Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 20/09/2024, 23:04
Behavioral task
behavioral1
Sample
d84f195ae3a1834bc18a4c4419198aa7dc0dfb5c4003e2258c0671ea3f1efcb4.exe
Resource
win7-20240903-en
General
- Target: d84f195ae3a1834bc18a4c4419198aa7dc0dfb5c4003e2258c0671ea3f1efcb4.exe
- Size: 74KB
- MD5: efb2dd41a951124058486c64fdcf1de0
- SHA1: 97561983602d12b2a2d8144c502174c232948d38
- SHA256: d84f195ae3a1834bc18a4c4419198aa7dc0dfb5c4003e2258c0671ea3f1efcb4
- SHA512: 945ba8024b0133813fdc3da86da4bf0a12f0d209099c8b1030790740261dae53552775846bbad3aef0c03c792676b839468bc049ddc1c68ff9f6f608ebd619fc
- SSDEEP: 1536:vvQBeOGtrYS3srx93UBWfwC6Ggnouy8rrUxAqQDrzIksAtFOu:vhOmTsF93UYfwC6GIoutrAxAqU6AtFOu
Malware Config
Signatures
-
Detect Blackmoon payload 55 IoCs
Executes dropped EXE 64 IoCs
-
UPX packed file (yara rule upx matched on dropped files and process memory)
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d84f195ae3a1834bc18a4c4419198aa7dc0dfb5c4003e2258c0671ea3f1efcb4.exe"C:\Users\Admin\AppData\Local\Temp\d84f195ae3a1834bc18a4c4419198aa7dc0dfb5c4003e2258c0671ea3f1efcb4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\xrrrxrx.exec:\xrrrxrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\bnbhtt.exec:\bnbhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\hthhtt.exec:\hthhtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\vpvdj.exec:\vpvdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\flrlfxx.exec:\flrlfxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\7tbhth.exec:\7tbhth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\nnbtth.exec:\nnbtth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\3lllxlr.exec:\3lllxlr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\3btbtt.exec:\3btbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\jdppd.exec:\jdppd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\vvjjj.exec:\vvjjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\tnttbb.exec:\tnttbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\nhttbb.exec:\nhttbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\3vdjd.exec:\3vdjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:592 -
\??\c:\vpdvd.exec:\vpdvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\xxrfxlx.exec:\xxrfxlx.exe17⤵
- Executes dropped EXE
PID:1332 -
\??\c:\bnhttb.exec:\bnhttb.exe18⤵
- Executes dropped EXE
PID:2040 -
\??\c:\pdpvj.exec:\pdpvj.exe19⤵
- Executes dropped EXE
PID:2316 -
\??\c:\jdpdj.exec:\jdpdj.exe20⤵
- Executes dropped EXE
PID:1688 -
\??\c:\5xxllrx.exec:\5xxllrx.exe21⤵
- Executes dropped EXE
PID:1908 -
\??\c:\tnbhhh.exec:\tnbhhh.exe22⤵
- Executes dropped EXE
PID:1092 -
\??\c:\pjvjd.exec:\pjvjd.exe23⤵
- Executes dropped EXE
PID:916 -
\??\c:\dpddv.exec:\dpddv.exe24⤵
