Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26/12/2024, 15:02
Static task
static1
Behavioral task
behavioral1
Sample
820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63.exe
Resource
win7-20240903-en
Note: the task header above names behavioral1 on the win7-20240903-en resource, but the Analysis block (platform windows10-2004_x64, resource win10v2004-20241007-en) and every memory-dump IoC below (prefixed behavioral2/) come from the Windows 10 run. Treat the signatures and process tree on this page as Windows 10 results, not Windows 7.
General
-
Target
820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63.exe
-
Size
453KB
-
MD5
97feb28f0e447340ec6bf8dd58ba249f
-
SHA1
179b749a42ce30fb49443f3a163dde6c1b541cb1
-
SHA256
820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63
-
SHA512
5e0266f3226adf2ea72e5c1b6379f6bd5751391f23e40a1b9e5a945f7234abd4a46fe11bc7bb306d2245585a209f0f6e7fbbc3c634bbd4c94adb9b778d3b141f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
Memory-dump names are keyed by PID and offset (e.g. 3544-10, 3544-269). The sandbox reuses PIDs across the spawn chain — PID 3544 is 9bhttb.exe at depth 2 and jpvpd.exe at depth 56 in the process tree below, and 2184, 3612, 3664 and 2220 are likewise reused — so two dumps with the same PID are not necessarily the same process. Every listed dump covers the same 0x400000–0x42A000 image range.
resource yara_rule behavioral2/memory/2652-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1680-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1268-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-848-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-1071-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
The 64 entries shown are a display cap, not the full count: the process tree below continues past depth 120, with every level after the original sample being another dropped executable written to the root of C:\ (e.g. \??\c:\9bhttb.exe). The short pseudo-random names built from the characters b/d/f/h/j/l/n/p/r/t/v/x are themselves a useful hunting pattern.
pid Process 3544 9bhttb.exe 2924 vjvdd.exe 1516 bntnnh.exe 4164 5dvjv.exe 3752 rlrffff.exe 3536 nnbtnh.exe 4844 bbhtnh.exe 3508 lrffxxx.exe 3764 ntthnt.exe 3256 bnbbtt.exe 1140 pjdjd.exe 1408 5vpjd.exe 3344 xllxrlf.exe 2184 5jppv.exe 796 jvddp.exe 3612 btbtnn.exe 3664 9djjv.exe 2220 pddvp.exe 212 hntnhn.exe 2036 3jppj.exe 1340 rfffxrr.exe 4184 3ntnnn.exe 4512 rfxrllf.exe 1912 nhnntn.exe 716 dvvpd.exe 3476 rlxrrxx.exe 2040 bthbnb.exe 1680 jvvjd.exe 4660 lxlfrrl.exe 5104 lrllxxx.exe 4612 3pppv.exe 4904 lxxrllf.exe 740 bbthbn.exe 1016 pjjdd.exe 4536 3xffxlf.exe 2508 rflffff.exe 1660 nbnhbb.exe 3668 vvddp.exe 2084 hnnhtt.exe 4504 httnbb.exe 4104 dpjvj.exe 1908 rxlfrrr.exe 3648 bntbbb.exe 1076 nttnbb.exe 3336 jdvpd.exe 4432 1lrlxxr.exe 3800 ntbbtn.exe 3008 vjjdv.exe 2472 lffxlfx.exe 4488 tnhbtt.exe 4580 hbhbtn.exe 4804 pjpjd.exe 2292 lxrllrl.exe 3076 thbthh.exe 3544 jpvpd.exe 528 fxxlxfx.exe 4516 bhnnhb.exe 3736 7dpvd.exe 736 lxrrlfr.exe 2840 frlfxrl.exe 664 nttnhh.exe 4720 pjvpj.exe 3480 pjdvj.exe 3372 rffxrff.exe -
resource yara_rule behavioral2/memory/2652-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-168-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4660-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-376-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1060-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-726-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Entries attributed to "Process not Found" are registry opens whose originating process had already exited when the event was attributed; they still count toward the IoC total.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
Each parent-to-child write is recorded three times, so the 64 entries shown cover only the first 22 parent→child pairs of the chain (2652 → 3544 → 2924 → … → 1340 → 4184); the chain in the process tree is far longer. Each process writes only into the child it spawns next, which is consistent with a self-replicating dropper rather than injection into unrelated processes.
