Analysis
- max time kernel: 120s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/01/2025, 06:50
Static task: static1
Behavioral task: behavioral1
Sample: 50653f3058ff70cfa695dbcb0370357795ed3e2d3eae1f03e831e4150d6614c8.exe
Resource: win7-20240903-en
General
- Target: 50653f3058ff70cfa695dbcb0370357795ed3e2d3eae1f03e831e4150d6614c8.exe
- Size: 454KB
- MD5: 93fe093020186154dac55862e030f0f2
- SHA1: a148ffbb2308f15e20d4cceff5030a0a63841c5d
- SHA256: 50653f3058ff70cfa695dbcb0370357795ed3e2d3eae1f03e831e4150d6614c8
- SHA512: fa6b0e5939d5212d748c883fe72c6cf88869130f24161192450ed18267c1ee0760a5fcfaf378331fbd3823b46c793448d45167bd14470e595a6e6e7490ff68e0
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (64 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
depth. path (cmd: command line) PID - matched signatures
1. C:\Users\Admin\AppData\Local\Temp\50653f3058ff70cfa695dbcb0370357795ed3e2d3eae1f03e831e4150d6614c8.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\50653f3058ff70cfa695dbcb0370357795ed3e2d3eae1f03e831e4150d6614c8.exe") PID 532 - Suspicious use of WriteProcessMemory
2. \??\c:\bbttnt.exe (cmd: c:\bbttnt.exe) PID 1900 - Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\jjvpv.exe (cmd: c:\jjvpv.exe) PID 3924 - Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\bnttnn.exe (cmd: c:\bnttnn.exe) PID 3052 - Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\1lrrlrr.exe (cmd: c:\1lrrlrr.exe) PID 4400 - Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\ffxxffl.exe (cmd: c:\ffxxffl.exe) PID 216 - Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\9ffxxlf.exe (cmd: c:\9ffxxlf.exe) PID 4936 - Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\hntttb.exe (cmd: c:\hntttb.exe) PID 1620 - Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\hhnnbb.exe (cmd: c:\hhnnbb.exe) PID 3896 - Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\1ddjj.exe (cmd: c:\1ddjj.exe) PID 2716 - Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\frrrrrr.exe (cmd: c:\frrrrrr.exe) PID 3880 - Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\1bbbtb.exe (cmd: c:\1bbbtb.exe) PID 3652 - Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\dvjdd.exe (cmd: c:\dvjdd.exe) PID 4424 - Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\pppdj.exe (cmd: c:\pppdj.exe) PID 1104 - Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\fllffff.exe (cmd: c:\fllffff.exe) PID 4956 - Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\tbbttt.exe (cmd: c:\tbbttt.exe) PID 4920 - Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\rlllflf.exe (cmd: c:\rlllflf.exe) PID 3968 - Executes dropped EXE; Suspicious use of WriteProcessMemory
18. \??\c:\ntthbb.exe (cmd: c:\ntthbb.exe) PID 464 - Executes dropped EXE; Suspicious use of WriteProcessMemory
19. \??\c:\llrrxfl.exe (cmd: c:\llrrxfl.exe) PID 2396 - Executes dropped EXE; Suspicious use of WriteProcessMemory
20. \??\c:\1htnnh.exe (cmd: c:\1htnnh.exe) PID 2264 - Executes dropped EXE; Suspicious use of WriteProcessMemory
21. \??\c:\9ttttt.exe (cmd: c:\9ttttt.exe) PID 1296 - Executes dropped EXE; Suspicious use of WriteProcessMemory
22. \??\c:\vdddd.exe (cmd: c:\vdddd.exe) PID 2432 - Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
