Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 15:07
Static task
static1
Behavioral task
behavioral1
Sample
820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63.exe
Resource
win7-20241010-en (note: every IoC in this report is tagged behavioral2 and the Analysis section above lists platform windows10-2004_x64 / resource win10v2004-20241007-en, so this win7 resource appears to belong to a different task than the one whose results are shown here)
General
-
Target
820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63.exe
-
Size
453KB
-
MD5
97feb28f0e447340ec6bf8dd58ba249f
-
SHA1
179b749a42ce30fb49443f3a163dde6c1b541cb1
-
SHA256
820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63
-
SHA512
5e0266f3226adf2ea72e5c1b6379f6bd5751391f23e40a1b9e5a945f7234abd4a46fe11bc7bb306d2245585a209f0f6e7fbbc3c634bbd4c94adb9b778d3b141f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (all listed hits are on memory dumps of the in-process image at 0x0000000000400000-0x000000000042A000, one per dropped process; the same regions also match the upx rule further down, so the family rule is matching the unpacked image in memory rather than any file on disk)
resource yara_rule behavioral2/memory/4856-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2724-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3312-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-868-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1904-1266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4932 bbhbtn.exe 1608 djpdp.exe 1672 bnnbtn.exe 2324 7vpjj.exe 4864 3rrlxxr.exe 4872 thnbnn.exe 4084 1tbthn.exe 2008 7jjvd.exe 3932 fxlfxrl.exe 4992 tnnbbt.exe 3240 ttnttb.exe 2760 jppjj.exe 3284 rlfrlfx.exe 1744 httnbt.exe 1812 5llxrlf.exe 3992 tbbthb.exe 4308 nbbtnh.exe 2228 jdjdd.exe 3436 xxfxffx.exe 2524 hnnbnh.exe 976 lrfxlfx.exe 3500 tbhbnn.exe 212 7jvjd.exe 1524 jpvdp.exe 2724 tbhtnb.exe 1888 tnhbtn.exe 3452 xrrlffx.exe 1660 hhhbtt.exe 3460 lxfrxrr.exe 1572 bhtttn.exe 5056 1flrffx.exe 8 lxxrlff.exe 404 pddjd.exe 4056 7lrlfxr.exe 4436 tbbtnh.exe 2232 pdvdv.exe 940 rrxrrlr.exe 2152 1hbtnb.exe 4824 thttbt.exe 3196 vjpvv.exe 2984 lffrffx.exe 2712 nbhtnh.exe 1472 dpdvj.exe 4368 lxlfrrf.exe 4356 frrlllf.exe 4640 hbhbtn.exe 1496 vjjvj.exe 3728 llxlrlr.exe 4596 frrlfxr.exe 4908 tbhbtn.exe 4132 fxxrrlf.exe 1672 lrxxrlf.exe 1900 btbttt.exe 2188 pjvjj.exe 1220 5xxrllf.exe 884 bnnbnh.exe 1460 7bbthh.exe 2180 djjdp.exe 2716 frxrlfx.exe 4648 bnbnhb.exe 4812 jdddp.exe 4032 frrlxrl.exe 3312 htttnh.exe 2192 vppjd.exe -
