Analysis
- max time kernel: 120s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/01/2025, 06:51
Static task: static1
Behavioral task: behavioral1
Sample: aaadec0e582d30469e62c78f7785f81bc18d2d4b571d368ede3c7ced5c4f2002.exe
Resource: win7-20240903-en
General
- Target: aaadec0e582d30469e62c78f7785f81bc18d2d4b571d368ede3c7ced5c4f2002.exe
- Size: 453KB
- MD5: a2b37b0e1585822eadc97b6f951dd2b3
- SHA1: d733f6aa95c724cf7720277b47023dc59b7e3b6f
- SHA256: aaadec0e582d30469e62c78f7785f81bc18d2d4b571d368ede3c7ced5c4f2002
- SHA512: 396950ad88e34b13f2b011e549146710ac26f99d068e6a1d85af85e33cac1fcb7d74b157eb02ba5d1598bdc57e67d3846034c484e8e5ea56b23ba83ea55e09ac
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (64 IoCs)
- Executes dropped EXE (64 IoCs)
- UPX (yara_rule upx) matched on the behavioral2 memory dumps at 0x0000000000400000-0x000000000042A000
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each process below is spawned by the one listed above it; the leading number is its depth in the process tree. Every entry gives the image path, the command line, the PID and the signatures it triggered.

1. C:\Users\Admin\AppData\Local\Temp\aaadec0e582d30469e62c78f7785f81bc18d2d4b571d368ede3c7ced5c4f2002.exe, command line "C:\Users\Admin\AppData\Local\Temp\aaadec0e582d30469e62c78f7785f81bc18d2d4b571d368ede3c7ced5c4f2002.exe" (PID 1732): Suspicious use of WriteProcessMemory
2. \??\c:\ttbhnn.exe, command line c:\ttbhnn.exe (PID 2428): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\fflfxrl.exe, command line c:\fflfxrl.exe (PID 2492): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\nhhbtn.exe, command line c:\nhhbtn.exe (PID 1272): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\dvpjj.exe, command line c:\dvpjj.exe (PID 4084): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\bntnhh.exe, command line c:\bntnhh.exe (PID 2116): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\dpjpp.exe, command line c:\dpjpp.exe (PID 4112): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\3rrfxxr.exe, command line c:\3rrfxxr.exe (PID 4068): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\xflfxlf.exe, command line c:\xflfxlf.exe (PID 3012): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\tbhbtn.exe, command line c:\tbhbtn.exe (PID 4428): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\btnnhb.exe, command line c:\btnnhb.exe (PID 1564): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\bntnnn.exe, command line c:\bntnnn.exe (PID 4252): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\vjjjj.exe, command line c:\vjjjj.exe (PID 996): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\lxxrlff.exe, command line c:\lxxrlff.exe (PID 2520): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\vpppj.exe, command line c:\vpppj.exe (PID 4688): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\3xrxlxr.exe, command line c:\3xrxlxr.exe (PID 4996): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\9hntnn.exe, command line c:\9hntnn.exe (PID 2432): Executes dropped EXE; Suspicious use of WriteProcessMemory
18. \??\c:\jvjjd.exe, command line c:\jvjjd.exe (PID 2952): Executes dropped EXE; Suspicious use of WriteProcessMemory
19. \??\c:\rllxrrl.exe, command line c:\rllxrrl.exe (PID 1388): Executes dropped EXE; Suspicious use of WriteProcessMemory
20. \??\c:\htbbtt.exe, command line c:\htbbtt.exe (PID 1972): Executes dropped EXE; Suspicious use of WriteProcessMemory
21. \??\c:\rlxrxxr.exe, command line c:\rlxrxxr.exe (PID 4712): Executes dropped EXE; Suspicious use of WriteProcessMemory