- Executes dropped EXE
PID:792 -
\??\c:\xllrxff.exec:\xllrxff.exe25⤵
- Executes dropped EXE
PID:1288 -
\??\c:\bnhbnn.exec:\bnhbnn.exe26⤵
- Executes dropped EXE
PID:1820 -
\??\c:\1jjpj.exec:\1jjpj.exe27⤵
- Executes dropped EXE
PID:2304 -
\??\c:\vpjpv.exec:\vpjpv.exe28⤵
- Executes dropped EXE
PID:1632 -
\??\c:\thnntn.exec:\thnntn.exe29⤵
- Executes dropped EXE
PID:2924 -
\??\c:\jvjvj.exec:\jvjvj.exe30⤵
- Executes dropped EXE
PID:2884 -
\??\c:\vpppd.exec:\vpppd.exe31⤵
- Executes dropped EXE
PID:2272 -
\??\c:\1xlxxfl.exec:\1xlxxfl.exe32⤵
- Executes dropped EXE
PID:2612 -
\??\c:\bhnbbt.exec:\bhnbbt.exe33⤵
- Executes dropped EXE
PID:2748 -
\??\c:\tnhhnb.exec:\tnhhnb.exe34⤵
- Executes dropped EXE
PID:2760 -
\??\c:\pjdpd.exec:\pjdpd.exe35⤵
- Executes dropped EXE
PID:1608 -
\??\c:\xxlrflf.exec:\xxlrflf.exe36⤵
- Executes dropped EXE
PID:2872 -
\??\c:\1xxfrrx.exec:\1xxfrrx.exe37⤵
- Executes dropped EXE
PID:2100 -
\??\c:\7thhnn.exec:\7thhnn.exe38⤵
- Executes dropped EXE
PID:2700 -
\??\c:\nbtnnh.exec:\nbtnnh.exe39⤵
- Executes dropped EXE
PID:2840 -
\??\c:\vjppv.exec:\vjppv.exe40⤵
- Executes dropped EXE
PID:2536 -
\??\c:\vpjdj.exec:\vpjdj.exe41⤵
- Executes dropped EXE
PID:1496 -
\??\c:\3lfllxf.exec:\3lfllxf.exe42⤵
- Executes dropped EXE
PID:2652 -
\??\c:\bhntnn.exec:\bhntnn.exe43⤵
- Executes dropped EXE
PID:1040 -
\??\c:\btbbbn.exec:\btbbbn.exe44⤵
- Executes dropped EXE
PID:2576 -
\??\c:\ppdpp.exec:\ppdpp.exe45⤵
- Executes dropped EXE
PID:2108 -
\??\c:\vpddp.exec:\vpddp.exe46⤵
- Executes dropped EXE
PID:2112 -
\??\c:\xxxxxrf.exec:\xxxxxrf.exe47⤵
- Executes dropped EXE
PID:1260 -
\??\c:\bhnhnb.exec:\bhnhnb.exe48⤵
- Executes dropped EXE
PID:576 -
\??\c:\3ttbhn.exec:\3ttbhn.exe49⤵
- Executes dropped EXE
PID:332 -
\??\c:\vpdjv.exec:\vpdjv.exe50⤵
- Executes dropped EXE
PID:788 -
\??\c:\jjvjv.exec:\jjvjv.exe51⤵
- Executes dropped EXE
PID:540 -
\??\c:\5ffxfrl.exec:\5ffxfrl.exe52⤵
- Executes dropped EXE
PID:2868 -
\??\c:\hbtttn.exec:\hbtttn.exe53⤵
- Executes dropped EXE
PID:2904 -
\??\c:\bbhbbt.exec:\bbhbbt.exe54⤵
- Executes dropped EXE
PID:2236 -
\??\c:\jpdvp.exec:\jpdvp.exe55⤵
- Executes dropped EXE
PID:1904 -
\??\c:\3jddv.exec:\3jddv.exe56⤵
- Executes dropped EXE
PID:1780 -
\??\c:\7flxffl.exec:\7flxffl.exe57⤵
- Executes dropped EXE
PID:2328 -
\??\c:\hntnth.exec:\hntnth.exe58⤵
- Executes dropped EXE
PID:1524 -
\??\c:\thtbnn.exec:\thtbnn.exe59⤵
- Executes dropped EXE
PID:1688 -
\??\c:\vppdj.exec:\vppdj.exe60⤵
- Executes dropped EXE
PID:3004 -
\??\c:\jddpv.exec:\jddpv.exe61⤵
- Executes dropped EXE
PID:1932 -
\??\c:\9xxlrfr.exec:\9xxlrfr.exe62⤵
- Executes dropped EXE
PID:2064 -
\??\c:\7flrrll.exec:\7flrrll.exe63⤵
- Executes dropped EXE
PID:916 -
\??\c:\nnhnbh.exec:\nnhnbh.exe64⤵
- Executes dropped EXE