description pid Process procid_target PID 2652 wrote to memory of 3544 2652 820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63.exe 82 PID 2652 wrote to memory of 3544 2652 820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63.exe 82 PID 2652 wrote to memory of 3544 2652 820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63.exe 82 PID 3544 wrote to memory of 2924 3544 9bhttb.exe 83 PID 3544 wrote to memory of 2924 3544 9bhttb.exe 83 PID 3544 wrote to memory of 2924 3544 9bhttb.exe 83 PID 2924 wrote to memory of 1516 2924 vjvdd.exe 84 PID 2924 wrote to memory of 1516 2924 vjvdd.exe 84 PID 2924 wrote to memory of 1516 2924 vjvdd.exe 84 PID 1516 wrote to memory of 4164 1516 bntnnh.exe 85 PID 1516 wrote to memory of 4164 1516 bntnnh.exe 85 PID 1516 wrote to memory of 4164 1516 bntnnh.exe 85 PID 4164 wrote to memory of 3752 4164 5dvjv.exe 86 PID 4164 wrote to memory of 3752 4164 5dvjv.exe 86 PID 4164 wrote to memory of 3752 4164 5dvjv.exe 86 PID 3752 wrote to memory of 3536 3752 rlrffff.exe 87 PID 3752 wrote to memory of 3536 3752 rlrffff.exe 87 PID 3752 wrote to memory of 3536 3752 rlrffff.exe 87 PID 3536 wrote to memory of 4844 3536 nnbtnh.exe 88 PID 3536 wrote to memory of 4844 3536 nnbtnh.exe 88 PID 3536 wrote to memory of 4844 3536 nnbtnh.exe 88 PID 4844 wrote to memory of 3508 4844 bbhtnh.exe 89 PID 4844 wrote to memory of 3508 4844 bbhtnh.exe 89 PID 4844 wrote to memory of 3508 4844 bbhtnh.exe 89 PID 3508 wrote to memory of 3764 3508 lrffxxx.exe 90 PID 3508 wrote to memory of 3764 3508 lrffxxx.exe 90 PID 3508 wrote to memory of 3764 3508 lrffxxx.exe 90 PID 3764 wrote to memory of 3256 3764 ntthnt.exe 91 PID 3764 wrote to memory of 3256 3764 ntthnt.exe 91 PID 3764 wrote to memory of 3256 3764 ntthnt.exe 91 PID 3256 wrote to memory of 1140 3256 bnbbtt.exe 92 PID 3256 wrote to memory of 1140 3256 bnbbtt.exe 92 PID 3256 wrote to memory of 1140 3256 bnbbtt.exe 92 PID 1140 wrote to memory of 1408 1140 pjdjd.exe 93 PID 1140 wrote to 
memory of 1408 1140 pjdjd.exe 93 PID 1140 wrote to memory of 1408 1140 pjdjd.exe 93 PID 1408 wrote to memory of 3344 1408 5vpjd.exe 94 PID 1408 wrote to memory of 3344 1408 5vpjd.exe 94 PID 1408 wrote to memory of 3344 1408 5vpjd.exe 94 PID 3344 wrote to memory of 2184 3344 xllxrlf.exe 95 PID 3344 wrote to memory of 2184 3344 xllxrlf.exe 95 PID 3344 wrote to memory of 2184 3344 xllxrlf.exe 95 PID 2184 wrote to memory of 796 2184 5jppv.exe 96 PID 2184 wrote to memory of 796 2184 5jppv.exe 96 PID 2184 wrote to memory of 796 2184 5jppv.exe 96 PID 796 wrote to memory of 3612 796 jvddp.exe 97 PID 796 wrote to memory of 3612 796 jvddp.exe 97 PID 796 wrote to memory of 3612 796 jvddp.exe 97 PID 3612 wrote to memory