resource yara_rule behavioral2/memory/4856-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3452-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-334-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3440-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-698-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxrxr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrrrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (in every entry shown, the target PID is the process that the writer spawns next in the process tree below — e.g. 4856 → 4932 → 1608 → 1672 — so these are parent-to-child writes along the drop-and-execute chain; no write into an unrelated, pre-existing process is recorded in the entries listed)
description pid Process procid_target PID 4856 wrote to memory of 4932 4856 820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63.exe 82 PID 4856 wrote to memory of 4932 4856 820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63.exe 82 PID 4856 wrote to memory of 4932 4856 820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63.exe 82 PID 4932 wrote to memory of 1608 4932 bbhbtn.exe 83 PID 4932 wrote to memory of 1608 4932 bbhbtn.exe 83 PID 4932 wrote to memory of 1608 4932 bbhbtn.exe 83 PID 1608 wrote to memory of 1672 1608 djpdp.exe 84 PID 1608 wrote to memory of 1672 1608 djpdp.exe 84 PID 1608 wrote to memory of 1672 1608 djpdp.exe 84 PID 1672 wrote to memory of 2324 1672 bnnbtn.exe 85 PID 1672 wrote to memory of 2324 1672 bnnbtn.exe 85 PID 1672 wrote to memory of 2324 1672 bnnbtn.exe 85 PID 2324 wrote to memory of 4864 2324 7vpjj.exe 86 PID 2324 wrote to memory of 4864 2324 7vpjj.exe 86 PID 2324 wrote to memory of 4864 2324 7vpjj.exe 86 PID 4864 wrote to memory of 4872 4864 3rrlxxr.exe 87 PID 4864 wrote to memory of 4872 4864 3rrlxxr.exe 87 PID 4864 wrote to memory of 4872 4864 3rrlxxr.exe 87 PID 4872 wrote to memory of 4084 4872 thnbnn.exe 88 PID 4872 wrote to memory of 4084 4872 thnbnn.exe 88 PID 4872 wrote to memory of 4084 4872 thnbnn.exe 88 PID 4084 wrote to memory of 2008 4084 1tbthn.exe 89 PID 4084 wrote to memory of 2008 4084 1tbthn.exe 89 PID 4084 wrote to memory of 2008 4084 1tbthn.exe 89 PID 2008 wrote to memory of 3932 2008 7jjvd.exe 90 PID 2008 wrote to memory of 3932 2008 7jjvd.exe 90 PID 2008 wrote to memory of 3932 2008 7jjvd.exe 90 PID 3932 wrote to memory of 4992 3932 fxlfxrl.exe 91 PID 3932 wrote to memory of 4992 3932 fxlfxrl.exe 91 PID 3932 wrote to memory of 4992 3932 fxlfxrl.exe 91 PID 4992 wrote to memory of 3240 4992 tnnbbt.exe 92 PID 4992 wrote to memory of 3240 4992 tnnbbt.exe 92 PID 4992 wrote to memory of 3240 4992 tnnbbt.exe 92 PID 3240 wrote to memory of 2760 3240 ttnttb.exe 93 PID 3240 wrote to 