22. \??\c:\1rxrffx.exe, command line c:\1rxrffx.exe (PID 1596): Executes dropped EXE; Suspicious use of WriteProcessMemory
23. \??\c:\nhhbhb.exe, command line c:\nhhbhb.exe (PID 4780): Executes dropped EXE
24. \??\c:\pvvpj.exe, command line c:\pvvpj.exe (PID 4108): Executes dropped EXE
25. \??\c:\xrfxfff.exe, command line c:\xrfxfff.exe (PID 1056): Executes dropped EXE
26. \??\c:\pjjjp.exe, command line c:\pjjjp.exe (PID 760): Executes dropped EXE
27. \??\c:\hhnntt.exe, command line c:\hhnntt.exe (PID 1720): Executes dropped EXE
28. \??\c:\flrlxrl.exe, command line c:\flrlxrl.exe (PID 1292): Executes dropped EXE
29. \??\c:\ppjdd.exe, command line c:\ppjdd.exe (PID 3960): Executes dropped EXE
30. \??\c:\lrrrlfx.exe, command line c:\lrrrlfx.exe (PID 4812): Executes dropped EXE
31. \??\c:\lfffxxx.exe, command line c:\lfffxxx.exe (PID 392): Executes dropped EXE
32. \??\c:\tttnbn.exe, command line c:\tttnbn.exe (PID 2552): Executes dropped EXE
33. \??\c:\dddvp.exe, command line c:\dddvp.exe (PID 4448): Executes dropped EXE
34. \??\c:\7jjdp.exe, command line c:\7jjdp.exe (PID 5100): Executes dropped EXE
35. \??\c:\vjjdv.exe, command line c:\vjjdv.exe (PID 4372): Executes dropped EXE
36. \??\c:\rrllffx.exe, command line c:\rrllffx.exe (PID 3288): Executes dropped EXE
37. \??\c:\hhbbtn.exe, command line c:\hhbbtn.exe (PID 3436): Executes dropped EXE
38. \??\c:\5ttnbb.exe, command line c:\5ttnbb.exe (PID 5072): Executes dropped EXE
39. \??\c:\vpjvp.exe, command line c:\vpjvp.exe (PID 4504): Executes dropped EXE
40. \??\c:\lxlxrrl.exe, command line c:\lxlxrrl.exe (PID 5064): Executes dropped EXE
41. \??\c:\1tnbnh.exe, command line c:\1tnbnh.exe (PID 3780): Executes dropped EXE
42. \??\c:\dpvjp.exe, command line c:\dpvjp.exe (PID 3408): Executes dropped EXE
43. \??\c:\1lflxxr.exe, command line c:\1lflxxr.exe (PID 4288): Executes dropped EXE
44. \??\c:\bbhtnh.exe, command line c:\bbhtnh.exe (PID 4216): Executes dropped EXE
45. \??\c:\1dvpv.exe, command line c:\1dvpv.exe (PID 4500): Executes dropped EXE
46. \??\c:\vjpdv.exe, command line c:\vjpdv.exe (PID 2400): Executes dropped EXE
47. \??\c:\lrflrrr.exe, command line c:\lrflrrr.exe (PID 2320): Executes dropped EXE
48. \??\c:\hbnnnt.exe, command line c:\hbnnnt.exe (PID 4856): Executes dropped EXE
49. \??\c:\dvvpd.exe, command line c:\dvvpd.exe (PID 4088): Executes dropped EXE
50. \??\c:\vvjdp.exe, command line c:\vvjdp.exe (PID 1136): Executes dropped EXE
51. \??\c:\flrrlff.exe, command line c:\flrrlff.exe (PID 3460): Executes dropped EXE
52. \??\c:\hhtbhh.exe, command line c:\hhtbhh.exe (PID 3192): Executes dropped EXE
53. \??\c:\pjpdv.exe, command line c:\pjpdv.exe (PID 2144): Executes dropped EXE
54. \??\c:\jjpjv.exe, command line c:\jjpjv.exe (PID 4112): Executes dropped EXE
55. \??\c:\rrxrrfx.exe, command line c:\rrxrrfx.exe (PID 5116): Executes dropped EXE
56. \??\c:\bntbtn.exe, command line c:\bntbtn.exe (PID 3616): Executes dropped EXE
57. \??\c:\jjjdv.exe, command line c:\jjjdv.exe (PID 3320): Executes dropped EXE
58. \??\c:\rllffxf.exe, command line c:\rllffxf.exe (PID 4508): Executes dropped EXE
59. \??\c:\thhbtn.exe, command line c:\thhbtn.exe (PID 4932): Executes dropped EXE
60. \??\c:\vpvpp.exe, command line c:\vpvpp.exe (PID 3688): Executes dropped EXE
61. \??\c:\xflfxrl.exe, command line c:\xflfxrl.exe (PID 1968): Executes dropped EXE
62. \??\c:\fxrrlfx.exe, command line c:\fxrrlfx.exe (PID 4080): Executes dropped EXE
63. \??\c:\nnthtt.exe, command line c:\nnthtt.exe (PID 2824): Executes dropped EXE
64. \??\c:\vppdv.exe, command line c:\vppdv.exe (PID 2520): Executes dropped EXE
65. \??\c:\9xfrfxl.exe, command line c:\9xfrfxl.exe (PID 4688): Executes dropped EXE