of 3664 3612 btbtnn.exe 98 PID 3612 wrote to memory of 3664 3612 btbtnn.exe 98 PID 3612 wrote to memory of 3664 3612 btbtnn.exe 98 PID 3664 wrote to memory of 2220 3664 9djjv.exe 99 PID 3664 wrote to memory of 2220 3664 9djjv.exe 99 PID 3664 wrote to memory of 2220 3664 9djjv.exe 99 PID 2220 wrote to memory of 212 2220 pddvp.exe 100 PID 2220 wrote to memory of 212 2220 pddvp.exe 100 PID 2220 wrote to memory of 212 2220 pddvp.exe 100 PID 212 wrote to memory of 2036 212 hntnhn.exe 101 PID 212 wrote to memory of 2036 212 hntnhn.exe 101 PID 212 wrote to memory of 2036 212 hntnhn.exe 101 PID 2036 wrote to memory of 1340 2036 3jppj.exe 102 PID 2036 wrote to memory of 1340 2036 3jppj.exe 102 PID 2036 wrote to memory of 1340 2036 3jppj.exe 102 PID 1340 wrote to memory of 4184 1340 rfffxrr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63.exe"C:\Users\Admin\AppData\Local\Temp\820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\9bhttb.exec:\9bhttb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\vjvdd.exec:\vjvdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\bntnnh.exec:\bntnnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\5dvjv.exec:\5dvjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\rlrffff.exec:\rlrffff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\nnbtnh.exec:\nnbtnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\bbhtnh.exec:\bbhtnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\lrffxxx.exec:\lrffxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\ntthnt.exec:\ntthnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\bnbbtt.exec:\bnbbtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\pjdjd.exec:\pjdjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\5vpjd.exec:\5vpjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\xllxrlf.exec:\xllxrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\5jppv.exec:\5jppv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\jvddp.exec:\jvddp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
\??\c:\btbtnn.exec:\btbtnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\9djjv.exec:\9djjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\pddvp.exec:\pddvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\hntnhn.exec:\hntnhn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\3jppj.exec:\3jppj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\rfffxrr.exec:\rfffxrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\3ntnnn.exec:\3ntnnn.exe23⤵
- Executes dropped EXE
PID:4184 -
\??\c:\rfxrllf.exec:\rfxrllf.exe24⤵
- Executes dropped EXE
PID:4512 -
\??\c:\nhnntn.exec:\nhnntn.exe25⤵
- Executes dropped EXE
PID:1912 -
\??\c:\dvvpd.exec:\dvvpd.exe26⤵