memory of 2760 3240 ttnttb.exe 93 PID 3240 wrote to memory of 2760 3240 ttnttb.exe 93 PID 2760 wrote to memory of 3284 2760 jppjj.exe 94 PID 2760 wrote to memory of 3284 2760 jppjj.exe 94 PID 2760 wrote to memory of 3284 2760 jppjj.exe 94 PID 3284 wrote to memory of 1744 3284 rlfrlfx.exe 95 PID 3284 wrote to memory of 1744 3284 rlfrlfx.exe 95 PID 3284 wrote to memory of 1744 3284 rlfrlfx.exe 95 PID 1744 wrote to memory of 1812 1744 httnbt.exe 96 PID 1744 wrote to memory of 1812 1744 httnbt.exe 96 PID 1744 wrote to memory of 1812 1744 httnbt.exe 96 PID 1812 wrote to memory of 3992 1812 5llxrlf.exe 97 PID 1812 wrote to memory of 3992 1812 5llxrlf.exe 97 PID 1812 wrote to memory of 3992 1812 5llxrlf.exe 97 PID 3992 wrote to memory of 4308 3992 tbbthb.exe 98 PID 3992 wrote to memory of 4308 3992 tbbthb.exe 98 PID 3992 wrote to memory of 4308 3992 tbbthb.exe 98 PID 4308 wrote to memory of 2228 4308 nbbtnh.exe 99 PID 4308 wrote to memory of 2228 4308 nbbtnh.exe 99 PID 4308 wrote to memory of 2228 4308 nbbtnh.exe 99 PID 2228 wrote to memory of 3436 2228 jdjdd.exe 100 PID 2228 wrote to memory of 3436 2228 jdjdd.exe 100 PID 2228 wrote to memory of 3436 2228 jdjdd.exe 100 PID 3436 wrote to memory of 2524 3436 xxfxffx.exe 101 PID 3436 wrote to memory of 2524 3436 xxfxffx.exe 101 PID 3436 wrote to memory of 2524 3436 xxfxffx.exe 101 PID 2524 wrote to memory of 976 2524 hnnbnh.exe 102 PID 2524 wrote to memory of 976 2524 hnnbnh.exe 102 PID 2524 wrote to memory of 976 2524 hnnbnh.exe 102 PID 976 wrote to memory of 3500 976 lrfxlfx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63.exe"C:\Users\Admin\AppData\Local\Temp\820b4f579308df5d350ce9ccd4ffd11c5106a3599d63ee8aa623fce5d6ae7c63.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\bbhbtn.exec:\bbhbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\djpdp.exec:\djpdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\bnnbtn.exec:\bnnbtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\7vpjj.exec:\7vpjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\3rrlxxr.exec:\3rrlxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\thnbnn.exec:\thnbnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\1tbthn.exec:\1tbthn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\7jjvd.exec:\7jjvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\fxlfxrl.exec:\fxlfxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\tnnbbt.exec:\tnnbbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\ttnttb.exec:\ttnttb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\jppjj.exec:\jppjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\rlfrlfx.exec:\rlfrlfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\httnbt.exec:\httnbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\5llxrlf.exec:\5llxrlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\tbbthb.exec:\tbbthb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\nbbtnh.exec:\nbbtnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\jdjdd.exec:\jdjdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\xxfxffx.exec:\xxfxffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\hnnbnh.exec:\hnnbnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\lrfxlfx.exec:\lrfxlfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\tbhbnn.exec:\tbhbnn.exe23⤵
