Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2024, 21:33
Static task: static1
Behavioral task: behavioral1
Sample: 3194648a861f3bbbf39799bc5425568321a60e749dc53f8be940c0608e3d94a4.exe
Resource: win7-20240903-en
General
Target: 3194648a861f3bbbf39799bc5425568321a60e749dc53f8be940c0608e3d94a4.exe
Size: 453KB
MD5: 483c5dbbd2ad5cfedd2e7e1c0ed6b6ac
SHA1: 21778785e8b4e0875817b1e07f059c2e95f18be5
SHA256: 3194648a861f3bbbf39799bc5425568321a60e749dc53f8be940c0608e3d94a4
SHA512: c479e66f7b441e96c897913a1e6ffa20a88ab194ef4e771a31359a2c6ab165a7057fdb43ea84859f37b475b57a29210650d20c0df81ebcf12d9c116a846b4a94
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeG:q7Tc2NYHUrAwfMp3CDG
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 64 IoCs
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process chain as recorded by the sandbox; the leading number is the depth in the tree, each entry the child of the one before it. Signatures triggered by that process follow the PID.
1. C:\Users\Admin\AppData\Local\Temp\3194648a861f3bbbf39799bc5425568321a60e749dc53f8be940c0608e3d94a4.exe (PID 876): Suspicious use of WriteProcessMemory
2. \??\c:\tbbnnh.exe (PID 2672): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\jvpdp.exe (PID 3088): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\ddjvd.exe (PID 1492): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\rrxxxlx.exe (PID 3640): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\lfxrxrx.exe (PID 1704): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\bhntth.exe (PID 820): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\dvjjp.exe (PID 5032): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\fffrfxl.exe (PID 516): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\1vjvj.exe (PID 640): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\fffxxxx.exe (PID 3508): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\rrfrlxr.exe (PID 4048): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\ddvpd.exe (PID 4884): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\lxlfrfr.exe (PID 1900): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\httnhn.exe (PID 3732): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\vvdvv.exe (PID 4408): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\fllfrlr.exe (PID 4820): Executes dropped EXE; Suspicious use of WriteProcessMemory
18. \??\c:\7nhtnh.exe (PID 532): Executes dropped EXE; Suspicious use of WriteProcessMemory
19. \??\c:\ntbhnh.exe (PID 4864): Executes dropped EXE; Suspicious use of WriteProcessMemory
20. \??\c:\jpdpd.exe (PID 3696): Executes dropped EXE; Suspicious use of WriteProcessMemory
21. \??\c:\tbnhhb.exe (PID 2540): Executes dropped EXE; Suspicious use of WriteProcessMemory
22. \??\c:\dpvdp.exe (PID 1472): Executes dropped EXE; Suspicious use of WriteProcessMemory
23. \??\c:\btthbt.exe (PID 4292): Executes dropped EXE
24. \??\c:\hbnbnh.exe (PID 4464): Executes dropped EXE
25. \??\c:\7jvjv.exe (PID 1104): Executes dropped EXE
26. \??\c:\3flxfrl.exe (PID 4996): Executes dropped EXE
27. \??\c:\flfxffr.exe (PID 1360): Executes dropped EXE
28. \??\c:\5vdvj.exe (PID 2708): Executes dropped EXE
29. \??\c:\xxxrlfx.exe (PID 1664): Executes dropped EXE
30. \??\c:\3hhbhh.exe (PID 4536): Executes dropped EXE
31. \??\c:\frxlrlx.exe (PID 2256): Executes dropped EXE
32. \??\c:\xxlflll.exe (PID 1784): Executes dropped EXE
33. \??\c:\vvvjd.exe (PID 3156): Executes dropped EXE
34. \??\c:\jpjjv.exe (PID 2212): Executes dropped EXE
35. \??\c:\lxxrrll.exe (PID 2608): Executes dropped EXE