- Executes dropped EXE
PID:716 -
\??\c:\rlxrrxx.exec:\rlxrrxx.exe27⤵
- Executes dropped EXE
PID:3476 -
\??\c:\bthbnb.exec:\bthbnb.exe28⤵
- Executes dropped EXE
PID:2040 -
\??\c:\jvvjd.exec:\jvvjd.exe29⤵
- Executes dropped EXE
PID:1680 -
\??\c:\lxlfrrl.exec:\lxlfrrl.exe30⤵
- Executes dropped EXE
PID:4660 -
\??\c:\lrllxxx.exec:\lrllxxx.exe31⤵
- Executes dropped EXE
PID:5104 -
\??\c:\3pppv.exec:\3pppv.exe32⤵
- Executes dropped EXE
PID:4612 -
\??\c:\lxxrllf.exec:\lxxrllf.exe33⤵
- Executes dropped EXE
PID:4904 -
\??\c:\bbthbn.exec:\bbthbn.exe34⤵
- Executes dropped EXE
PID:740 -
\??\c:\pjjdd.exec:\pjjdd.exe35⤵
- Executes dropped EXE
PID:1016 -
\??\c:\3xffxlf.exec:\3xffxlf.exe36⤵
- Executes dropped EXE
PID:4536 -
\??\c:\rflffff.exec:\rflffff.exe37⤵
- Executes dropped EXE
PID:2508 -
\??\c:\nbnhbb.exec:\nbnhbb.exe38⤵
- Executes dropped EXE
PID:1660 -
\??\c:\vvddp.exec:\vvddp.exe39⤵
- Executes dropped EXE
PID:3668 -
\??\c:\hnnhtt.exec:\hnnhtt.exe40⤵
- Executes dropped EXE
PID:2084 -
\??\c:\httnbb.exec:\httnbb.exe41⤵
- Executes dropped EXE
PID:4504 -
\??\c:\dpjvj.exec:\dpjvj.exe42⤵
- Executes dropped EXE
PID:4104 -
\??\c:\rxlfrrr.exec:\rxlfrrr.exe43⤵
- Executes dropped EXE
PID:1908 -
\??\c:\bntbbb.exec:\bntbbb.exe44⤵
- Executes dropped EXE
PID:3648 -
\??\c:\nttnbb.exec:\nttnbb.exe45⤵
- Executes dropped EXE
PID:1076 -
\??\c:\jdvpd.exec:\jdvpd.exe46⤵
- Executes dropped EXE
PID:3336 -
\??\c:\1lrlxxr.exec:\1lrlxxr.exe47⤵
- Executes dropped EXE
PID:4432 -
\??\c:\ntbbtn.exec:\ntbbtn.exe48⤵
- Executes dropped EXE
PID:3800 -
\??\c:\vjjdv.exec:\vjjdv.exe49⤵
- Executes dropped EXE
PID:3008 -
\??\c:\lffxlfx.exec:\lffxlfx.exe50⤵
- Executes dropped EXE
PID:2472 -
\??\c:\tnhbtt.exec:\tnhbtt.exe51⤵
- Executes dropped EXE
PID:4488 -
\??\c:\hbhbtn.exec:\hbhbtn.exe52⤵
- Executes dropped EXE
PID:4580 -
\??\c:\pjpjd.exec:\pjpjd.exe53⤵
- Executes dropped EXE
PID:4804 -
\??\c:\lxrllrl.exec:\lxrllrl.exe54⤵
- Executes dropped EXE
PID:2292 -
\??\c:\thbthh.exec:\thbthh.exe55⤵
- Executes dropped EXE
PID:3076 -
\??\c:\jpvpd.exec:\jpvpd.exe56⤵
- Executes dropped EXE
PID:3544 -
\??\c:\fxxlxfx.exec:\fxxlxfx.exe57⤵
- Executes dropped EXE
PID:528 -
\??\c:\bhnnhb.exec:\bhnnhb.exe58⤵
- Executes dropped EXE
PID:4516 -
\??\c:\7dpvd.exec:\7dpvd.exe59⤵
- Executes dropped EXE
PID:3736 -
\??\c:\lxrrlfr.exec:\lxrrlfr.exe60⤵
- Executes dropped EXE
PID:736 -
\??\c:\frlfxrl.exec:\frlfxrl.exe61⤵
- Executes dropped EXE
PID:2840 -
\??\c:\nttnhh.exec:\nttnhh.exe62⤵
- Executes dropped EXE
PID:664 -
\??\c:\pjvpj.exec:\pjvpj.exe63⤵
- Executes dropped EXE
PID:4720 -
\??\c:\pjdvj.exec:\pjdvj.exe64⤵
- Executes dropped EXE
PID:3480 -
\??\c:\rffxrff.exec:\rffxrff.exe65⤵
- Executes dropped EXE
PID:3372 -
