Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2024, 01:57 UTC
Behavioral task: behavioral1
- Sample: c74448b2757dda856fae26f3bc86f639c5e509b42b28297787d19ca777ea7d35.exe
- Resource: win7-20240903-en
- 6 signatures
- 150 seconds
General
- Target: c74448b2757dda856fae26f3bc86f639c5e509b42b28297787d19ca777ea7d35.exe
- Size: 367KB
- MD5: bbf4041171bca5e329ba59279508b9e6
- SHA1: 61d7616669cabd72a5dcdabc34c05870690f475b
- SHA256: c74448b2757dda856fae26f3bc86f639c5e509b42b28297787d19ca777ea7d35
- SHA512: ebf67bfcae114b5de4c1c9e155ea719ea5eed5db49b19bb209990e49b4e2702e02366f136748b0979679bda0bbdf71d08c08f98eea79f9938c3b201898b5f4cc
- SSDEEP: 6144:9cm4FmowdHoSdSyEAxyx/ZrTTr4qIMgE8S:/4wFHoSQuxy3rTXIM18S
Malware Config
Signatures
- Detect Blackmoon payload (57 IoCs; yara rule family_blackmoon matched on memory dumps of the sample and the dropped processes)
- Executes dropped EXE (64 IoCs; the dropped executables and their PIDs are listed in the process tree below)
- upx (yara rule matched on the dropped files and on memory dumps of the sample and the dropped processes)
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  ioc: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, recorded 64 times; a few entries are attributed to dropped processes (e.g. 3vpdp.exe, ddppv.exe, lxflrxf.exe), most to "Process not Found" because the short-lived process had already exited when the event was attributed.
- Suspicious use of WriteProcessMemory (64 IoCs; each process in the chain below writes into the memory of the child it spawns, starting with PID 2512 writing to 2880)
Processes
Each process below is spawned by the one above it; the leading number is the nesting depth shown on the page. Entries without tags triggered no signature.

1. C:\Users\Admin\AppData\Local\Temp\c74448b2757dda856fae26f3bc86f639c5e509b42b28297787d19ca777ea7d35.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\c74448b2757dda856fae26f3bc86f639c5e509b42b28297787d19ca777ea7d35.exe") PID:2512 [Suspicious use of WriteProcessMemory]
2. \??\c:\vvpdp.exe (cmd: c:\vvpdp.exe) PID:2880 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3. \??\c:\llrlfrf.exe (cmd: c:\llrlfrf.exe) PID:320 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4. \??\c:\xxxlxlr.exe (cmd: c:\xxxlxlr.exe) PID:3044 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5. \??\c:\ththbn.exe (cmd: c:\ththbn.exe) PID:2676 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6. \??\c:\tnhhtt.exe (cmd: c:\tnhhtt.exe) PID:2820 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7. \??