Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
18/08/2024, 10:21
Behavioral task
behavioral1
Sample
3cde120534bd025cbb5fe6309adff820N.exe
Resource
win7-20240704-en
6 signatures
120 seconds
General
-
Target
3cde120534bd025cbb5fe6309adff820N.exe
-
Size
66KB
-
MD5
3cde120534bd025cbb5fe6309adff820
-
SHA1
20c06204c8221e5c8f7dbac06decd2142780dc45
-
SHA256
4d187763423dc8b8326126654012bd2aa2ddfeb3580307fd9153e9fb314bfc6c
-
SHA512
0eaeff459d4bfe32a5ccb6729cecc76639669cd0dd486f454f340267dfa7b95bdecdba74912692f4d0c30c70d9bd15adebe5ed32e2ad4c27be292486c27f0176
-
SSDEEP
1536:WvQBeOGtrYS3srx93UBWfwC6Ggnouy8DKsrQHbhnyLFWZ:WhOmTsF93UYfwC6GIoutz075yL6
Malware Config
Signatures
-
Detect Blackmoon payload 58 IoCs
resource yara_rule behavioral1/memory/480-6-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2920-21-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1640-17-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2776-39-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2312-30-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1172-59-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1896-56-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2668-89-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1444-85-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1444-78-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1448-76-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1448-72-0x0000000000220000-0x0000000000252000-memory.dmp family_blackmoon behavioral1/memory/2748-104-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2024-138-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2568-128-0x0000000000220000-0x0000000000252000-memory.dmp family_blackmoon behavioral1/memory/1476-146-0x0000000000220000-0x0000000000252000-memory.dmp family_blackmoon behavioral1/memory/1764-150-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1336-167-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/808-179-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2756-176-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1044-194-0x0000000000220000-0x0000000000252000-memory.dmp family_blackmoon 
behavioral1/memory/1440-213-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2088-223-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2088-221-0x00000000003C0000-0x00000000003F2000-memory.dmp family_blackmoon behavioral1/memory/1556-248-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1060-268-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1060-266-0x0000000000220000-0x0000000000252000-memory.dmp family_blackmoon behavioral1/memory/1904-296-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2452-305-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2388-320-0x00000000003B0000-0x00000000003E2000-memory.dmp family_blackmoon behavioral1/memory/2456-313-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2468-327-0x0000000000220000-0x0000000000252000-memory.dmp family_blackmoon behavioral1/memory/2264-347-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2456-312-0x00000000002A0000-0x00000000002D2000-memory.dmp family_blackmoon behavioral1/memory/2608-372-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1992-379-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/676-285-0x00000000002D0000-0x0000000000302000-memory.dmp family_blackmoon behavioral1/memory/676-287-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2652-401-0x0000000000230000-0x0000000000262000-memory.dmp family_blackmoon behavioral1/memory/2652-400-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2700-393-0x00000000003A0000-0x00000000003D2000-memory.dmp family_blackmoon behavioral1/memory/2512-414-0x0000000000220000-0x0000000000252000-memory.dmp family_blackmoon 