\??\c:\thtnbn.exec:\thtnbn.exe66⤵PID:2580
-
\??\c:\bntnbb.exec:\bntnbb.exe67⤵PID:1636
-
\??\c:\ppvpp.exec:\ppvpp.exe68⤵PID:856
-
\??\c:\rxffxrx.exec:\rxffxrx.exe69⤵PID:1444
-
\??\c:\nttnhb.exec:\nttnhb.exe70⤵PID:3352
-
\??\c:\bhbhbb.exec:\bhbhbb.exe71⤵PID:1292
-
\??\c:\dddpv.exec:\dddpv.exe72⤵
- System Location Discovery: System Language Discovery
PID:3000 -
\??\c:\xxrlflf.exec:\xxrlflf.exe73⤵PID:1596
-
\??\c:\bbhbtn.exec:\bbhbtn.exe74⤵PID:2184
-
\??\c:\3vppd.exec:\3vppd.exe75⤵PID:1616
-
\??\c:\flxlxxr.exec:\flxlxxr.exe76⤵PID:3612
-
\??\c:\rlllxxl.exec:\rlllxxl.exe77⤵PID:1732
-
\??\c:\3ntnht.exec:\3ntnht.exe78⤵PID:1760
-
\??\c:\ddjdp.exec:\ddjdp.exe79⤵PID:3664
-
\??\c:\5dvpj.exec:\5dvpj.exe80⤵PID:2220
-
\??\c:\fxxrxxx.exec:\fxxrxxx.exe81⤵PID:2068
-
\??\c:\nhhbtt.exec:\nhhbtt.exe82⤵PID:3488
-
\??\c:\htbhhb.exec:\htbhhb.exe83⤵
- System Location Discovery: System Language Discovery
PID:4732 -
\??\c:\vdpjj.exec:\vdpjj.exe84⤵PID:3564
-
\??\c:\rllfxfx.exec:\rllfxfx.exe85⤵PID:1128
-
\??\c:\tthbtt.exec:\tthbtt.exe86⤵PID:3516
-
\??\c:\vpjdv.exec:\vpjdv.exe87⤵PID:4476
-
\??\c:\5lfxllf.exec:\5lfxllf.exe88⤵PID:1268
-
\??\c:\tnttbt.exec:\tnttbt.exe89⤵PID:4520
-
\??\c:\tntnhh.exec:\tntnhh.exe90⤵PID:1060
-
\??\c:\dvpjv.exec:\dvpjv.exe91⤵PID:952
-
\??\c:\ffxrffx.exec:\ffxrffx.exe92⤵PID:4500
-
\??\c:\thnhbn.exec:\thnhbn.exe93⤵PID:396
-
\??\c:\1jpdv.exec:\1jpdv.exe94⤵PID:1844
-
\??\c:\3rxllll.exec:\3rxllll.exe95⤵PID:4660
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe96⤵
- System Location Discovery: System Language Discovery
PID:5064 -
\??\c:\tttnhh.exec:\tttnhh.exe97⤵PID:4612
-
\??\c:\pppvd.exec:\pppvd.exe98⤵PID:3592
-
\??\c:\pdpdp.exec:\pdpdp.exe99⤵PID:992
-
\??\c:\xlfllfl.exec:\xlfllfl.exe100⤵PID:4628
-
\??\c:\tnnhbt.exec:\tnnhbt.exe101⤵PID:4716
-
\??\c:\3ttnhh.exec:\3ttnhh.exe102⤵PID:1012
-
\??\c:\3pjdd.exec:\3pjdd.exe103⤵PID:2988
-
\??\c:\xflfxrr.exec:\xflfxrr.exe104⤵PID:1660
-
\??\c:\nhtnbb.exec:\nhtnbb.exe105⤵PID:3668
-
\??\c:\5htbtb.exec:\5htbtb.exe106⤵PID:2456
-
\??\c:\5jjdp.exec:\5jjdp.exe107⤵PID:4504
-
\??\c:\rllxrlf.exec:\rllxrlf.exe108⤵PID:4104
-
\??\c:\tbhnbb.exec:\tbhnbb.exe109⤵PID:4276
-
\??\c:\7hhbbb.exec:\7hhbbb.exe110⤵PID:3648
-
\??\c:\djjdv.exec:\djjdv.exe111⤵PID:3996
-
\??\c:\7rxrffr.exec:\7rxrffr.exe112⤵PID:392
-
\??\c:\lrxrllf.exec:\lrxrllf.exe113⤵PID:3548
-
\??\c:\btbbtn.exec:\btbbtn.exe114⤵PID:4872
-
\??\c:\7jdpd.exec:\7jdpd.exe115⤵PID:1664
-
\??\c:\xfrlrfx.exec:\xfrlrfx.exe116⤵PID:1000
-
\??\c:\nhnhnh.exec:\nhnhnh.exe117⤵PID:3060
-
\??\c:\pvdvp.exec:\pvdvp.exe118⤵PID:4580
-
\??\c:\jdjdd.exec:\jdjdd.exe119⤵PID:2044
-
\??\c:\1lxrllf.exec:\1lxrllf.exe120⤵PID:1640
-
\??\c:\hhnhbb.exec:\hhnhbb.exe121⤵PID:116
-
\??\c:\tnbtnn.exec:\tnbtnn.exe122⤵PID:2060