Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
05/10/2024, 00:53
Static task
static1
Behavioral task
behavioral1
Sample
9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3.exe
Resource
win7-20240903-en
General
-
Target
9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3.exe
-
Size
333KB
-
MD5
7c6e7b29f0132e1a57d9e08f5246076a
-
SHA1
5b72eed62c110d4b5d22562e83e705faf4fb53ff
-
SHA256
9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3
-
SHA512
faeb515a321d231797f5184a0c6a246455cc284d3f321221aa2f9b3d52beb8b5894c6eccfe447ddee935d1d1e30088e59251d4289f504a99fc86608f1741ed51
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPho:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTY
Malware Config
Signatures
-
Detect Blackmoon payload 57 IoCs
resource yara_rule behavioral1/memory/2104-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-45-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2568-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/856-93-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/856-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/584-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1084-434-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2832-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-447-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/332-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-278-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2784-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1216-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-183-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/584-160-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1684-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-119-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2768-69-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1276-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-502-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1188-526-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2652-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-563-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/772-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1424-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1652-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-717-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1692-744-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2088-785-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2964-797-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2796-863-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2676-876-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2948-890-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2012-928-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1396-1004-0x0000000001B80000-0x0000000001BAA000-memory.dmp family_blackmoon behavioral1/memory/2060-1041-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1600-1080-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2572-1137-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/776-1144-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2672 hhhbnn.exe 2676 jpvjp.exe 2532 1lfrllx.exe 2848 jdvjp.exe 2568 rflflff.exe 2572 3jjjp.exe 2768 1pjdd.exe 264 3lxlrrr.exe 856 bthbhh.exe 1924 jjvvd.exe 2828 rlxxffl.exe 2384 tnbbhn.exe 2012 jdppd.exe 1684 7llrffl.exe 1988 rrlrfxl.exe 1796 9ttbtt.exe 584 bbhbbh.exe 1628 dvjpd.exe 2700 rfxxlff.exe 2320 jdpjp.exe 2400 dvjjp.exe 2328 xrlrfrx.exe 1852 1hnntt.exe 1216 djvdj.exe 3052 rxfxxll.exe 900 5tnnbt.exe 344 jddpd.exe 3044 lxrrxfl.exe 696 3htbhh.exe 2784 1dvvj.exe 2192 xxrrflr.exe 1588 nbnntt.exe 2880 3vjpd.exe 2764 rrxfxfr.exe 2656 9nntbb.exe 2980 pppjp.exe 2684 jjdpv.exe 2568 9lfxxfl.exe 2696 nhthnt.exe 2956 hbnntn.exe 332 9pjjv.exe 536 jdjjp.exe 1812 lfflllr.exe 988 nhhhnt.exe 1924 btnnnt.exe 2820 5jdvv.exe 2384 rlfflfl.exe 2564 fxfxlrl.exe 316 nhtthb.exe 1964 7tbhnt.exe 1140 pdjjp.exe 1380 1xlllll.exe 2176 rlxrxxx.exe 1084 btnnbn.exe 2832 1nthnn.exe 2700 9vvvj.exe 2412 pjdjp.exe 1076 7rxflrx.exe 664 hhbhhn.exe 2884 hthtth.exe 2184 5dvjp.exe 1532 xrffffx.exe 1276 1thntb.exe 1992 9jjdd.exe -
resource yara_rule behavioral1/memory/2104-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/856-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-246-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1216-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1188-526-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2652-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-1151-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlflllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flllxx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7htbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrfxf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2104 wrote to memory of 2672 2104 9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3.exe 30 PID 2104 wrote to memory of 2672 2104 9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3.exe 30 PID 2104 wrote to memory of 2672 2104 9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3.exe 30 PID 2104 wrote to memory of 2672 2104 9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3.exe 30 PID 2672 wrote to memory of 2676 2672 hhhbnn.exe 31 PID 2672 wrote to memory of 2676 2672 hhhbnn.exe 31 PID 2672 wrote to memory of 2676 2672 hhhbnn.exe 31 PID 2672 wrote to memory of 2676 2672 hhhbnn.exe 31 PID 2676 wrote to memory of 2532 2676 jpvjp.exe 32 PID 2676 wrote to memory of 2532 2676 jpvjp.exe 32 PID 2676 wrote to memory of 2532 2676 jpvjp.exe 32 PID 2676 wrote to memory of 2532 2676 jpvjp.exe 32 PID 2532 wrote to memory of 2848 2532 1lfrllx.exe 33 PID 2532 wrote to memory of 2848 2532 1lfrllx.exe 33 PID 2532 wrote to memory of 2848 2532 1lfrllx.exe 33 PID 2532 wrote to memory of 2848 2532 1lfrllx.exe 33 PID 2848 wrote to memory of 2568 2848 jdvjp.exe 67 PID 2848 wrote to memory of 2568 