behavioral1/memory/2512-415-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/940-428-0x00000000003C0000-0x00000000003F2000-memory.dmp family_blackmoon behavioral1/memory/1628-441-0x00000000003A0000-0x00000000003D2000-memory.dmp family_blackmoon behavioral1/memory/2148-510-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1036-529-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/2384-555-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/864-600-0x00000000002D0000-0x0000000000302000-memory.dmp family_blackmoon behavioral1/memory/1076-624-0x00000000002C0000-0x00000000002F2000-memory.dmp family_blackmoon behavioral1/memory/2672-647-0x00000000001B0000-0x00000000001E2000-memory.dmp family_blackmoon behavioral1/memory/2680-675-0x0000000000230000-0x0000000000262000-memory.dmp family_blackmoon behavioral1/memory/3016-695-0x0000000000440000-0x0000000000472000-memory.dmp family_blackmoon behavioral1/memory/2900-834-0x0000000000220000-0x0000000000252000-memory.dmp family_blackmoon behavioral1/memory/2256-892-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1420-1075-0x0000000000400000-0x0000000000432000-memory.dmp family_blackmoon behavioral1/memory/1904-1112-0x0000000000220000-0x0000000000252000-memory.dmp family_blackmoon behavioral1/memory/2472-1133-0x0000000000220000-0x0000000000252000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1640 btttbb.exe 2920 ddpvd.exe 2312 7fxrffr.exe 2776 fffllff.exe 1896 bnbbhh.exe 1172 jdppj.exe 1448 rllrxxf.exe 1444 tnhtbb.exe 2668 thttnb.exe 2748 vpdjj.exe 2908 xrfllrf.exe 2572 hhbnht.exe 2568 jpvdd.exe 2024 7vvdj.exe 1476 rlxfflr.exe 1764 thnttb.exe 1336 bnbnth.exe 2756 fxrrlrl.exe 808 9xrflrf.exe 1044 hthhhn.exe 2876 vjvvv.exe 1440 7xlrrrx.exe 2088 7frxffl.exe 2400 1nhntb.exe 996 1bnbnn.exe 1556 jdjjp.exe 1828 vpjjj.exe 1060 lfrrxxr.exe 532 9rfrxxx.exe 676 7bbtbt.exe 1904 5jddj.exe 2452 frfrflr.exe 2456 1rffllr.exe 2388 9bbbtb.exe 2468 9tntnn.exe 1696 5pjvp.exe 1568 vjvvd.exe 2264 rlrxlfx.exe 2404 3rlfllr.exe 936 1bbntt.exe 2160 nhnnbb.exe 2608 hbnnbh.exe 1992 jdddd.exe 2640 5dpvd.exe 2700 rffllll.exe 2652 xxfxxxf.exe 2632 5rfrxfx.exe 2512 thtntt.exe 2592 7bntnn.exe 940 jjdpv.exe 1908 jvjpp.exe 1628 llfrlrx.exe 1488 xrxflxr.exe 1472 hbthbt.exe 796 3nhtht.exe 392 pjvdd.exe 1124 rllrflf.exe 1424 7hnbhh.exe 1096 pjddp.exe 1120 3fflxxl.exe 2172 lxrlrrx.exe 2880 9nbhtb.exe 1280 hhtnhh.exe 2148 3pjpj.exe -
resource yara_rule behavioral1/files/0x00090000000120f1-4.dat upx behavioral1/memory/480-6-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/1640-8-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/2920-21-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x0008000000015d10-19.dat upx behavioral1/memory/1640-17-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x0008000000015d51-37.dat upx behavioral1/files/0x0008000000015d39-27.dat upx behavioral1/memory/2776-39-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/2312-30-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/1896-46-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x0007000000015d71-45.dat upx