PID:852 -
\??\c:\9bnbnn.exec:\9bnbnn.exe65⤵
- Executes dropped EXE
PID:1112 -
\??\c:\dpvvd.exec:\dpvvd.exe66⤵PID:1288
-
\??\c:\flrflfx.exec:\flrflfx.exe67⤵PID:1712
-
\??\c:\xrlxffl.exec:\xrlxffl.exe68⤵PID:1788
-
\??\c:\hbnnnh.exec:\hbnnnh.exe69⤵PID:2304
-
\??\c:\nbbbnn.exec:\nbbbnn.exe70⤵PID:1752
-
\??\c:\jdvjj.exec:\jdvjj.exe71⤵PID:1632
-
\??\c:\vppvj.exec:\vppvj.exe72⤵PID:2960
-
\??\c:\1xrfrrx.exec:\1xrfrrx.exe73⤵PID:1664
-
\??\c:\xxfxllr.exec:\xxfxllr.exe74⤵PID:1440
-
\??\c:\bthnhn.exec:\bthnhn.exe75⤵PID:2300
-
\??\c:\tntthh.exec:\tntthh.exe76⤵PID:2636
-
\??\c:\5rllrxf.exec:\5rllrxf.exe77⤵PID:2736
-
\??\c:\bhbhnn.exec:\bhbhnn.exe78⤵
- System Location Discovery: System Language Discovery
PID:2984 -
\??\c:\htnhtt.exec:\htnhtt.exe79⤵PID:1608
-
\??\c:\dvpvd.exec:\dvpvd.exe80⤵PID:2972
-
\??\c:\vjvdp.exec:\vjvdp.exe81⤵PID:2728
-
\??\c:\9rllxrx.exec:\9rllxrx.exe82⤵PID:2792
-
\??\c:\lffrrrx.exec:\lffrrrx.exe83⤵PID:2556
-
\??\c:\3thbbt.exec:\3thbbt.exe84⤵PID:1636
-
\??\c:\hbbhnt.exec:\hbbhnt.exe85⤵PID:1584
-
\??\c:\pdjdj.exec:\pdjdj.exe86⤵PID:1060
-
\??\c:\fxxxlrx.exec:\fxxxlrx.exe87⤵PID:3040
-
\??\c:\fxrrfrl.exec:\fxrrfrl.exe88⤵PID:2908
-
\??\c:\bbbtth.exec:\bbbtth.exe89⤵PID:2376
-
\??\c:\5hnnnb.exec:\5hnnnb.exe90⤵PID:1672
-
\??\c:\ddddj.exec:\ddddj.exe91⤵PID:1988
-
\??\c:\7pdjp.exec:\7pdjp.exe92⤵PID:2888
-
\??\c:\lrfllrl.exec:\lrfllrl.exe93⤵PID:600
-
\??\c:\fxffrrx.exec:\fxffrrx.exe94⤵PID:2864
-
\??\c:\bththb.exec:\bththb.exe95⤵PID:808
-
\??\c:\7nttbh.exec:\7nttbh.exe96⤵PID:592
-
\??\c:\dvjjd.exec:\dvjjd.exe97⤵PID:2600
-
\??\c:\pjdjj.exec:\pjdjj.exe98⤵PID:552
-
\??\c:\ffxfxff.exec:\ffxfxff.exe99⤵PID:2236
-
\??\c:\lfflrfx.exec:\lfflrfx.exe100⤵PID:1756
-
\??\c:\tnbntt.exec:\tnbntt.exe101⤵PID:2316
-
\??\c:\9nhbbb.exec:\9nhbbb.exe102⤵PID:2328
-
\??\c:\jdjpv.exec:\jdjpv.exe103⤵PID:1100
-
\??\c:\7jdjp.exec:\7jdjp.exe104⤵PID:1688
-
\??\c:\frxxxfl.exec:\frxxxfl.exe105⤵PID:2976
-
\??\c:\lffxfxf.exec:\lffxfxf.exe106⤵PID:2088
-
\??\c:\bbtbtb.exec:\bbtbtb.exe107⤵PID:2224
-
\??\c:\nhhbhb.exec:\nhhbhb.exe108⤵PID:916
-
\??\c:\vpjpv.exec:\vpjpv.exe109⤵PID:2856
-
\??\c:\9jvpp.exec:\9jvpp.exe110⤵PID:1512
-
\??\c:\lfffrrx.exec:\lfffrrx.exe111⤵PID:2508
-
\??\c:\llflxfl.exec:\llflxfl.exe112⤵PID:3012
-
\??\c:\9hbhnt.exec:\9hbhnt.exe113⤵PID:2404
-
\??\c:\thhhtt.exec:\thhhtt.exe114⤵PID:1776
-
\??\c:\9jpdp.exec:\9jpdp.exe115⤵PID:2924
-
\??\c:\vjpvj.exec:\vjpvj.exe116⤵PID:796
-
\??\c:\llfxlxf.exec:\llfxlxf.exe117⤵PID:1836
-
\??\c:\lxxxllx.exec:\lxxxllx.exe118⤵PID:2260
-
\??\c:\hbnthh.exec:\hbnthh.exe119⤵PID:1956
-
\??\c:\pdvjp.exec:\pdvjp.exe120⤵PID:2656
-
\??\c:\vvvvv.exec:\vvvvv.exe121⤵
- System Location Discovery: System Language Discovery
PID:2808 -
\??\c:\rlflxlx.exec:\rlflxlx.exe122⤵PID:2664
-