36. \??\c:\5bhbhn.exe (PID 4244): Executes dropped EXE
37. \??\c:\jvppj.exe (PID 2940): Executes dropped EXE
38. \??\c:\9ppdv.exe (PID 4476): Executes dropped EXE
39. \??\c:\9xxrllf.exe (PID 2800): Executes dropped EXE
40. \??\c:\fxrlfrl.exe (PID 4124): Executes dropped EXE
41. \??\c:\tbhnbn.exe (PID 3260): Executes dropped EXE
42. \??\c:\vvjdd.exe (PID 4524): Executes dropped EXE
43. \??\c:\vjjdv.exe (PID 4284): Executes dropped EXE
44. \??\c:\7rrlxxr.exe (PID 3128): Executes dropped EXE
45. \??\c:\htnbtn.exe (PID 3980): Executes dropped EXE
46. \??\c:\hbbttt.exe (PID 2420): Executes dropped EXE
47. \??\c:\vvvjj.exe (PID 3844): Executes dropped EXE
48. \??\c:\fxxlfxx.exe (PID 1228): Executes dropped EXE
49. \??\c:\nnbhtb.exe (PID 972): Executes dropped EXE
50. \??\c:\thhtnh.exe (PID 2148): Executes dropped EXE
51. \??\c:\xllrlrr.exe (PID 820): Executes dropped EXE
52. \??\c:\9xxlxrf.exe (PID 1100): Executes dropped EXE
53. \??\c:\hthhtb.exe (PID 4592): Executes dropped EXE
54. \??\c:\dpjvp.exe (PID 2436): Executes dropped EXE
55. \??\c:\5nhthb.exe (PID 1452): Executes dropped EXE
56. \??\c:\jdjpv.exe (PID 1460): Executes dropped EXE
57. \??\c:\bnhtbt.exe (PID 4316): Executes dropped EXE
58. \??\c:\pjdvd.exe (PID 3196): Executes dropped EXE
59. \??\c:\fffxrfx.exe (PID 2116): Executes dropped EXE
60. \??\c:\fllfrlr.exe (PID 1612): Executes dropped EXE
61. \??\c:\5rxrlxr.exe (PID 1900): Executes dropped EXE
62. \??\c:\hbbthh.exe (PID 3732): Executes dropped EXE
63. \??\c:\5jpjp.exe (PID 4952): Executes dropped EXE
64. \??\c:\rrxfrxf.exe (PID 3672): Executes dropped EXE
65. \??\c:\btbbhb.exe (PID 888): Executes dropped EXE
66. \??\c:\jdjvv.exe (PID 3064)
67. \??\c:\3frfrfx.exe (PID 1660)
68. \??\c:\flfxrlf.exe (PID 3744)
69. \??\c:\bbnbtn.exe (PID 8)
70. \??\c:\dvdpp.exe (PID 2124)
71. \??\c:\1lfrxrr.exe (PID 2980)
72. \??\c:\3xrlfxl.exe (PID 944)
73. \??\c:\ththth.exe (PID 1016)
74. \??\c:\vvvpd.exe (PID 4464)
75. \??\c:\ffxxlfr.exe (PID 1104)
76. \??\c:\9bbnnh.exe (PID 2024)
77. \??\c:\pvvjv.exe (PID 4040)
78. \??\c:\1pdpd.exe (PID 2752)
79. \??\c:\rlfflfx.exe (PID 2708)
80. \??\c:\5hbthb.exe (PID 2724)
81. \??\c:\1vvdv.exe (PID 2964)
82. \??\c:\rlffrxl.exe (PID 3532)
83. \??\c:\ntbnbn.exe (PID 2216)
84. \??\c:\nnnbth.exe (PID 1784)
85. \??\c:\5dvpv.exe (PID 4428)
86. \??\c:\9ffrrll.exe (PID 4796)
87. \??\c:\bhhtbt.exe (PID 4160)
88. \??\c:\jdvjv.exe (PID 2608)
89. \??\c:\dpvjp.exe (PID 4244)
90. \??\c:\xxrxlfx.exe (PID 3516)
91. \??\c:\5htnbn.exe (PID 4144)
92. \??\c:\jppdj.exe (PID 2744)
93. \??\c:\9jjvj.exe (PID 3208)
94. \??\c:\ffxlxfr.exe (PID 5064)
95. \??\c:\tttbbn.exe (PID 3108)
96. \??\c:\7pdvv.exe (PID 3432)
97. \??\c:\ddvpj.exe (PID 3660)
98. \??\c:\9xlfxxr.exe (PID 4376)
99. \??\c:\bnbhht.exe (PID 4148)
100. \??\c:\9pvjd.exe (PID 1188)
101. \??\c:\3rxrxxl.exe (PID 3088)
102. \??\c:\xffxrll.exe (PID 3708)
103. \??\c:\nhnhbh.exe (PID 1628)
104. \??\c:\7vvpj.exe (PID 3152)
105. \??\c:\rxxfxlf.exe (PID 1280)
106. \??\c:\1ththb.exe (PID 820)
107. \??\c:\nbbthn.exe (PID 2928)
108. \??\c:\7djvp.exe (PID 3668)
109. \??\c:\9fllfff.exe (PID 3700)
110. \??\c:\lrfxrlf.exe (PID 3252)
111. \??\c:\bhtbhn.exe (PID 948)
112. \??\c:\1djdp.exe (PID 3172)
113. \??\c:\rrfxfrf.exe (PID 3132)
114. \??\c:\9nhbnn.exe (PID 4048)
115. \??\c:\jvvpj.exe (PID 5068)
116. \??\c:\rrlfxrf.exe (PID 2400)
117. \??\c:\9nbbtt.exe (PID 4084)
118. \??\c:\nbthbt.exe (PID 4380)
119. \??\c:\3jjdd.exe (PID 1708)
120. \??\c:\9xxlffx.exe (PID 720)
121. \??\c:\rfxrfxr.exe (PID 532)
122. \??\c:\nbhhbt.exe (PID 3692)