2848 jdvjp.exe 67 PID 2848 wrote to memory of 2568 2848 jdvjp.exe 67 PID 2848 wrote to memory of 2568 2848 jdvjp.exe 67 PID 2568 wrote to memory of 2572 2568 rflflff.exe 35 PID 2568 wrote to memory of 2572 2568 rflflff.exe 35 PID 2568 wrote to memory of 2572 2568 rflflff.exe 35 PID 2568 wrote to memory of 2572 2568 rflflff.exe 35 PID 2572 wrote to memory of 2768 2572 3jjjp.exe 36 PID 2572 wrote to memory of 2768 2572 3jjjp.exe 36 PID 2572 wrote to memory of 2768 2572 3jjjp.exe 36 PID 2572 wrote to memory of 2768 2572 3jjjp.exe 36 PID 2768 wrote to memory of 264 2768 1pjdd.exe 37 PID 2768 wrote to memory of 264 2768 1pjdd.exe 37 PID 2768 wrote to memory of 264 2768 1pjdd.exe 37 PID 2768 wrote to memory of 264 2768 1pjdd.exe 37 PID 264 wrote to memory of 856 264 3lxlrrr.exe 38 PID 264 wrote to memory of 
856 264 3lxlrrr.exe 38 PID 264 wrote to memory of 856 264 3lxlrrr.exe 38 PID 264 wrote to memory of 856 264 3lxlrrr.exe 38 PID 856 wrote to memory of 1924 856 bthbhh.exe 74 PID 856 wrote to memory of 1924 856 bthbhh.exe 74 PID 856 wrote to memory of 1924 856 bthbhh.exe 74 PID 856 wrote to memory of 1924 856 bthbhh.exe 74 PID 1924 wrote to memory of 2828 1924 jjvvd.exe 40 PID 1924 wrote to memory of 2828 1924 jjvvd.exe 40 PID 1924 wrote to memory of 2828 1924 jjvvd.exe 40 PID 1924 wrote to memory of 2828 1924 jjvvd.exe 40 PID 2828 wrote to memory of 2384 2828 rlxxffl.exe 41 PID 2828 wrote to memory of 2384 2828 rlxxffl.exe 41 PID 2828 wrote to memory of 2384 2828 rlxxffl.exe 41 PID 2828 wrote to memory of 2384 2828 rlxxffl.exe 41 PID 2384 wrote to memory of 2012 2384 tnbbhn.exe 42 PID 2384 wrote to memory of 2012 2384 tnbbhn.exe 42 PID 2384 wrote to memory of 2012 2384 tnbbhn.exe 42 PID 2384 wrote to memory of 2012 2384 tnbbhn.exe 42 PID 2012 wrote to memory of 1684 2012 jdppd.exe 43 PID 2012 wrote to memory of 1684 2012 jdppd.exe 43 PID 2012 wrote to memory of 1684 2012 jdppd.exe 43 PID 2012 wrote to memory of 1684 2012 jdppd.exe 43 PID 1684 wrote to memory of 1988 1684 7llrffl.exe 44 PID 1684 wrote to memory of 1988 1684 7llrffl.exe 44 PID 1684 wrote to memory of 1988 1684 7llrffl.exe 44 PID 1684 wrote to memory of 1988 1684 7llrffl.exe 44 PID 1988 wrote to memory of 1796 1988 rrlrfxl.exe 45 PID 1988 wrote to memory of 1796 1988 rrlrfxl.exe 45 PID 1988 wrote to memory of 1796 1988 rrlrfxl.exe 45 PID 1988 wrote to memory of 1796 1988 rrlrfxl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3.exe"C:\Users\Admin\AppData\Local\Temp\9610fac11473242379955c6fff377d2363cc849b32db5ca73cae9dd805a111a3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\hhhbnn.exec:\hhhbnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\jpvjp.exec:\jpvjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\1lfrllx.exec:\1lfrllx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\jdvjp.exec:\jdvjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\rflflff.exec:\rflflff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\3jjjp.exec:\3jjjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\1pjdd.exec:\1pjdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\3lxlrrr.exec:\3lxlrrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\bthbhh.exec:\bthbhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\jjvvd.exec:\jjvvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\rlxxffl.exec:\rlxxffl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\tnbbhn.exec:\tnbbhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\jdppd.exec:\jdppd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\7llrffl.exec:\7llrffl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\rrlrfxl.exec:\rrlrfxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\9ttbtt.exec:\9ttbtt.exe17⤵
- Executes dropped EXE
PID:1796 -
\??\c:\bbhbbh.exec:\bbhbbh.exe18⤵
- Executes dropped EXE
PID:584 -
\??\c:\dvjpd.exec:\dvjpd.exe19⤵
- Executes dropped EXE
PID:1628 -
\??\c:\rfxxlff.exec:\rfxxlff.exe20⤵
- Executes dropped EXE
PID:2700 -
\??\c:\jdpjp.exec:\jdpjp.exe21⤵
- Executes dropped EXE
PID:2320 -
\??\c:\dvjjp.exec:\dvjjp.exe22⤵
- Executes dropped EXE
PID:2400 -
\??\c:\xrlrfrx.exec:\xrlrfrx.exe23⤵
- Executes dropped EXE
PID:2328 -
\??\c:\1hnntt.exec:\1hnntt.exe24⤵
- Executes dropped EXE
PID:1852 -
\??\c:\djvdj.exec:\djvdj.exe25⤵
- Executes dropped EXE
PID:1216 -
\??\c:\rxfxxll.exec:\rxfxxll.exe26⤵
- Executes dropped EXE
PID:3052 -
\??\c:\5tnnbt.exec:\5tnnbt.exe27⤵
- Executes dropped EXE
PID:900 -
\??\c:\jddpd.exec:\jddpd.exe28⤵
- Executes dropped EXE
PID:344 -
\??\c:\lxrrxfl.exec:\lxrrxfl.exe29⤵
- Executes dropped EXE
PID:3044 -
\??\c:\3htbhh.exec:\3htbhh.exe30⤵
- Executes dropped EXE
PID:696 -
\??\c:\1dvvj.exec:\1dvvj.exe31⤵
- Executes dropped EXE
PID:2784 -
\??\c:\xxrrflr.exec:\xxrrflr.exe32⤵
- Executes dropped EXE
PID:2192 -
\??\c:\nbnntt.exec:\nbnntt.exe33⤵
- Executes dropped EXE
PID:1588 -
\??\c:\3vjpd.exec:\3vjpd.exe34⤵
- Executes dropped EXE
PID:2880 -
\??\c:\rrxfxfr.exec:\rrxfxfr.exe35⤵
- Executes dropped EXE
PID:2764 -
\??\c:\9nntbb.exec:\9nntbb.exe36⤵
- Executes dropped EXE
PID:2656 -
\??\c:\pppjp.exec:\pppjp.exe37⤵
- Executes dropped EXE
PID:2980 -
\??\c:\jjdpv.exec:\jjdpv.exe38⤵
- Executes dropped EXE
PID:2684 -
\??\c:\9lfxxfl.exec:\9lfxxfl.exe39⤵
- Executes dropped EXE
PID:2568 -
\??\c:\nhthnt.exec:\nhthnt.exe40⤵
- Executes dropped EXE
PID:2696 -
\??\c:\hbnntn.exec:\hbnntn.exe41⤵
- Executes dropped EXE
PID:2956 -
\??\c:\9pjjv.exec:\9pjjv.exe42⤵
- Executes dropped EXE
PID:332 -
\??\c:\jdjjp.exec:\jdjjp.exe43⤵
- Executes dropped EXE
PID:536 -
\??\c:\lfflllr.exec:\lfflllr.exe44⤵
- Executes dropped EXE
PID:1812 -
\??\c:\nhhhnt.exec:\nhhhnt.exe45⤵
- Executes dropped EXE
PID:988 -
\??\c:\btnnnt.exec:\btnnnt.exe46⤵
- Executes dropped EXE
PID:1924 -
\??\c:\5jdvv.exec:\5jdvv.exe47⤵
- Executes dropped EXE
PID:2820 -
\??\c:\rlfflfl.exec:\rlfflfl.exe48⤵
- Executes dropped EXE
PID:2384 -
\??\c:\fxfxlrl.exec:\fxfxlrl.exe49⤵
- Executes dropped EXE
PID:2564 -
\??\c:\nhtthb.exec:\nhtthb.exe50⤵
- Executes dropped EXE
PID:316 -