- Executes dropped EXE
PID:3500 -
\??\c:\7jvjd.exec:\7jvjd.exe24⤵
- Executes dropped EXE
PID:212 -
\??\c:\jpvdp.exec:\jpvdp.exe25⤵
- Executes dropped EXE
PID:1524 -
\??\c:\tbhtnb.exec:\tbhtnb.exe26⤵
- Executes dropped EXE
PID:2724 -
\??\c:\tnhbtn.exec:\tnhbtn.exe27⤵
- Executes dropped EXE
PID:1888 -
\??\c:\xrrlffx.exec:\xrrlffx.exe28⤵
- Executes dropped EXE
PID:3452 -
\??\c:\hhhbtt.exec:\hhhbtt.exe29⤵
- Executes dropped EXE
PID:1660 -
\??\c:\lxfrxrr.exec:\lxfrxrr.exe30⤵
- Executes dropped EXE
PID:3460 -
\??\c:\bhtttn.exec:\bhtttn.exe31⤵
- Executes dropped EXE
PID:1572 -
\??\c:\1flrffx.exec:\1flrffx.exe32⤵
- Executes dropped EXE
PID:5056 -
\??\c:\lxxrlff.exec:\lxxrlff.exe33⤵
- Executes dropped EXE
PID:8 -
\??\c:\pddjd.exec:\pddjd.exe34⤵
- Executes dropped EXE
PID:404 -
\??\c:\7lrlfxr.exec:\7lrlfxr.exe35⤵
- Executes dropped EXE
PID:4056 -
\??\c:\tbbtnh.exec:\tbbtnh.exe36⤵
- Executes dropped EXE
PID:4436 -
\??\c:\pdvdv.exec:\pdvdv.exe37⤵
- Executes dropped EXE
PID:2232 -
\??\c:\rrxrrlr.exec:\rrxrrlr.exe38⤵
- Executes dropped EXE
PID:940 -
\??\c:\1hbtnb.exec:\1hbtnb.exe39⤵
- Executes dropped EXE
PID:2152 -
\??\c:\thttbt.exec:\thttbt.exe40⤵
- Executes dropped EXE
PID:4824 -
\??\c:\vjpvv.exec:\vjpvv.exe41⤵
- Executes dropped EXE
PID:3196 -
\??\c:\lffrffx.exec:\lffrffx.exe42⤵
- Executes dropped EXE
PID:2984 -
\??\c:\nbhtnh.exec:\nbhtnh.exe43⤵
- Executes dropped EXE
PID:2712 -
\??\c:\dpdvj.exec:\dpdvj.exe44⤵
- Executes dropped EXE
PID:1472 -
\??\c:\lxlfrrf.exec:\lxlfrrf.exe45⤵
- Executes dropped EXE
PID:4368 -
\??\c:\frrlllf.exec:\frrlllf.exe46⤵
- Executes dropped EXE
PID:4356 -
\??\c:\hbhbtn.exec:\hbhbtn.exe47⤵
- Executes dropped EXE
PID:4640 -
\??\c:\vjjvj.exec:\vjjvj.exe48⤵
- Executes dropped EXE
PID:1496 -
\??\c:\llxlrlr.exec:\llxlrlr.exe49⤵
- Executes dropped EXE
PID:3728 -
\??\c:\frrlfxr.exec:\frrlfxr.exe50⤵
- Executes dropped EXE
PID:4596 -
\??\c:\tbhbtn.exec:\tbhbtn.exe51⤵
- Executes dropped EXE
PID:4908 -
\??\c:\fxxrrlf.exec:\fxxrrlf.exe52⤵
- Executes dropped EXE
PID:4132 -
\??\c:\lrxxrlf.exec:\lrxxrlf.exe53⤵
- Executes dropped EXE
PID:1672 -
\??\c:\btbttt.exec:\btbttt.exe54⤵
- Executes dropped EXE
PID:1900 -
\??\c:\pjvjj.exec:\pjvjj.exe55⤵
- Executes dropped EXE
PID:2188 -
\??\c:\5xxrllf.exec:\5xxrllf.exe56⤵
- Executes dropped EXE
PID:1220 -
\??\c:\bnnbnh.exec:\bnnbnh.exe57⤵
- Executes dropped EXE
PID:884 -
\??\c:\7bbthh.exec:\7bbthh.exe58⤵
- Executes dropped EXE
PID:1460 -
\??\c:\djjdp.exec:\djjdp.exe59⤵
- Executes dropped EXE
PID:2180 -
\??\c:\frxrlfx.exec:\frxrlfx.exe60⤵
- Executes dropped EXE
PID:2716 -
\??\c:\bnbnhb.exec:\bnbnhb.exe61⤵
- Executes dropped EXE
PID:4648 -