behavioral1/memory/1896-50-0x0000000000220000-0x0000000000252000-memory.dmp upx behavioral1/memory/1172-59-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x0007000000015d79-57.dat upx behavioral1/memory/1896-56-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x0007000000015d81-65.dat upx behavioral1/memory/2668-89-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x0007000000016ccd-95.dat upx behavioral1/files/0x0009000000015f19-87.dat upx behavioral1/memory/1444-85-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/1444-78-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x0009000000015eb1-77.dat upx behavioral1/memory/1448-76-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/1448-72-0x0000000000220000-0x0000000000252000-memory.dmp upx behavioral1/files/0x0006000000016d20-103.dat upx behavioral1/memory/2748-104-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x0006000000016d30-111.dat upx behavioral1/files/0x0006000000016d39-120.dat upx behavioral1/memory/2568-121-0x0000000000400000-0x0000000000432000-memory.dmp 
upx behavioral1/files/0x0006000000016d49-139.dat upx behavioral1/memory/2024-138-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x0006000000016d41-131.dat upx behavioral1/memory/1764-150-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x0006000000016d5d-149.dat upx behavioral1/files/0x0006000000016d62-157.dat upx behavioral1/memory/1336-165-0x0000000000440000-0x0000000000472000-memory.dmp upx behavioral1/files/0x0006000000016d66-169.dat upx behavioral1/memory/2756-168-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/1336-167-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x0006000000016d6d-177.dat upx behavioral1/memory/808-179-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/2756-176-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x0006000000016d89-188.dat upx behavioral1/files/0x0006000000016dde-196.dat upx behavioral1/files/0x0006000000016de1-205.dat upx behavioral1/files/0x0006000000016de9-212.dat upx behavioral1/memory/1440-213-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/2088-223-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x0006000000016ec4-222.dat upx behavioral1/files/0x0006000000017041-231.dat upx behavioral1/files/0x0006000000017487-240.dat upx behavioral1/files/0x0006000000017491-249.dat upx behavioral1/memory/1556-248-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x00060000000174ca-259.dat upx behavioral1/memory/1060-268-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/532-269-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x0009000000018671-267.dat upx behavioral1/files/0x000500000001867d-277.dat upx behavioral1/files/0x00050000000186de-288.dat upx behavioral1/memory/1904-296-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/files/0x00050000000186e4-297.dat upx 
behavioral1/memory/2452-305-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral1/memory/2388-320-0x00000000003B0000-0x00000000003E2000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfrfrx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
hbthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 480 wrote to memory of 1640 480 3cde120534bd025cbb5fe6309adff820N.exe 28 PID 480 wrote to memory of 1640 480 3cde120534bd025cbb5fe6309adff820N.exe 28 PID 480 wrote to memory of 1640 480 3cde120534bd025cbb5fe6309adff820N.exe 28 PID 480 wrote to memory of 1640 480 3cde120534bd025cbb5fe6309adff820N.exe 28 PID 1640 wrote to memory of 2920 1640 btttbb.exe 29 PID 1640 wrote to memory of 2920 1640 btttbb.exe 29 PID 1640 wrote to memory of 2920 1640 btttbb.exe 29 PID 1640 wrote to memory of 2920 1640 btttbb.exe 29 PID 2920 wrote to memory of 2312 2920 ddpvd.exe 30 PID 2920 wrote to memory of 2312 2920 ddpvd.exe 30 PID 2920 wrote to memory of 2312 2920 ddpvd.exe 30 PID 2920 wrote to memory of 2312 2920 ddpvd.exe 30 PID 2312 wrote to memory of 2776 2312 7fxrffr.exe 31 PID 2312 wrote to memory of 2776 2312 7fxrffr.exe 31 PID 2312 wrote to memory of 2776 2312 7fxrffr.exe 31 PID 2312 wrote to memory of 2776 2312 7fxrffr.exe 31 PID 2776 wrote to memory of 1896 2776 fffllff.exe 32 PID 2776 wrote to memory of 1896 2776 fffllff.exe 32 PID 2776 wrote to memory of 1896 2776 fffllff.exe 32 PID 2776 wrote to memory of 1896 2776 fffllff.exe 32 PID 1896 wrote to memory of 1172 1896 bnbbhh.exe 33 PID 1896 wrote to memory of 1172 1896 bnbbhh.exe 33 PID 1896 wrote to memory of 1172 1896 bnbbhh.exe 33 PID 1896 wrote to memory of 1172 1896 bnbbhh.exe 33 PID 1172 wrote to memory of 1448 1172 jdppj.exe 34 PID 1172 wrote to memory of 1448 1172 jdppj.exe 34 PID 1172 wrote to memory of 1448 1172 jdppj.exe 34 PID 1172 wrote to memory of 1448 1172 jdppj.exe 34 PID 1448 wrote to memory of 1444 1448 rllrxxf.exe 35 PID 1448 wrote to memory of 1444 1448 rllrxxf.exe 35 PID 1448 wrote to memory of 1444 1448 rllrxxf.exe 35 PID 1448 wrote to memory of 1444 1448 rllrxxf.exe 35 PID 1444 wrote to memory of 2668 1444 tnhtbb.exe 36 PID 1444 wrote to memory of 2668 1444 tnhtbb.exe 36 PID 1444 wrote to memory of 2668 1444 tnhtbb.exe 36 PID 1444 wrote to memory of 2668 1444 
tnhtbb.exe 36 PID 2668 wrote to memory of 2748 2668 thttnb.exe 37 PID 2668 wrote to memory of 2748 2668 thttnb.exe 37 PID 2668 wrote to memory of 2748 2668 thttnb.exe 37 PID 2668 wrote to memory of 2748 2668 thttnb.exe 37 PID 2748 wrote to memory of 2908 2748 vpdjj.exe 38 PID 2748 wrote to memory of 2908 2748 vpdjj.exe 38 PID 2748 wrote to memory of 2908 2748 vpdjj.exe 38 PID 2748 wrote to memory of 2908 2748 vpdjj.exe 38 PID 2908 wrote to memory of 2572 2908 xrfllrf.exe 39 PID 2908 wrote to memory of 2572 2908 xrfllrf.exe 39 PID 2908 wrote to memory of 2572 2908 xrfllrf.exe 39 PID 2908 wrote to memory of 2572 2908 xrfllrf.exe 39 PID 2572 wrote to memory of 2568 2572 hhbnht.exe 40 PID 2572 wrote to memory of 2568 2572 hhbnht.exe 40 PID 2572 wrote to memory of 2568 2572 hhbnht.exe 40 PID 2572 wrote to memory of 2568 2572 hhbnht.exe 40 PID 2568 wrote to memory of 2024 2568 jpvdd.exe 41 PID 2568 wrote to memory of 2024 2568 jpvdd.exe 41 PID 2568 wrote to memory of 2024 2568 jpvdd.exe 41 PID 2568 wrote to memory of 2024 2568 jpvdd.exe 41 PID 2024 wrote to memory of 1476 2024 7vvdj.exe 42 PID 2024 wrote to memory of 1476 2024 7vvdj.exe 42 PID 2024 wrote to memory of 1476 2024 7vvdj.exe 42 PID 2024 wrote to memory of 1476 2024 7vvdj.exe 42 PID 1476 wrote to memory of 1764 1476 rlxfflr.exe 43 PID 1476 wrote to memory of 1764 1476 rlxfflr.exe 43 PID 1476 wrote to memory of 1764 1476 rlxfflr.exe 43 PID 1476 wrote to memory of 1764 1476 rlxfflr.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3cde120534bd025cbb5fe6309adff820N.exe"C:\Users\Admin\AppData\Local\Temp\3cde120534bd025cbb5fe6309adff820N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:480 -
