Analysis
  max time kernel: 150s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26/12/2024, 04:33

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: 600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe
    Resource: win7-20240903-en
  The signatures and the process tree below come from task behavioral2, the windows10-2004_x64 run described under Analysis; every IoC path on this page starts with behavioral2/.
General
  Target: 600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe
  Size: 454KB
  MD5: 41f966c420346180ad88d02de6d5b55f
  SHA1: e7d96552e987512d3e91abe962aff08bb52d9d26
  SHA256: 600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c
  SHA512: 005a2161854de170655b1130a52b2ccfaf7979f6511ba4f393d940e9af4e63624b3eb13272d41e2eb7911dbdf7fba3ea066ebda6054ea94aa03ebe81bacbd736
  SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
  (nothing listed for this task)

Signatures

Blackmoon family

Detect Blackmoon payload (64 IoCs)
Columns: resource, yara_rule. Every entry is rule family_blackmoon firing on a behavioral2 memory dump, and every dump covers the same range, 0x0000000000400000-0x000000000042A000 (0x2A000 bytes starting at 0x400000, the default image base of a 32-bit executable). Dumps are listed as pid-index, i.e. the path behavioral2/memory/<pid>-<index>-0x0000000000400000-0x000000000042A000-memory.dmp:
  4072-4, 1944-11, 3752-30, 4488-84, 1716-193, 2016-205, 1204-226, 1876-300, 3480-293, 216-275, 3080-269, 3000-259, 2264-306, 1440-246, 3508-311, 4340-222, 4920-218, 3156-208, 3324-200, 2160-197, 3652-189,
  2220-185, 3540-178, 1016-168, 2520-162, 764-155, 5016-134, 4100-129, 3676-126, 3560-112, 1540-109, 1840-100, 1660-72, 968-67, 4424-61, 4368-55, 4024-49, 4036-43, 1464-24, 2036-17, 1084-13, 2392-327,
  800-331, 732-335, 4100-337, 2228-355, 3764-380, 4660-396, 1400-409, 4268-423, 1516-464, 3188-510, 3508-520, 2336-608, 1016-765, 3928-770, 4412-825, 3952-853, 448-890, 3304-1011, 3732-1079, 1988-1651, 2664-1694,
  3632-1957

Executes dropped EXE (64 IoCs)
Columns: pid, Process. The 64 entries, in report order, are the dropped executables at depths 2 to 65 of the process tree below:
  1084 hthbtb.exe   1944 1hbnhh.exe   2036 vpjdd.exe    1464 flllffx.exe
  3752 hhhhhh.exe   4036 ppddv.exe    4024 pppdv.exe    4368 xfxrffr.exe
  4424 3ntntt.exe   968 tbnhbt.exe    1660 3jjdp.exe    2152 flrxrxr.exe
  4488 5xrlfxr.exe  4852 hbtnhh.exe   2072 vjjjp.exe    1840 1jdvv.exe
  1540 fxllllf.exe  3560 5tbhbh.exe   3292 nnnhbt.exe   3676 dvdvp.exe
  4100 lxrfxxr.exe  5016 xrxrxrx.exe  3280 bbhbbb.exe   1264 dvjdd.exe
  2364 3fffxfr.exe  764 9fffrrx.exe   2520 htnhhh.exe   1016 3vdvv.exe
  2448 xrrlffx.exe  3540 fxxxxxf.exe  2220 nhnhbb.exe   3652 pjpjj.exe
  1716 vjpvp.exe    2160 rllfxrr.exe  3324 hbnhhh.exe   2016 hbbtnh.exe
  3156 djjdd.exe    4508 flxlfxr.exe  1588 flxrlfx.exe  4920 hbtnhb.exe
  4340 1vdvp.exe    1204 dvdvp.exe    2516 7lfxxfl.exe  4060 hbnbhb.exe
  1400 bnhbtn.exe   2352 dvpjj.exe    3664 7lrrffl.exe  1440 frxrrll.exe
  4964 bhhhbb.exe   3892 9pppj.exe    2320 dpdvd.exe    3000 fxfxrrl.exe
  4264 nthtnn.exe   4452 bhtnnn.exe   3080 jjdvp.exe    3952 fflrrrl.exe
  216 7llfxxr.exe   1892 3bhtnb.exe   4104 1djpj.exe    2040 jvdvv.exe
  1040 rlxrrrx.exe  3480 tthhbb.exe   4664 thnhhh.exe   1876 jvvpj.exe

YARA rule upx (64 entries)
Columns: resource, yara_rule. The upx rule fires on the same 0x0000000000400000-0x000000000042A000 range of behavioral2 memory dumps; dumps listed as pid-index as above:
  4072-4, 1944-11, 3752-30, 4488-84, 1716-193, 2016-205, 1204-226, 1876-300, 3480-293, 216-275, 3080-269, 3000-259, 2264-306, 1440-246, 3508-311, 4340-222, 4920-218, 3156-208, 3324-200, 2160-197, 3652-189, 2220-185, 3540-178, 1016-168,
  2520-162, 764-155, 5016-134, 4100-129, 3676-126, 3560-112, 1540-109, 1840-100, 1660-72, 968-67, 4424-61, 4368-55, 4024-49, 4036-43, 1464-24, 2036-17, 1084-13, 2392-327, 800-331, 732-335, 4100-337, 2228-355, 3764-380, 4660-396,
  4632-411, 1400-409, 4268-423, 1516-464, 3400-485, 3188-510, 3508-520, 2336-608, 1016-765, 3928-766, 3928-770, 4412-825, 3952-853, 448-890, 3304-1011, 3764-1014
Sixty dumps appear in both lists. 4632-411, 3400-485, 3928-766 and 3764-1014 appear only here; 3732-1079, 1988-1651, 2664-1694 and 3632-1957 appear only under family_blackmoon. Both lists stop at 64 entries, so a dump missing from one list is not evidence that the rule failed to match it.
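Parsing the memory-dump hits above, as an added example (not code from the report or from tria.ge): each hit is written as <task>/memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp <rule>. The script extracts those fields, confirms that every dump covers the same range, keys dumps on (pid, dump index) rather than on PID alone (PID 4100 belongs to two different processes in this run, lxrfxxr.exe at depth 22 and xlrlfrl.exe at depth 77 of the process tree), and splits dumps into those matched by both rules and those matched by one. The embedded sample is a constructed subset of the report's two lists in the same text form; since each list is capped at 64 entries, a dump absent from one list is not evidence that the rule did not match it.

```python
"""Parse tria.ge memory-dump YARA hits and cross-reference two rules.

Added example, not code from the report or from tria.ge. The record layout
    <task>/memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp <rule>
is the one the report uses; SAMPLE_HITS is a constructed subset of the
report's family_blackmoon and upx lists, not the full 64-entry lists.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\w+)"
)

# Constructed subset of the report's two YARA hit lists (same text form).
SAMPLE_HITS = """
behavioral2/memory/4072-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/1944-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3752-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4100-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4100-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/3732-1079-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/4072-4-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/1944-11-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/3752-30-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4100-129-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4100-337-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/4632-411-0x0000000000400000-0x000000000042A000-memory.dmp upx
"""


def parse_hits(text):
    """One dict per hit. Line breaks are ignored, so the raw one-line report blob parses too."""
    return [
        {
            "task": m["task"],
            "pid": int(m["pid"]),
            "idx": int(m["idx"]),
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
            "rule": m["rule"],
        }
        for m in DUMP_RE.finditer(text)
    ]


def regions(hits):
    """Distinct (start, end) ranges -> number of hits on that range."""
    counts = defaultdict(int)
    for h in hits:
        counts[(h["start"], h["end"])] += 1
    return dict(counts)


def span(region):
    """Byte length of a (start, end) range."""
    return region[1] - region[0]


def rules_by_dump(hits):
    """Key on (pid, dump index): the same PID can belong to two different processes."""
    out = defaultdict(set)
    for h in hits:
        out[(h["pid"], h["idx"])].add(h["rule"])
    return dict(out)


def split_by_rules(hits, rule_a, rule_b):
    """Dumps matched by both rules, by rule_a only, by rule_b only."""
    rb = rules_by_dump(hits)
    both = {d for d, r in rb.items() if rule_a in r and rule_b in r}
    only_a = {d for d, r in rb.items() if rule_a in r and rule_b not in r}
    only_b = {d for d, r in rb.items() if rule_b in r and rule_a not in r}
    return both, only_a, only_b


def pids_with_multiple_dumps(hits):
    """PID -> sorted dump indexes, for PIDs that appear under more than one dump."""
    idx = defaultdict(set)
    for h in hits:
        idx[h["pid"]].add(h["idx"])
    return {pid: sorted(i) for pid, i in idx.items() if len(i) > 1}


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_HITS)
    for region, n in regions(hits).items():
        print(f"region 0x{region[0]:X}-0x{region[1]:X} ({span(region):#x} bytes): {n} hits")
    both, bm_only, upx_only = split_by_rules(hits, "family_blackmoon", "upx")
    print("both:", sorted(both), "blackmoon only:", sorted(bm_only), "upx only:", sorted(upx_only))
    print("PIDs dumped more than once:", pids_with_multiple_dumps(hits))
```

Feed parse_hits the full text of either list to get the per-dump picture for the whole run; the functions never look at line boundaries, so the report's one-line blobs work unchanged.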
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Columns: description, ioc, Process. All 64 entries are the same operation on the same key:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes named in the entries, in report order: 1jjdv.exe, 5thbtn.exe, 9nhbtt.exe, rxfxrlf.exe, 1xrlffx.exe, 3nnhbt.exe, xxxffff.exe, 1vpdv.exe, 9jdjv.exe, htbtbt.exe, 7nbtnh.exe, httnnh.exe, vjpjd.exe, 3bhtnb.exe, jjdpj.exe. Of these only 3bhtnb.exe (depth 59) is among the 122 processes the tree below lists. The remaining entries are attributed to "Process not Found": the sandbox could no longer resolve the PID that opened the key to a process image when the report was built.
Suspicious use of WriteProcessMemory (64 IoCs)
Columns: description, pid, Process (the parent image), procid_target. Each record appears three times in the raw report and is shown once here; the raw list stops at 64 entries, so the last step appears only once there.
PID 4072 wrote to memory of 1084 4072 600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe 82
PID 1084 wrote to memory of 1944 1084 hthbtb.exe 83
PID 1944 wrote to memory of 2036 1944 1hbnhh.exe 84
PID 2036 wrote to memory of 1464 2036 vpjdd.exe 85
PID 1464 wrote to memory of 3752 1464 flllffx.exe 86
PID 3752 wrote to memory of 4036 3752 hhhhhh.exe 87
PID 4036 wrote to memory of 4024 4036 ppddv.exe 88
PID 4024 wrote to memory of 4368 4024 pppdv.exe 89
PID 4368 wrote to memory of 4424 4368 xfxrffr.exe 90
PID 4424 wrote to memory of 968 4424 3ntntt.exe 91
PID 968 wrote to memory of 1660 968 tbnhbt.exe 92
PID 1660 wrote to memory of 2152 1660 3jjdp.exe 93
PID 2152 wrote to memory of 4488 2152 flrxrxr.exe 94
PID 4488 wrote to memory of 4852 4488 5xrlfxr.exe 95
PID 4852 wrote to memory of 2072 4852 hbtnhh.exe 152
PID 2072 wrote to memory of 1840 2072 vjjjp.exe 97
PID 1840 wrote to memory of 1540 1840 1jdvv.exe 98
PID 1540 wrote to memory of 3560 1540 fxllllf.exe 99
PID 3560 wrote to memory of 3292 3560 5tbhbh.exe 100
PID 3292 wrote to memory of 3676 3292 nnnhbt.exe 101
PID 3676 wrote to memory of 4100 3676 dvdvp.exe 157
PID 4100 wrote to memory of 5016 4100 lxrfxxr.exe 103
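Rebuilding the spawn chain from the WriteProcessMemory records, as an added example (not code from the report or from tria.ge): each record reads PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target> and occurs three times, so the script deduplicates, follows parent-to-child links from the submitted sample's PID, refuses anything that is not a single chain, cross-checks each parent's image name against the Executes dropped EXE list, and flags any dropped name that breaks the pattern every dropped image in this report follows (an optional odd digit, then letters drawn only from b d f h j l n p r t v x). The records and pid/name pairs embedded below are a constructed subset copied from the first five steps of the two sections, line breaks and all, since the regexes ignore them. Run on the full record set, a recycled PID shows up as a PID with two children, which is how the reuse visible in the process tree (1084, 4100 and 4424 each sit at two depths) would surface.

```python
"""Rebuild a tria.ge process chain from "wrote to memory" records.

Added example, not code from the report or from tria.ge. Record layout as
it appears in the report's WriteProcessMemory section:
    PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>
WPM_SAMPLE and DROPPED_SAMPLE are constructed subsets of the report's
WriteProcessMemory and Executes-dropped-EXE sections (first five steps).
"""
import re

# Tokens may be split by newlines in the scraped text, hence \s+ everywhere.
WPM_RE = re.compile(
    r"PID\s+(?P<src>\d+)\s+wrote to memory of\s+(?P<dst>\d+)\s+(?P=src)\s+"
    r"(?P<image>\S+\.exe)\s+(?P<target>\d+)"
)
# "pid Process" list: alternating PID and image name.
DROPPED_RE = re.compile(r"(\d+)\s+(\S+\.exe)")
# Naming pattern of every dropped image in this report: optional odd digit,
# then letters from the set b d f h j l n p r t v x only.
DROPPED_NAME_RE = re.compile(r"^[13579]?[bdfhjlnprtvx]+\.exe$")

WPM_SAMPLE = """
PID 4072 wrote to memory of 1084 4072 600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe 82
PID 4072 wrote to memory of 1084 4072 600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe 82
PID 4072 wrote to memory of 1084 4072 600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe 82
PID 1084 wrote to memory of 1944 1084 hthbtb.exe 83 PID 1084 wrote to memory of 1944 1084 hthbtb.exe 83
PID 1084 wrote to memory of 1944 1084 hthbtb.exe 83 PID 1944 wrote to memory of 2036 1944 1hbnhh.exe 84
PID 1944 wrote to memory of 2036 1944 1hbnhh.exe 84 PID 1944 wrote to memory of 2036 1944 1hbnhh.exe 84
PID 2036 wrote to memory of 1464 2036 vpjdd.exe 85 PID 2036 wrote to memory of 1464
2036 vpjdd.exe 85 PID 2036 wrote to memory of 1464 2036 vpjdd.exe 85
PID 1464 wrote to memory of 3752 1464 flllffx.exe 86
"""
DROPPED_SAMPLE = "pid Process 1084 hthbtb.exe 1944 1hbnhh.exe 2036 vpjdd.exe 1464 flllffx.exe 3752 hhhhhh.exe"


def parse_wpm(text):
    """Unique edges (parent, child, parent image, procid_target) in first-seen order, plus the raw record count."""
    edges, seen, raw = [], set(), 0
    for m in WPM_RE.finditer(text):
        raw += 1
        edge = (int(m["src"]), int(m["dst"]), m["image"], int(m["target"]))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges, raw


def build_chain(edges, root):
    """Walk parent -> child from root. A PID with two children aborts the walk:
    on the full record set that is what a recycled PID looks like, because the
    earlier and the later process with that PID each spawned a child."""
    children = {}
    for src, dst, _, _ in edges:
        children.setdefault(src, set()).add(dst)
    chain, pid = [root], root
    while pid in children:
        kids = children[pid]
        if len(kids) != 1:
            raise ValueError(f"PID {pid} has {len(kids)} children; not a single chain")
        pid = next(iter(kids))
        if pid in chain:
            raise ValueError(f"PID {pid} already in chain; loop")
        chain.append(pid)
    return chain


def parse_dropped(text):
    """(pid, image) pairs from the Executes dropped EXE list."""
    return [(int(p), n) for p, n in DROPPED_RE.findall(text)]


def image_mismatches(edges, dropped):
    """PIDs whose parent image in the WPM records differs from the dropped-EXE list."""
    image_by_pid = {src: image for src, _, image, _ in edges}
    return [(pid, name, image_by_pid[pid]) for pid, name in dropped
            if pid in image_by_pid and image_by_pid[pid] != name]


def odd_names(dropped):
    """Dropped image names that break the naming pattern observed in this report."""
    return [name for _, name in dropped if not DROPPED_NAME_RE.match(name)]


if __name__ == "__main__":
    edges, raw = parse_wpm(WPM_SAMPLE)
    chain = build_chain(edges, 4072)
    dropped = parse_dropped(DROPPED_SAMPLE)
    print(f"{raw} records -> {len(edges)} unique steps; chain: {' -> '.join(map(str, chain))}")
    print("image mismatches:", image_mismatches(edges, dropped))
    print("names off-pattern:", odd_names(dropped))
```

The naming regex is a hunting aid for this run only: it describes the 122 names the tree shows, not a property of the family, so treat a match as a reason to look, not a verdict.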
Processes
Task behavioral2, one process per line: depth, image path, command line, PID, signatures. Each process spawns the next, so the tree is a single chain 122 deep. Signature tags appear only on the first 64 dropped executables (depths 2 to 65), matching the 64-entry cap on each signature list above; from depth 66 on the report shows only the PID. Several PIDs recur at two depths (1084 at 2 and 112, 4424 at 10 and 67, 4100 at 22 and 77, among others); Windows hands a PID out again once the earlier process has exited, so a PID on its own does not identify one process in this chain.
  1  C:\Users\Admin\AppData\Local\Temp\600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe  "C:\Users\Admin\AppData\Local\Temp\600af36d58b2feb3abc1ac8b60cbda21656ad16180688c4bc29e371d3038b57c.exe"  PID:4072  Suspicious use of WriteProcessMemory
  2  \??\c:\hthbtb.exe  c:\hthbtb.exe  PID:1084  Executes dropped EXE; Suspicious use of WriteProcessMemory
  3  \??\c:\1hbnhh.exe  c:\1hbnhh.exe  PID:1944  Executes dropped EXE; Suspicious use of WriteProcessMemory
  4  \??\c:\vpjdd.exe  c:\vpjdd.exe  PID:2036  Executes dropped EXE; Suspicious use of WriteProcessMemory
  5  \??\c:\flllffx.exe  c:\flllffx.exe  PID:1464  Executes dropped EXE; Suspicious use of WriteProcessMemory
  6  \??\c:\hhhhhh.exe  c:\hhhhhh.exe  PID:3752  Executes dropped EXE; Suspicious use of WriteProcessMemory
  7  \??\c:\ppddv.exe  c:\ppddv.exe  PID:4036  Executes dropped EXE; Suspicious use of WriteProcessMemory
  8  \??\c:\pppdv.exe  c:\pppdv.exe  PID:4024  Executes dropped EXE; Suspicious use of WriteProcessMemory
  9  \??\c:\xfxrffr.exe  c:\xfxrffr.exe  PID:4368  Executes dropped EXE; Suspicious use of WriteProcessMemory
 10  \??\c:\3ntntt.exe  c:\3ntntt.exe  PID:4424  Executes dropped EXE; Suspicious use of WriteProcessMemory
 11  \??\c:\tbnhbt.exe  c:\tbnhbt.exe  PID:968  Executes dropped EXE; Suspicious use of WriteProcessMemory
 12  \??\c:\3jjdp.exe  c:\3jjdp.exe  PID:1660  Executes dropped EXE; Suspicious use of WriteProcessMemory
 13  \??\c:\flrxrxr.exe  c:\flrxrxr.exe  PID:2152  Executes dropped EXE; Suspicious use of WriteProcessMemory
 14  \??\c:\5xrlfxr.exe  c:\5xrlfxr.exe  PID:4488  Executes dropped EXE; Suspicious use of WriteProcessMemory
 15  \??\c:\hbtnhh.exe  c:\hbtnhh.exe  PID:4852  Executes dropped EXE; Suspicious use of WriteProcessMemory
 16  \??\c:\vjjjp.exe  c:\vjjjp.exe  PID:2072  Executes dropped EXE; Suspicious use of WriteProcessMemory
 17  \??\c:\1jdvv.exe  c:\1jdvv.exe  PID:1840  Executes dropped EXE; Suspicious use of WriteProcessMemory
 18  \??\c:\fxllllf.exe  c:\fxllllf.exe  PID:1540  Executes dropped EXE; Suspicious use of WriteProcessMemory
 19  \??\c:\5tbhbh.exe  c:\5tbhbh.exe  PID:3560  Executes dropped EXE; Suspicious use of WriteProcessMemory
 20  \??\c:\nnnhbt.exe  c:\nnnhbt.exe  PID:3292  Executes dropped EXE; Suspicious use of WriteProcessMemory
 21  \??\c:\dvdvp.exe  c:\dvdvp.exe  PID:3676  Executes dropped EXE; Suspicious use of WriteProcessMemory
 22  \??\c:\lxrfxxr.exe  c:\lxrfxxr.exe  PID:4100  Executes dropped EXE; Suspicious use of WriteProcessMemory
 23  \??\c:\xrxrxrx.exe  c:\xrxrxrx.exe  PID:5016  Executes dropped EXE
 24  \??\c:\bbhbbb.exe  c:\bbhbbb.exe  PID:3280  Executes dropped EXE
 25  \??\c:\dvjdd.exe  c:\dvjdd.exe  PID:1264  Executes dropped EXE
 26  \??\c:\3fffxfr.exe  c:\3fffxfr.exe  PID:2364  Executes dropped EXE
 27  \??\c:\9fffrrx.exe  c:\9fffrrx.exe  PID:764  Executes dropped EXE
 28  \??\c:\htnhhh.exe  c:\htnhhh.exe  PID:2520  Executes dropped EXE
 29  \??\c:\3vdvv.exe  c:\3vdvv.exe  PID:1016  Executes dropped EXE
 30  \??\c:\xrrlffx.exe  c:\xrrlffx.exe  PID:2448  Executes dropped EXE
 31  \??\c:\fxxxxxf.exe  c:\fxxxxxf.exe  PID:3540  Executes dropped EXE
 32  \??\c:\nhnhbb.exe  c:\nhnhbb.exe  PID:2220  Executes dropped EXE
 33  \??\c:\pjpjj.exe  c:\pjpjj.exe  PID:3652  Executes dropped EXE
 34  \??\c:\vjpvp.exe  c:\vjpvp.exe  PID:1716  Executes dropped EXE
 35  \??\c:\rllfxrr.exe  c:\rllfxrr.exe  PID:2160  Executes dropped EXE
 36  \??\c:\hbnhhh.exe  c:\hbnhhh.exe  PID:3324  Executes dropped EXE
 37  \??\c:\hbbtnh.exe  c:\hbbtnh.exe  PID:2016  Executes dropped EXE
 38  \??\c:\djjdd.exe  c:\djjdd.exe  PID:3156  Executes dropped EXE
 39  \??\c:\flxlfxr.exe  c:\flxlfxr.exe  PID:4508  Executes dropped EXE
 40  \??\c:\flxrlfx.exe  c:\flxrlfx.exe  PID:1588  Executes dropped EXE
 41  \??\c:\hbtnhb.exe  c:\hbtnhb.exe  PID:4920  Executes dropped EXE
 42  \??\c:\1vdvp.exe  c:\1vdvp.exe  PID:4340  Executes dropped EXE
 43  \??\c:\dvdvp.exe  c:\dvdvp.exe  PID:1204  Executes dropped EXE
 44  \??\c:\7lfxxfl.exe  c:\7lfxxfl.exe  PID:2516  Executes dropped EXE
 45  \??\c:\hbnbhb.exe  c:\hbnbhb.exe  PID:4060  Executes dropped EXE
 46  \??\c:\bnhbtn.exe  c:\bnhbtn.exe  PID:1400  Executes dropped EXE
 47  \??\c:\dvpjj.exe  c:\dvpjj.exe  PID:2352  Executes dropped EXE
 48  \??\c:\7lrrffl.exe  c:\7lrrffl.exe  PID:3664  Executes dropped EXE
 49  \??\c:\frxrrll.exe  c:\frxrrll.exe  PID:1440  Executes dropped EXE
 50  \??\c:\bhhhbb.exe  c:\bhhhbb.exe  PID:4964  Executes dropped EXE
 51  \??\c:\9pppj.exe  c:\9pppj.exe  PID:3892  Executes dropped EXE
 52  \??\c:\dpdvd.exe  c:\dpdvd.exe  PID:2320  Executes dropped EXE
 53  \??\c:\fxfxrrl.exe  c:\fxfxrrl.exe  PID:3000  Executes dropped EXE
 54  \??\c:\nthtnn.exe  c:\nthtnn.exe  PID:4264  Executes dropped EXE
 55  \??\c:\bhtnnn.exe  c:\bhtnnn.exe  PID:4452  Executes dropped EXE
 56  \??\c:\jjdvp.exe  c:\jjdvp.exe  PID:3080  Executes dropped EXE
 57  \??\c:\fflrrrl.exe  c:\fflrrrl.exe  PID:3952  Executes dropped EXE
 58  \??\c:\7llfxxr.exe  c:\7llfxxr.exe  PID:216  Executes dropped EXE
 59  \??\c:\3bhtnb.exe  c:\3bhtnb.exe  PID:1892  Executes dropped EXE; System Location Discovery: System Language Discovery
 60  \??\c:\1djpj.exe  c:\1djpj.exe  PID:4104  Executes dropped EXE
 61  \??\c:\jvdvv.exe  c:\jvdvv.exe  PID:2040  Executes dropped EXE
 62  \??\c:\rlxrrrx.exe  c:\rlxrrrx.exe  PID:1040  Executes dropped EXE
 63  \??\c:\tthhbb.exe  c:\tthhbb.exe  PID:3480  Executes dropped EXE
 64  \??\c:\thnhhh.exe  c:\thnhhh.exe  PID:4664  Executes dropped EXE
 65  \??\c:\jvvpj.exe  c:\jvvpj.exe  PID:1876  Executes dropped EXE
 66  \??\c:\rlxrrxx.exe  c:\rlxrrxx.exe  PID:2844
 67  \??\c:\tntnhh.exe  c:\tntnhh.exe  PID:4424
 68  \??\c:\1nnhhh.exe  c:\1nnhhh.exe  PID:1216
 69  \??\c:\pvdvp.exe  c:\pvdvp.exe  PID:2264
 70  \??\c:\xllffff.exe  c:\xllffff.exe  PID:3508
 71  \??\c:\nnnnnn.exe  c:\nnnnnn.exe  PID:4380
 72  \??\c:\pjdpj.exe  c:\pjdpj.exe  PID:2072
 73  \??\c:\rxrlfxr.exe  c:\rxrlfxr.exe  PID:1744
 74  \??\c:\1tnhbt.exe  c:\1tnhbt.exe  PID:2392
 75  \??\c:\hbhbbt.exe  c:\hbhbbt.exe  PID:800
 76  \??\c:\pdvpd.exe  c:\pdvpd.exe  PID:732
 77  \??\c:\xlrlfrl.exe  c:\xlrlfrl.exe  PID:4100
 78  \??\c:\lxxlfxr.exe  c:\lxxlfxr.exe  PID:1800
 79  \??\c:\nhbnbt.exe  c:\nhbnbt.exe  PID:4504
 80  \??\c:\pjjvj.exe  c:\pjjvj.exe  PID:1264
 81  \??\c:\3xrllfr.exe  c:\3xrllfr.exe  PID:3684
 82  \??\c:\nhtnhh.exe  c:\nhtnhh.exe  PID:2228
 83  \??\c:\vvdvj.exe  c:\vvdvj.exe  PID:3276
 84  \??\c:\7xflfxr.exe  c:\7xflfxr.exe  PID:1596
 85  \??\c:\lxlxxlr.exe  c:\lxlxxlr.exe  PID:4500
 86  \??\c:\hbhhnn.exe  c:\hbhhnn.exe  PID:3540
 87  \??\c:\pdddp.exe  c:\pdddp.exe  PID:1452
 88  \??\c:\rrrxfxx.exe  c:\rrrxfxx.exe  PID:1232
 89  \??\c:\1pvpp.exe  c:\1pvpp.exe  PID:3260
 90  \??\c:\jvvpd.exe  c:\jvvpd.exe  PID:3764
 91  \??\c:\lxlxrll.exe  c:\lxlxrll.exe  PID:2144
 92  \??\c:\pvdvp.exe  c:\pvdvp.exe  PID:3484
 93  \??\c:\rfxxllf.exe  c:\rfxxllf.exe  PID:4508
 94  \??\c:\pvdpv.exe  c:\pvdpv.exe  PID:1588
 95  \??\c:\htbbtn.exe  c:\htbbtn.exe  PID:4660
 96  \??\c:\xlrfxxx.exe  c:\xlrfxxx.exe  PID:3160
 97  \??\c:\jjvjp.exe  c:\jjvjp.exe  PID:2164
 98  \??\c:\9llfrrr.exe  c:\9llfrrr.exe  PID:1636
 99  \??\c:\thbthh.exe  c:\thbthh.exe  PID:1400
100  \??\c:\7nhbnn.exe  c:\7nhbnn.exe  PID:4632
101  \??\c:\pdjdv.exe  c:\pdjdv.exe  PID:1684
102  \??\c:\rrxxfxf.exe  c:\rrxxfxf.exe  PID:1440
103  \??\c:\rflfxrl.exe  c:\rflfxrl.exe  PID:4268
104  \??\c:\bnbnhb.exe  c:\bnbnhb.exe  PID:1640
105  \??\c:\3ppjd.exe  c:\3ppjd.exe  PID:3488
106  \??\c:\pjvdp.exe  c:\pjvdp.exe  PID:1848
107  \??\c:\9rlfxrr.exe  c:\9rlfxrr.exe  PID:5036
108  \??\c:\bbbthb.exe  c:\bbbthb.exe  PID:4028
109  \??\c:\hhnbbt.exe  c:\hhnbbt.exe  PID:452
110  \??\c:\pddvj.exe  c:\pddvj.exe  PID:4988
111  \??\c:\3xxrllx.exe  c:\3xxrllx.exe  PID:432
112  \??\c:\9xxrllf.exe  c:\9xxrllf.exe  PID:1084
113  \??\c:\hhhtbn.exe  c:\hhhtbn.exe  PID:3112
114  \??\c:\vdvjv.exe  c:\vdvjv.exe  PID:5012
115  \??\c:\vdjvp.exe  c:\vdjvp.exe  PID:4928
116  \??\c:\xffrlxl.exe  c:\xffrlxl.exe  PID:4560
117  \??\c:\frrfxrf.exe  c:\frrfxrf.exe  PID:1516
118  \??\c:\tnnhtn.exe  c:\tnnhtn.exe  PID:3732
119  \??\c:\pvpdd.exe  c:\pvpdd.exe  PID:928
120  \??\c:\dppdp.exe  c:\dppdp.exe  PID:4652
121  \??\c:\3llxllx.exe  c:\3llxllx.exe  PID:3480
122  \??\c:\hnthbt.exe  c:\hnthbt.exe  PID:448