23. \??\c:\lrrrflr.exe (cmd: c:\lrrrflr.exe) PID 1716 - Executes dropped EXE
24. \??\c:\bnnbtt.exe (cmd: c:\bnnbtt.exe) PID 836 - Executes dropped EXE
25. \??\c:\hhnnnt.exe (cmd: c:\hhnnnt.exe) PID 2680 - Executes dropped EXE
26. \??\c:\pjpjj.exe (cmd: c:\pjpjj.exe) PID 1928 - Executes dropped EXE
27. \??\c:\lxrlffx.exe (cmd: c:\lxrlffx.exe) PID 1100 - Executes dropped EXE
28. \??\c:\llrrlrr.exe (cmd: c:\llrrlrr.exe) PID 1780 - Executes dropped EXE
29. \??\c:\tttnhh.exe (cmd: c:\tttnhh.exe) PID 3780 - Executes dropped EXE
30. \??\c:\ddddd.exe (cmd: c:\ddddd.exe) PID 3976 - Executes dropped EXE
31. \??\c:\3jpjj.exe (cmd: c:\3jpjj.exe) PID 4036 - Executes dropped EXE
32. \??\c:\7xxxxxx.exe (cmd: c:\7xxxxxx.exe) PID 3512 - Executes dropped EXE
33. \??\c:\5bbbnt.exe (cmd: c:\5bbbnt.exe) PID 1732 - Executes dropped EXE
34. \??\c:\bhnntt.exe (cmd: c:\bhnntt.exe) PID 1196 - Executes dropped EXE
35. \??\c:\pjpjd.exe (cmd: c:\pjpjd.exe) PID 3356 - Executes dropped EXE
36. \??\c:\lrrlllf.exe (cmd: c:\lrrlllf.exe) PID 4268 - Executes dropped EXE
37. \??\c:\hnnnnn.exe (cmd: c:\hnnnnn.exe) PID 2392 - Executes dropped EXE
38. \??\c:\ttttnn.exe (cmd: c:\ttttnn.exe) PID 5056 - Executes dropped EXE
39. \??\c:\pdddd.exe (cmd: c:\pdddd.exe) PID 1160 - Executes dropped EXE
40. \??\c:\xfllxxf.exe (cmd: c:\xfllxxf.exe) PID 2436 - Executes dropped EXE
41. \??\c:\bhnntt.exe (cmd: c:\bhnntt.exe) PID 2468 - Executes dropped EXE
42. \??\c:\jpppp.exe (cmd: c:\jpppp.exe) PID 3272 - Executes dropped EXE
43. \??\c:\7djpv.exe (cmd: c:\7djpv.exe) PID 1788 - Executes dropped EXE
44. \??\c:\lrxfxlf.exe (cmd: c:\lrxfxlf.exe) PID 3956 - Executes dropped EXE
45. \??\c:\tbhbtt.exe (cmd: c:\tbhbtt.exe) PID 5076 - Executes dropped EXE
46. \??\c:\bbbbbb.exe (cmd: c:\bbbbbb.exe) PID 4048 - Executes dropped EXE
47. \??\c:\vjppp.exe (cmd: c:\vjppp.exe) PID 3504 - Executes dropped EXE
48. \??\c:\rxrrlll.exe (cmd: c:\rxrrlll.exe) PID 3136 - Executes dropped EXE
49. \??\c:\xlrrllf.exe (cmd: c:\xlrrllf.exe) PID 960 - Executes dropped EXE
50. \??\c:\7nnntb.exe (cmd: c:\7nnntb.exe) PID 4820 - Executes dropped EXE
51. \??\c:\jdpjv.exe (cmd: c:\jdpjv.exe) PID 3768 - Executes dropped EXE
52. \??\c:\lfxrlrl.exe (cmd: c:\lfxrlrl.exe) PID 4708 - Executes dropped EXE
53. \??\c:\xxxxxll.exe (cmd: c:\xxxxxll.exe) PID 1000 - Executes dropped EXE; System Location Discovery: System Language Discovery
54. \??\c:\hhnnth.exe (cmd: c:\hhnnth.exe) PID 2764 - Executes dropped EXE
55. \??\c:\vjppj.exe (cmd: c:\vjppj.exe) PID 4360 - Executes dropped EXE
56. \??\c:\lrrlllf.exe (cmd: c:\lrrlllf.exe) PID 4016 - Executes dropped EXE
57. \??\c:\hnhhhn.exe (cmd: c:\hnhhhn.exe) PID 1700 - Executes dropped EXE
58. \??\c:\vpddv.exe (cmd: c:\vpddv.exe) PID 4384 - Executes dropped EXE
59. \??\c:\bttnnn.exe (cmd: c:\bttnnn.exe) PID 400 - Executes dropped EXE
60. \??\c:\dpvvj.exe (cmd: c:\dpvvj.exe) PID 4960 - Executes dropped EXE
61. \??\c:\hntttt.exe (cmd: c:\hntttt.exe) PID 224 - Executes dropped EXE
62. \??\c:\dpvvd.exe (cmd: c:\dpvvd.exe) PID 3076 - Executes dropped EXE
63. \??\c:\pjppp.exe (cmd: c:\pjppp.exe) PID 2064 - Executes dropped EXE