66. \??\c:\tntttt.exe, command line c:\tntttt.exe (PID 1568)
67. \??\c:\htbthh.exe, command line c:\htbthh.exe (PID 3864)
68. \??\c:\vjvpd.exe, command line c:\vjvpd.exe (PID 3924)
69. \??\c:\fxflrfl.exe, command line c:\fxflrfl.exe (PID 4404)
70. \??\c:\9xfxrrl.exe, command line c:\9xfxrrl.exe (PID 2244)
71. \??\c:\tbbnhb.exe, command line c:\tbbnhb.exe (PID 628)
72. \??\c:\dpdvp.exe, command line c:\dpdvp.exe (PID 1832)
73. \??\c:\xxrlllf.exe, command line c:\xxrlllf.exe (PID 2472)
74. \??\c:\frxrrlf.exe, command line c:\frxrrlf.exe (PID 3544)
75. \??\c:\bbnhtt.exe, command line c:\bbnhtt.exe (PID 732)
76. \??\c:\djvpv.exe, command line c:\djvpv.exe (PID 4780)
77. \??\c:\7frlxxr.exe, command line c:\7frlxxr.exe (PID 1348)
78. \??\c:\lfffxll.exe, command line c:\lfffxll.exe (PID 2396)
79. \??\c:\1nttnt.exe, command line c:\1nttnt.exe (PID 1056)
80. \??\c:\jjvpj.exe, command line c:\jjvpj.exe (PID 2288)
81. \??\c:\lrxrlfx.exe, command line c:\lrxrlfx.exe (PID 468)
82. \??\c:\nbbtnh.exe, command line c:\nbbtnh.exe (PID 5112)
83. \??\c:\nhnhbt.exe, command line c:\nhnhbt.exe (PID 1292)
84. \??\c:\vjpjd.exe, command line c:\vjpjd.exe (PID 456)
85. \??\c:\lxrrllf.exe, command line c:\lxrrllf.exe (PID 4800)
86. \??\c:\rrffxll.exe, command line c:\rrffxll.exe (PID 3332)
87. \??\c:\htbtnb.exe, command line c:\htbtnb.exe (PID 2612)
88. \??\c:\5ppdv.exe, command line c:\5ppdv.exe (PID 2372)
89. \??\c:\3ffxrrl.exe, command line c:\3ffxrrl.exe (PID 316)
90. \??\c:\xffxrxr.exe, command line c:\xffxrxr.exe (PID 3576)
91. \??\c:\tnnhbt.exe, command line c:\tnnhbt.exe (PID 944)
92. \??\c:\pdjdv.exe, command line c:\pdjdv.exe (PID 3860)
93. \??\c:\rrxxfff.exe, command line c:\rrxxfff.exe (PID 2024)
94. \??\c:\thnhbb.exe, command line c:\thnhbb.exe (PID 2452)
95. \??\c:\nbbbtt.exe, command line c:\nbbbtt.exe (PID 2028)
96. \??\c:\7ddvj.exe, command line c:\7ddvj.exe (PID 712)
97. \??\c:\rlxxffx.exe, command line c:\rlxxffx.exe (PID 3436)
98. \??\c:\tnbttt.exe, command line c:\tnbttt.exe (PID 2508)
99. \??\c:\7hhbnh.exe, command line c:\7hhbnh.exe (PID 2440)
100. \??\c:\pppvp.exe, command line c:\pppvp.exe (PID 4504)
101. \??\c:\xlxxrlf.exe, command line c:\xlxxrlf.exe (PID 832)
102. \??\c:\rfrlxxr.exe, command line c:\rfrlxxr.exe (PID 2772)
103. \??\c:\hthbtt.exe, command line c:\hthbtt.exe (PID 4596)
104. \??\c:\pjpdv.exe, command line c:\pjpdv.exe (PID 4276)
105. \??\c:\pjjdp.exe, command line c:\pjjdp.exe (PID 2876)
106. \??\c:\bbbhbb.exe, command line c:\bbbhbb.exe (PID 4412)
107. \??\c:\tbhtnh.exe, command line c:\tbhtnh.exe (PID 4864)
108. \??\c:\1vvjd.exe, command line c:\1vvjd.exe (PID 1684): System Location Discovery: System Language Discovery
109. \??\c:\lrlfxxx.exe, command line c:\lrlfxxx.exe (PID 5032)
110. \??\c:\rfxrllf.exe, command line c:\rfxrllf.exe (PID 3080)
111. \??\c:\htbttt.exe, command line c:\htbttt.exe (PID 3024)
112. \??\c:\5ppjv.exe, command line c:\5ppjv.exe (PID 1028)
113. \??\c:\ddvvv.exe, command line c:\ddvvv.exe (PID 2692)
114. \??\c:\rllrlfr.exe, command line c:\rllrlfr.exe (PID 2116)
115. \??\c:\tthhbh.exe, command line c:\tthhbh.exe (PID 4608)
116. \??\c:\pjvpj.exe, command line c:\pjvpj.exe (PID 4612)
117. \??\c:\jddvj.exe, command line c:\jddvj.exe (PID 3628): System Location Discovery: System Language Discovery
118. \??\c:\xxxxrll.exe, command line c:\xxxxrll.exe (PID 3452)
119. \??\c:\thnnbb.exe, command line c:\thnnbb.exe (PID 3108)
120. \??\c:\nhhbhb.exe, command line c:\nhhbhb.exe (PID 2224)
121. \??\c:\jdpdd.exe, command line c:\jdpdd.exe (PID 4284)
122. \??\c:\rlfxxxr.exe, command line c:\rlfxxxr.exe (PID 2824)