\c:\jpjjd.exe (cmd: c:\jpjjd.exe) PID:1920 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8. \??\c:\llrxrrf.exe (cmd: c:\llrxrrf.exe) PID:2804 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9. \??\c:\7bnnnb.exe (cmd: c:\7bnnnb.exe) PID:2672 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10. \??\c:\1nnhht.exe (cmd: c:\1nnhht.exe) PID:2540 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11. \??\c:\5vvvj.exe (cmd: c:\5vvvj.exe) PID:2656 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12. \??\c:\pppjv.exe (cmd: c:\pppjv.exe) PID:1960 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13. \??\c:\rrlrfrx.exe (cmd: c:\rrlrfrx.exe) PID:636 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14. \??\c:\1tttnt.exe (cmd: c:\1tttnt.exe) PID:2760 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15. \??\c:\ffxflrl.exe (cmd: c:\ffxflrl.exe) PID:1756 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16. \??\c:\fxrfrfx.exe (cmd: c:\fxrfrfx.exe) PID:1852 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17. \??\c:\btttbn.exe (cmd: c:\btttbn.exe) PID:2360 [Executes dropped EXE]
18. \??\c:\3tbttn.exe (cmd: c:\3tbttn.exe) PID:1936 [Executes dropped EXE]
19. \??\c:\tntbhn.exe (cmd: c:\tntbhn.exe) PID:768 [Executes dropped EXE]
20. \??\c:\vvvpj.exe (cmd: c:\vvvpj.exe) PID:2948 [Executes dropped EXE]
21. \??\c:\3xflxff.exe (cmd: c:\3xflxff.exe) PID:2108 [Executes dropped EXE]
22. \??\c:\vdvpj.exe (cmd: c:\vdvpj.exe) PID:2632 [Executes dropped EXE]
23. \??\c:\ttnbth.exe (cmd: c:\ttnbth.exe) PID:2516 [Executes dropped EXE]
24. \??\c:\dvvdp.exe (cmd: c:\dvvdp.exe) PID:3024 [Executes dropped EXE]
25. \??\c:\ntnbtb.exe (cmd: c:\ntnbtb.exe) PID:1624 [Executes dropped EXE]
26. \??\c:\vdpjj.exe (cmd: c:\vdpjj.exe) PID:2224 [Executes dropped EXE]
27. \??\c:\llflrxl.exe (cmd: c:\llflrxl.exe) PID:1680 [Executes dropped EXE]
28. \??\c:\1bnnhh.exe (cmd: c:\1bnnhh.exe) PID:2380 [Executes dropped EXE]
29. \??\c:\hbbbht.exe (cmd: c:\hbbbht.exe) PID:1684 [Executes dropped EXE]
30. \??\c:\jvddd.exe (cmd: c:\jvddd.exe) PID:2468 [Executes dropped EXE]
31. \??\c:\bhbhhn.exe (cmd: c:\bhbhhn.exe) PID:2496 [Executes dropped EXE]
32. \??\c:\hbtbtb.exe (cmd: c:\hbtbtb.exe) PID:1028 [Executes dropped EXE]
33. \??\c:\lfrlxxf.exe (cmd: c:\lfrlxxf.exe) PID:2488 [Executes dropped EXE]
34. \??\c:\nhbnbb.exe (cmd: c:\nhbnbb.exe) PID:2504 [Executes dropped EXE]
35. \??\c:\5vjpj.exe (cmd: c:\5vjpj.exe) PID:2832 [Executes dropped EXE]
36. \??\c:\frflllx.exe (cmd: c:\frflllx.exe) PID:824 [Executes dropped EXE]