\??\c:\jdddp.exec:\jdddp.exe62⤵
- Executes dropped EXE
PID:4812 -
\??\c:\frrlxrl.exec:\frrlxrl.exe63⤵
- Executes dropped EXE
PID:4032 -
\??\c:\htttnh.exec:\htttnh.exe64⤵
- Executes dropped EXE
PID:3312 -
\??\c:\vppjd.exec:\vppjd.exe65⤵
- Executes dropped EXE
PID:2192 -
\??\c:\pvdvd.exec:\pvdvd.exe66⤵PID:4896
-
\??\c:\5rrlrfx.exec:\5rrlrfx.exe67⤵PID:4072
-
\??\c:\bnnhbt.exec:\bnnhbt.exe68⤵PID:2676
-
\??\c:\5vdvp.exec:\5vdvp.exe69⤵PID:2760
-
\??\c:\pddpd.exec:\pddpd.exe70⤵PID:3284
-
\??\c:\9xrlffx.exec:\9xrlffx.exe71⤵PID:1744
-
\??\c:\tnnbbt.exec:\tnnbbt.exe72⤵PID:400
-
\??\c:\hhbbtt.exec:\hhbbtt.exe73⤵PID:2756
-
\??\c:\jjjdp.exec:\jjjdp.exe74⤵PID:5008
-
\??\c:\lflllll.exec:\lflllll.exe75⤵PID:4268
-
\??\c:\bhtnhh.exec:\bhtnhh.exe76⤵PID:2320
-
\??\c:\dpvpj.exec:\dpvpj.exe77⤵PID:4588
-
\??\c:\9fxxllf.exec:\9fxxllf.exe78⤵PID:1964
-
\??\c:\nnnhhh.exec:\nnnhhh.exe79⤵PID:2380
-
\??\c:\7jjjd.exec:\7jjjd.exe80⤵PID:1196
-
\??\c:\7llxllf.exec:\7llxllf.exe81⤵PID:3372
-
\??\c:\bntnhb.exec:\bntnhb.exe82⤵PID:3440
-
\??\c:\nnhhbt.exec:\nnhhbt.exe83⤵PID:3808
-
\??\c:\dvvdv.exec:\dvvdv.exe84⤵PID:3384
-
\??\c:\rfflxxl.exec:\rfflxxl.exe85⤵PID:1872
-
\??\c:\bnhttn.exec:\bnhttn.exe86⤵PID:3896
-
\??\c:\jjdvv.exec:\jjdvv.exe87⤵PID:4652
-
\??\c:\xflfxrl.exec:\xflfxrl.exe88⤵PID:2808
-
\??\c:\httnnn.exec:\httnnn.exe89⤵PID:464
-
\??\c:\pjjdp.exec:\pjjdp.exe90⤵PID:3776
-
\??\c:\jddvj.exec:\jddvj.exe91⤵PID:4036
-
\??\c:\lllffxx.exec:\lllffxx.exe92⤵PID:1888
-
\??\c:\btbbhh.exec:\btbbhh.exe93⤵PID:4252
-
\??\c:\djvdj.exec:\djvdj.exe94⤵PID:4216
-
\??\c:\rlrllfx.exec:\rlrllfx.exe95⤵PID:4144
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe96⤵PID:5044
-
\??\c:\5hhbnn.exec:\5hhbnn.exe97⤵PID:4796
-
\??\c:\vdjvj.exec:\vdjvj.exe98⤵PID:1796
-
\??\c:\rflfrrr.exec:\rflfrrr.exe99⤵PID:4404
-
\??\c:\tnhbtt.exec:\tnhbtt.exe100⤵PID:1028
-
\??\c:\vjpjj.exec:\vjpjj.exe101⤵PID:3836
-
\??\c:\jddpp.exec:\jddpp.exe102⤵PID:2012
-
\??\c:\llrrlll.exec:\llrrlll.exe103⤵PID:2864
-
\??\c:\nntnbt.exec:\nntnbt.exe104⤵PID:1224
-
\??\c:\pppjv.exec:\pppjv.exe105⤵PID:1368
-
\??\c:\frxlfxf.exec:\frxlfxf.exe106⤵PID:1300
-
\??\c:\bnttnn.exec:\bnttnn.exe107⤵PID:4636
-
\??\c:\nhtntn.exec:\nhtntn.exe108⤵PID:4868
-
\??\c:\jdddv.exec:\jdddv.exe109⤵PID:4256
-
\??\c:\ddddv.exec:\ddddv.exe110⤵PID:1876
-
\??\c:\7xrlffx.exec:\7xrlffx.exe111⤵PID:3416
-
\??\c:\ffrrrrx.exec:\ffrrrrx.exe112⤵PID:4468
-
\??\c:\hnnnbb.exec:\hnnnbb.exe113⤵PID:1716
-
\??\c:\vjjdv.exec:\vjjdv.exe114⤵PID:752
-
\??\c:\dvjdj.exec:\dvjdj.exe115⤵PID:4856
-
\??\c:\1xrlxrl.exec:\1xrlxrl.exe116⤵PID:4780
-
\??\c:\thbtnn.exec:\thbtnn.exe117⤵PID:1904
-
\??\c:\jdvpj.exec:\jdvpj.exe118⤵PID:3692
-
\??\c:\xffffrx.exec:\xffffrx.exe119⤵PID:3068
-
\??\c:\ntnhbb.exec:\ntnhbb.exe120⤵PID:4132
-
\??\c:\bhnhhh.exec:\bhnhhh.exe121⤵PID:3160
-
\??\c:\pvvvj.exec:\pvvvj.exe122⤵PID:1468