64. \??\c:\flrxrrf.exe (cmd: c:\flrxrrf.exe) PID 4936 - Executes dropped EXE
65. \??\c:\bbnnhh.exe (cmd: c:\bbnnhh.exe) PID 1208 - Executes dropped EXE
66. \??\c:\5vdpp.exe (cmd: c:\5vdpp.exe) PID 1624
67. \??\c:\fxfxxxr.exe (cmd: c:\fxfxxxr.exe) PID 1432
68. \??\c:\jdddd.exe (cmd: c:\jdddd.exe) PID 3772
69. \??\c:\tbhhhn.exe (cmd: c:\tbhhhn.exe) PID 2080
70. \??\c:\jpddd.exe (cmd: c:\jpddd.exe) PID 5104
71. \??\c:\fxxxxfl.exe (cmd: c:\fxxxxfl.exe) PID 3652
72. \??\c:\hnnhhh.exe (cmd: c:\hnnhhh.exe) PID 1316
73. \??\c:\xlfrrrf.exe (cmd: c:\xlfrrrf.exe) PID 4912
74. \??\c:\bbbttb.exe (cmd: c:\bbbttb.exe) PID 1016
75. \??\c:\5vppd.exe (cmd: c:\5vppd.exe) PID 4340
76. \??\c:\5xffxxx.exe (cmd: c:\5xffxxx.exe) PID 4956
77. \??\c:\nhntbh.exe (cmd: c:\nhntbh.exe) PID 396
78. \??\c:\dvvdv.exe (cmd: c:\dvvdv.exe) PID 4592
79. \??\c:\xxflflf.exe (cmd: c:\xxflflf.exe) PID 3584
80. \??\c:\btttbb.exe (cmd: c:\btttbb.exe) PID 1080
81. \??\c:\bhnnbh.exe (cmd: c:\bhnnbh.exe) PID 384
82. \??\c:\dpdpj.exe (cmd: c:\dpdpj.exe) PID 1116
83. \??\c:\ntnnhh.exe (cmd: c:\ntnnhh.exe) PID 4604
84. \??\c:\jjddv.exe (cmd: c:\jjddv.exe) PID 4176
85. \??\c:\flrlllf.exe (cmd: c:\flrlllf.exe) PID 1500
86. \??\c:\ntnhbt.exe (cmd: c:\ntnhbt.exe) PID 1716
87. \??\c:\ddpjj.exe (cmd: c:\ddpjj.exe) PID 4040
88. \??\c:\tthbtt.exe (cmd: c:\tthbtt.exe) PID 2400
89. \??\c:\1lrlfxx.exe (cmd: c:\1lrlfxx.exe) PID 2060
90. \??\c:\nnnhhh.exe (cmd: c:\nnnhhh.exe) PID 3976 - System Location Discovery: System Language Discovery
91. \??\c:\rlfxxxf.exe (cmd: c:\rlfxxxf.exe) PID 2944
92. \??\c:\xllxlff.exe (cmd: c:\xllxlff.exe) PID 3512
93. \??\c:\bbbbth.exe (cmd: c:\bbbbth.exe) PID 1288
94. \??\c:\pjjdv.exe (cmd: c:\pjjdv.exe) PID 1504
95. \??\c:\9lrlllf.exe (cmd: c:\9lrlllf.exe) PID 3728
96. \??\c:\llrlxlf.exe (cmd: c:\llrlxlf.exe) PID 1308
97. \??\c:\tbbbnn.exe (cmd: c:\tbbbnn.exe) PID 2392
98. \??\c:\7jdvp.exe (cmd: c:\7jdvp.exe) PID 3596
99. \??\c:\3lfxllx.exe (cmd: c:\3lfxllx.exe) PID 1656
100. \??\c:\rflfrrl.exe (cmd: c:\rflfrrl.exe) PID 3224
101. \??\c:\1bnhhn.exe (cmd: c:\1bnhhn.exe) PID 2908
102. \??\c:\pjdvp.exe (cmd: c:\pjdvp.exe) PID 3272
103. \??\c:\9ddvp.exe (cmd: c:\9ddvp.exe) PID 2136
104. \??\c:\frxlxlx.exe (cmd: c:\frxlxlx.exe) PID 1076
105. \??\c:\hhtnhh.exe (cmd: c:\hhtnhh.exe) PID 4732
106. \??\c:\7vdvj.exe (cmd: c:\7vdvj.exe) PID 2464
107. \??\c:\rflfffr.exe (cmd: c:\rflfffr.exe) PID 3580
108. \??\c:\rlrlxxr.exe (cmd: c:\rlrlxxr.exe) PID 4932
109. \??\c:\3nhbtn.exe (cmd: c:\3nhbtn.exe) PID 404
110. \??\c:\jjjdv.exe (cmd: c:\jjjdv.exe) PID 3136
111. \??\c:\lrlfrlf.exe (cmd: c:\lrlfrlf.exe) PID 2576
112. \??\c:\bhbnhh.exe (cmd: c:\bhbnhh.exe) PID 5052
113. \??\c:\tntnbh.exe (cmd: c:\tntnbh.exe) PID 4768
114. \??\c:\pjjvv.exe (cmd: c:\pjjvv.exe) PID 4188
115. \??\c:\lrlxxrl.exe (cmd: c:\lrlxxrl.exe) PID 812
116. \??\c:\tbhnnh.exe (cmd: c:\tbhnnh.exe) PID 2232
117. \??\c:\bbnhbt.exe (cmd: c:\bbnhbt.exe) PID 2180
118. \??\c:\7vpjd.exe (cmd: c:\7vpjd.exe) PID 5060
119. \??\c:\rlffrrl.exe (cmd: c:\rlffrrl.exe) PID 540
120. \??\c:\fxrrrrx.exe (cmd: c:\fxrrrrx.exe) PID 460
121. \??\c:\ntnhtt.exe (cmd: c:\ntnhtt.exe) PID 4308
122. \??\c:\7vpjd.exe (cmd: c:\7vpjd.exe) PID 2724