37. \??\c:\rlxrfxf.exe (cmd: c:\rlxrfxf.exe) PID:2748 [Executes dropped EXE]
38. \??\c:\hbntbb.exe (cmd: c:\hbntbb.exe) PID:2140 [Executes dropped EXE]
39. \??\c:\3pdjd.exe (cmd: c:\3pdjd.exe) PID:2640 [Executes dropped EXE]
40. \??\c:\ddppv.exe (cmd: c:\ddppv.exe) PID:1596 [Executes dropped EXE]
41. \??\c:\5xlxrrx.exe (cmd: c:\5xlxrrx.exe) PID:2824 [Executes dropped EXE]
42. \??\c:\nhnbhb.exe (cmd: c:\nhnbhb.exe) PID:2792 [Executes dropped EXE]
43. \??\c:\btnhnn.exe (cmd: c:\btnhnn.exe) PID:2672 [Executes dropped EXE]
44. \??\c:\dpjpv.exe (cmd: c:\dpjpv.exe) PID:2848 [Executes dropped EXE]
45. \??\c:\rrfrfrf.exe (cmd: c:\rrfrfrf.exe) PID:2192 [Executes dropped EXE]
46. \??\c:\1lfxfxf.exe (cmd: c:\1lfxfxf.exe) PID:2584 [Executes dropped EXE]
47. \??\c:\9bthbt.exe (cmd: c:\9bthbt.exe) PID:2800 [Executes dropped EXE]
48. \??\c:\1pdvj.exe (cmd: c:\1pdvj.exe) PID:2288 [Executes dropped EXE]
49. \??\c:\7pdpd.exe (cmd: c:\7pdpd.exe) PID:2720 [Executes dropped EXE]
50. \??\c:\ffrxlfr.exe (cmd: c:\ffrxlfr.exe) PID:3068 [Executes dropped EXE]
51. \??\c:\xrflrrf.exe (cmd: c:\xrflrrf.exe) PID:1512 [Executes dropped EXE]
52. \??\c:\bbbhnn.exe (cmd: c:\bbbhnn.exe) PID:2868 [Executes dropped EXE]
53. \??\c:\vpjvj.exe (cmd: c:\vpjvj.exe) PID:1780 [Executes dropped EXE]
54. \??\c:\jjvjp.exe (cmd: c:\jjvjp.exe) PID:1448 [Executes dropped EXE]
55. \??\c:\rllflfl.exe (cmd: c:\rllflfl.exe) PID:2636 [Executes dropped EXE]
56. \??\c:\lxxllrr.exe (cmd: c:\lxxllrr.exe) PID:2020 [Executes dropped EXE]
57. \??\c:\thtthh.exe (cmd: c:\thtthh.exe) PID:2872 [Executes dropped EXE]
58. \??\c:\3pddj.exe (cmd: c:\3pddj.exe) PID:2576 [Executes dropped EXE]
59. \??\c:\rlflxxl.exe (cmd: c:\rlflxxl.exe) PID:3020 [Executes dropped EXE]
60. \??\c:\btntnn.exe (cmd: c:\btntnn.exe) PID:2188 [Executes dropped EXE]
61. \??\c:\9bbhhn.exe (cmd: c:\9bbhhn.exe) PID:1940 [Executes dropped EXE]
62. \??\c:\ddvpp.exe (cmd: c:\ddvpp.exe) PID:1240 [Executes dropped EXE]
63. \??\c:\lrlrflf.exe (cmd: c:\lrlrflf.exe) PID:2092 [Executes dropped EXE]
64. \??\c:\7xllrxl.exe (cmd: c:\7xllrxl.exe) PID:2920 [Executes dropped EXE]
65. \??\c:\hbhbhh.exe (cmd: c:\hbhbhh.exe) PID:764 [Executes dropped EXE]
66. \??\c:\pjdjp.exe (cmd: c:\pjdjp.exe) PID:3024
67. \??\c:\1dvvj.exe (cmd: c:\1dvvj.exe) PID:3040
68. \??\c:\fflrxrl.exe (cmd: c:\fflrxrl.exe) PID:1068
69. \??\c:\bbthth.exe (cmd: c:\bbthth.exe) PID:1540
70. \??\c:\vpvpv.exe (cmd: c:\vpvpv.exe) PID:2168
71. \??\c:\ddvjp.exe (cmd: c:\ddvjp.exe) PID:1804
72. \??\c:\xfrfrlr.exe (cmd: c:\xfrfrlr.exe) PID:1684
73. \??\c:\bthnbn.exe (cmd: c:\bthnbn.exe) PID:1812