\??\c:\btttbb.exec:\btttbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\ddpvd.exec:\ddpvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\7fxrffr.exec:\7fxrffr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\fffllff.exec:\fffllff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\bnbbhh.exec:\bnbbhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\jdppj.exec:\jdppj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\rllrxxf.exec:\rllrxxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\tnhtbb.exec:\tnhtbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\thttnb.exec:\thttnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\vpdjj.exec:\vpdjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\xrfllrf.exec:\xrfllrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\hhbnht.exec:\hhbnht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\jpvdd.exec:\jpvdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\7vvdj.exec:\7vvdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\rlxfflr.exec:\rlxfflr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\thnttb.exec:\thnttb.exe17⤵
- Executes dropped EXE
PID:1764 -
\??\c:\bnbnth.exec:\bnbnth.exe18⤵
- Executes dropped EXE
PID:1336 -
\??\c:\fxrrlrl.exec:\fxrrlrl.exe19⤵
- Executes dropped EXE
PID:2756 -
\??\c:\9xrflrf.exec:\9xrflrf.exe20⤵
- Executes dropped EXE
PID:808 -
\??\c:\hthhhn.exec:\hthhhn.exe21⤵
- Executes dropped EXE
PID:1044 -
\??\c:\vjvvv.exec:\vjvvv.exe22⤵
- Executes dropped EXE
PID:2876 -
\??\c:\7xlrrrx.exec:\7xlrrrx.exe23⤵
- Executes dropped EXE
PID:1440 -
\??\c:\7frxffl.exec:\7frxffl.exe24⤵
- Executes dropped EXE
PID:2088 -
\??\c:\1nhntb.exec:\1nhntb.exe25⤵
- Executes dropped EXE
PID:2400 -
\??\c:\1bnbnn.exec:\1bnbnn.exe26⤵
- Executes dropped EXE
PID:996 -
\??\c:\jdjjp.exec:\jdjjp.exe27⤵
- Executes dropped EXE
PID:1556 -
\??\c:\vpjjj.exec:\vpjjj.exe28⤵
- Executes dropped EXE
PID:1828 -
\??\c:\lfrrxxr.exec:\lfrrxxr.exe29⤵
- Executes dropped EXE
PID:1060 -
\??\c:\9rfrxxx.exec:\9rfrxxx.exe30⤵
- Executes dropped EXE
PID:532 -
\??\c:\7bbtbt.exec:\7bbtbt.exe31⤵
- Executes dropped EXE
PID:676 -
\??\c:\5jddj.exec:\5jddj.exe32⤵
- Executes dropped EXE
PID:1904 -
\??\c:\frfrflr.exec:\frfrflr.exe33⤵
- Executes dropped EXE
PID:2452 -
\??\c:\1rffllr.exec:\1rffllr.exe34⤵
- Executes dropped EXE
PID:2456 -
\??\c:\9bbbtb.exec:\9bbbtb.exe35⤵
- Executes dropped EXE
PID:2388 -
\??\c:\9tntnn.exec:\9tntnn.exe36⤵
- Executes dropped EXE
PID:2468 -
\??\c:\5pjvp.exec:\5pjvp.exe37⤵
- Executes dropped EXE
PID:1696 -
\??\c:\vjvvd.exec:\vjvvd.exe38⤵
- Executes dropped EXE
PID:1568 -
\??\c:\rlrxlfx.exec:\rlrxlfx.exe39⤵
- Executes dropped EXE
PID:2264 -
\??\c:\3rlfllr.exec:\3rlfllr.exe40⤵
- Executes dropped EXE
PID:2404 -
\??\c:\1bbntt.exec:\1bbntt.exe41⤵
- Executes dropped EXE
PID:936 -
\??\c:\nhnnbb.exec:\nhnnbb.exe42⤵
- Executes dropped EXE
PID:2160 -
\??\c:\hbnnbh.exec:\hbnnbh.exe43⤵
- Executes dropped EXE
PID:2608 -
\??\c:\jdddd.exec:\jdddd.exe44⤵
- Executes dropped EXE
PID:1992 -
\??\c:\5dpvd.exec:\5dpvd.exe45⤵
- Executes dropped EXE
PID:2640 -
\??\c:\rffllll.exec:\rffllll.exe46⤵
- Executes dropped EXE
PID:2700 -
\??\c:\xxfxxxf.exec:\xxfxxxf.exe47⤵
- Executes dropped EXE
PID:2652 -
\??\c:\5rfrxfx.exec:\5rfrxfx.exe48⤵
- Executes dropped EXE
PID:2632 -
\??\c:\thtntt.exec:\thtntt.exe49⤵
- Executes dropped EXE
PID:2512 -
\??\c:\7bntnn.exec:\7bntnn.exe50⤵
- Executes dropped EXE
PID:2592 -
\??\c:\jjdpv.exec:\jjdpv.exe51⤵
- Executes dropped EXE
PID:940 -
\??\c:\jvjpp.exec:\jvjpp.exe52⤵
- Executes dropped EXE
PID:1908 -