74. \??\c:\hnnbhn.exe (cmd: c:\hnnbhn.exe) PID:2292
75. \??\c:\7jpvp.exe (cmd: c:\7jpvp.exe) PID:1076
76. \??\c:\xrlfrfx.exe (cmd: c:\xrlfrfx.exe) PID:2052
77. \??\c:\3nbhtt.exe (cmd: c:\3nbhtt.exe) PID:1872
78. \??\c:\nhtbtb.exe (cmd: c:\nhtbtb.exe) PID:2876
79. \??\c:\vddjp.exe (cmd: c:\vddjp.exe) PID:2616
80. \??\c:\rllrxxx.exe (cmd: c:\rllrxxx.exe) PID:2732
81. \??\c:\rrflfll.exe (cmd: c:\rrflfll.exe) PID:2736
82. \??\c:\hbnbtb.exe (cmd: c:\hbnbtb.exe) PID:2688
83. \??\c:\vvppd.exe (cmd: c:\vvppd.exe) PID:1600
84. \??\c:\lfrrffx.exe (cmd: c:\lfrrffx.exe) PID:2696
85. \??\c:\lxrlrlr.exe (cmd: c:\lxrlrlr.exe) PID:2836
86. \??\c:\9ththh.exe (cmd: c:\9ththh.exe) PID:1316
87. \??\c:\dpvpp.exe (cmd: c:\dpvpp.exe) PID:2788
88. \??\c:\pvvdd.exe (cmd: c:\pvvdd.exe) PID:2984
89. \??\c:\1xfxflx.exe (cmd: c:\1xfxflx.exe) PID:2568
90. \??\c:\tttthn.exe (cmd: c:\tttthn.exe) PID:2556
91. \??\c:\btnbnb.exe (cmd: c:\btnbnb.exe) PID:2112
92. \??\c:\ddjpd.exe (cmd: c:\ddjpd.exe) PID:1676
93. \??\c:\rrxlxrl.exe (cmd: c:\rrxlxrl.exe) PID:2668
94. \??\c:\xxfxllx.exe (cmd: c:\xxfxllx.exe) PID:1488
95. \??\c:\nnhtht.exe (cmd: c:\nnhtht.exe) PID:2760
96. \??\c:\3vpvj.exe (cmd: c:\3vpvj.exe) PID:664
97. \??\c:\pppdp.exe (cmd: c:\pppdp.exe) PID:1444
98. \??\c:\rxrlflx.exe (cmd: c:\rxrlflx.exe) PID:2524
99. \??\c:\9xllxrl.exe (cmd: c:\9xllxrl.exe) PID:804
100. \??\c:\tbbbtn.exe (cmd: c:\tbbbtn.exe) PID:1704
101. \??\c:\jjpvj.exe (cmd: c:\jjpvj.exe) PID:3012
102. \??\c:\jjjjj.exe (cmd: c:\jjjjj.exe) PID:3036
103. \??\c:\fflrlrl.exe (cmd: c:\fflrlrl.exe) PID:2968
104. \??\c:\bhnntb.exe (cmd: c:\bhnntb.exe) PID:2300
105. \??\c:\nhbbth.exe (cmd: c:\nhbbth.exe) PID:2136
106. \??\c:\7vdjj.exe (cmd: c:\7vdjj.exe) PID:2716
107. \??\c:\xrlllfr.exe (cmd: c:\xrlllfr.exe) PID:1240
108. \??\c:\3fxfrxf.exe (cmd: c:\3fxfrxf.exe) PID:3008
109. \??\c:\ttbhtb.exe (cmd: c:\ttbhtb.exe) PID:964
110. \??\c:\5dpvp.exe (cmd: c:\5dpvp.exe) PID:1792
111. \??\c:\vvpjv.exe (cmd: c:\vvpjv.exe) PID:3024
112. \??\c:\xrlllrx.exe (cmd: c:\xrlllrx.exe) PID:2152
113. \??\c:\nhbbhn.exe (cmd: c:\nhbbhn.exe) PID:1068
114. \??\c:\3hbnth.exe (cmd: c:\3hbnth.exe) PID:1808
115. \??\c:\3vvjd.exe (cmd: c:\3vvjd.exe) PID:848
116. \??\c:\pjvjv.exe (cmd: c:\pjvjv.exe) PID:2908
117. \??\c:\rlllxfl.exe (cmd: c:\rlllxfl.exe) PID:2332
118. \??\c:\hhbnth.exe (cmd: c:\hhbnth.exe) PID:3032
119. \??\c:\nbhbbn.exe (cmd: c:\nbhbbn.exe) PID:924
120. \??\c:\dpddj.exe (cmd: c:\dpddj.exe) PID:2952
121. \??\c:\9xrlfrl.exe (cmd: c:\9xrlfrl.exe) PID:2204
122. \??\c:\frlfrrf.exe (cmd: c:\frlfrrf.exe) PID:2460