\??\c:\llfrlrx.exec:\llfrlrx.exe53⤵
- Executes dropped EXE
PID:1628 -
\??\c:\xrxflxr.exec:\xrxflxr.exe54⤵
- Executes dropped EXE
PID:1488 -
\??\c:\hbthbt.exec:\hbthbt.exe55⤵
- Executes dropped EXE
PID:1472 -
\??\c:\3nhtht.exec:\3nhtht.exe56⤵
- Executes dropped EXE
PID:796 -
\??\c:\pjvdd.exec:\pjvdd.exe57⤵
- Executes dropped EXE
PID:392 -
\??\c:\rllrflf.exec:\rllrflf.exe58⤵
- Executes dropped EXE
PID:1124 -
\??\c:\7hnbhh.exec:\7hnbhh.exe59⤵
- Executes dropped EXE
PID:1424 -
\??\c:\pjddp.exec:\pjddp.exe60⤵
- Executes dropped EXE
PID:1096 -
\??\c:\3fflxxl.exec:\3fflxxl.exe61⤵
- Executes dropped EXE
PID:1120 -
\??\c:\lxrlrrx.exec:\lxrlrrx.exe62⤵
- Executes dropped EXE
PID:2172 -
\??\c:\9nbhtb.exec:\9nbhtb.exe63⤵
- Executes dropped EXE
PID:2880 -
\??\c:\hhtnhh.exec:\hhtnhh.exe64⤵
- Executes dropped EXE
PID:1280 -
\??\c:\3pjpj.exec:\3pjpj.exe65⤵
- Executes dropped EXE
PID:2148 -
\??\c:\jdddj.exec:\jdddj.exe66⤵PID:2352
-
\??\c:\rfrxflx.exec:\rfrxflx.exe67⤵PID:1036
-
\??\c:\fxfxllr.exec:\fxfxllr.exe68⤵PID:296
-
\??\c:\bthhhb.exec:\bthhhb.exe69⤵PID:596
-
\??\c:\9jpjv.exec:\9jpjv.exe70⤵PID:2044
-
\??\c:\rrlrlrx.exec:\rrlrlrx.exe71⤵PID:2384
-
\??\c:\xrlxffl.exec:\xrlxffl.exe72⤵PID:2232
-
\??\c:\nhbhnb.exec:\nhbhnb.exe73⤵PID:2704
-
\??\c:\pjpdd.exec:\pjpdd.exe74⤵PID:872
-
\??\c:\pjvvv.exec:\pjvvv.exe75⤵PID:1904
-
\??\c:\rxfllfl.exec:\rxfllfl.exe76⤵PID:2300
-
\??\c:\rfrxxxf.exec:\rfrxxxf.exe77⤵PID:1572
-
\??\c:\btnbhh.exec:\btnbhh.exe78⤵PID:1940
-
\??\c:\7thnnt.exec:\7thnnt.exe79⤵PID:864
-
\??\c:\pdpvv.exec:\pdpvv.exe80⤵PID:2080
-
\??\c:\vdvjv.exec:\vdvjv.exe81⤵PID:1604
-
\??\c:\frlfllr.exec:\frlfllr.exe82⤵PID:1076
-
\??\c:\1thhhn.exec:\1thhhn.exe83⤵PID:2256
-
\??\c:\htbbbb.exec:\htbbbb.exe84⤵PID:2836
-
\??\c:\7dpvj.exec:\7dpvj.exe85⤵PID:2248
-
\??\c:\rfrflrr.exec:\rfrflrr.exe86⤵PID:2672
-
\??\c:\5lllllr.exec:\5lllllr.exe87⤵PID:2656
-
\??\c:\bthnhh.exec:\bthnhh.exe88⤵PID:2144
-
\??\c:\5bttht.exec:\5bttht.exe89⤵PID:2828
-
\??\c:\jdvjv.exec:\jdvjv.exe90⤵PID:2680
-
\??\c:\pjvdj.exec:\pjvdj.exe91⤵PID:2668
-
\??\c:\xrxrffl.exec:\xrxrffl.exe92⤵PID:1720
-
\??\c:\rffffxr.exec:\rffffxr.exe93⤵PID:3016
-
\??\c:\ttnthn.exec:\ttnthn.exe94⤵PID:2024
-
\??\c:\1bbnnh.exec:\1bbnnh.exe95⤵PID:2216
-
\??\c:\bnbntt.exec:\bnbntt.exe96⤵PID:1400
-
\??\c:\jdvvd.exec:\jdvvd.exe97⤵PID:2792
-
\??\c:\vpvpp.exec:\vpvpp.exe98⤵PID:1408
-
\??\c:\3xrfflr.exec:\3xrfflr.exe99⤵PID:2756
-
\??\c:\xxrfxfx.exec:\xxrfxfx.exe100⤵PID:392
-
\??\c:\3rlxrrx.exec:\3rlxrrx.exe101⤵PID:2040
-
\??\c:\5htbnt.exec:\5htbnt.exe102⤵PID:1424
-
\??\c:\5htttt.exec:\5htttt.exe103⤵PID:3044
-
\??\c:\ttnbth.exec:\ttnbth.exe104⤵PID:1120
-
\??\c:\3pddd.exec:\3pddd.exe105⤵PID:2368
-
\??\c:\dpvpv.exec:\dpvpv.exe106⤵PID:2880
-
\??\c:\lxllxxl.exec:\lxllxxl.exe107⤵PID:2360
-
\??\c:\xrrrfxf.exec:\xrrrfxf.exe108⤵PID:1724
-
\??\c:\lxlrffl.exec:\lxlrffl.exe109⤵PID:2116
-
\??\c:\bthbhn.exec:\bthbhn.exe110⤵PID:1532
-
\??\c:\tnntth.exec:\tnntth.exe111⤵PID:2184
-
\??\c:\nhnnth.exec:\nhnnth.exe112⤵PID:1420
-
\??\c:\1dppd.exec:\1dppd.exe113⤵PID:1828
-
\??\c:\fxlrrlr.exec:\fxlrrlr.exe114⤵PID:1548
-
\??\c:\7xlrrrr.exec:\7xlrrrr.exe115⤵PID:532
-
\??\c:\rfrxxff.exec:\rfrxxff.exe116⤵PID:2900
-
\??\c:\tnhnhb.exec:\tnhnhb.exe117⤵PID:2924
-
\??\c:\jjvpj.exec:\jjvpj.exe118⤵PID:1640
-
\??\c:\pdppj.exec:\pdppj.exe119⤵PID:1300
-
\??\c:\5rfrxfx.exec:\5rfrxfx.exe120⤵PID:2596
-
\??\c:\xrlrrrx.exec:\xrlrrrx.exe121⤵PID:1572
-
\??\c:\lfrlxfl.exec:\lfrlxfl.exe122⤵PID:2152