\??\c:\7tbhnt.exec:\7tbhnt.exe51⤵
- Executes dropped EXE
PID:1964 -
\??\c:\pdjjp.exec:\pdjjp.exe52⤵
- Executes dropped EXE
PID:1140 -
\??\c:\1xlllll.exec:\1xlllll.exe53⤵
- Executes dropped EXE
PID:1380 -
\??\c:\rlxrxxx.exec:\rlxrxxx.exe54⤵
- Executes dropped EXE
PID:2176 -
\??\c:\btnnbn.exec:\btnnbn.exe55⤵
- Executes dropped EXE
PID:1084 -
\??\c:\1nthnn.exec:\1nthnn.exe56⤵
- Executes dropped EXE
PID:2832 -
\??\c:\9vvvj.exec:\9vvvj.exe57⤵
- Executes dropped EXE
PID:2700 -
\??\c:\pjdjp.exec:\pjdjp.exe58⤵
- Executes dropped EXE
PID:2412 -
\??\c:\7rxflrx.exec:\7rxflrx.exe59⤵
- Executes dropped EXE
PID:1076 -
\??\c:\hhbhhn.exec:\hhbhhn.exe60⤵
- Executes dropped EXE
PID:664 -
\??\c:\hthtth.exec:\hthtth.exe61⤵
- Executes dropped EXE
PID:2884 -
\??\c:\5dvjp.exec:\5dvjp.exe62⤵
- Executes dropped EXE
PID:2184 -
\??\c:\xrffffx.exec:\xrffffx.exe63⤵
- Executes dropped EXE
PID:1532 -
\??\c:\1thntb.exec:\1thntb.exe64⤵
- Executes dropped EXE
PID:1276 -
\??\c:\9jjdd.exec:\9jjdd.exe65⤵
- Executes dropped EXE
PID:1992 -
\??\c:\ffxlrxr.exec:\ffxlrxr.exe66⤵PID:2188
-
\??\c:\3tnthn.exec:\3tnthn.exe67⤵PID:2124
-
\??\c:\dvddj.exec:\dvddj.exe68⤵PID:1800
-
\??\c:\fxxlfrf.exec:\fxxlfrf.exe69⤵PID:1188
-
\??\c:\9bnbhh.exec:\9bnbhh.exe70⤵PID:884
-
\??\c:\5xlrxxf.exec:\5xlrxxf.exe71⤵PID:1564
-
\??\c:\xrfflrx.exec:\xrfflrx.exe72⤵PID:1408
-
\??\c:\pdppv.exec:\pdppv.exe73⤵PID:1596
-
\??\c:\pjvpp.exec:\pjvpp.exe74⤵PID:2652
-
\??\c:\bhhttb.exec:\bhhttb.exe75⤵PID:2716
-
\??\c:\dvdjd.exec:\dvdjd.exe76⤵PID:2632
-
\??\c:\rrllflr.exec:\rrllflr.exe77⤵PID:2548
-
\??\c:\btbnbb.exec:\btbnbb.exe78⤵PID:2452
-
\??\c:\jvdvv.exec:\jvdvv.exe79⤵PID:1908
-
\??\c:\vpddj.exec:\vpddj.exe80⤵PID:2528
-
\??\c:\rxrxlrf.exec:\rxrxlrf.exe81⤵PID:2572
-
\??\c:\1httbh.exec:\1httbh.exe82⤵PID:2952
-
\??\c:\thttbt.exec:\thttbt.exe83⤵PID:2540
-
\??\c:\frxrlrx.exec:\frxrlrx.exe84⤵PID:1696
-
\??\c:\fxlrrlr.exec:\fxlrrlr.exe85⤵PID:756
-
\??\c:\bbhthh.exec:\bbhthh.exe86⤵PID:536
-
\??\c:\5jdpv.exec:\5jdpv.exe87⤵PID:716
-
\??\c:\jdpvj.exec:\jdpvj.exe88⤵PID:772
-
\??\c:\rfrlrlx.exec:\rfrlrlx.exe89⤵PID:2004
-
\??\c:\5hnnhn.exec:\5hnnhn.exe90⤵PID:1948
-
\??\c:\jvdjj.exec:\jvdjj.exe91⤵PID:1672
-
\??\c:\xflxxll.exec:\xflxxll.exe92⤵PID:1488
-
\??\c:\nbnhnt.exec:\nbnhnt.exe93⤵PID:1424
-
\??\c:\pjvdj.exec:\pjvdj.exe94⤵PID:632
-
\??\c:\vvdjp.exec:\vvdjp.exe95⤵PID:2364
-
\??\c:\5lrlllr.exec:\5lrlllr.exe96⤵PID:2620
-
\??\c:\nhtbbh.exec:\nhtbbh.exe97⤵PID:1628
-
\??\c:\vjpvv.exec:\vjpvv.exe98⤵PID:1652
-
\??\c:\pdddd.exec:\pdddd.exe99⤵PID:2432
-
\??\c:\rlrfrfl.exec:\rlrfrfl.exe100⤵PID:2412
-
\??\c:\9nbbnn.exec:\9nbbnn.exe101⤵PID:1076
-
\??\c:\vjvvv.exec:\vjvvv.exe102⤵PID:664
-
\??\c:\5jvvp.exec:\5jvvp.exe103⤵PID:1692
-
\??\c:\rllrfxx.exec:\rllrfxx.exe104⤵PID:2184
-
\??\c:\7bhhnh.exec:\7bhhnh.exe105⤵PID:1936
-
\??\c:\dvjdj.exec:\dvjdj.exe106⤵PID:604
-
\??\c:\dddpv.exec:\dddpv.exe107⤵PID:1008
-
\??\c:\rlrxxfl.exec:\rlrxxfl.exe108⤵PID:2188
-
\??\c:\hhnbnt.exec:\hhnbnt.exe109⤵PID:2088
-
\??\c:\vvppp.exec:\vvppp.exe110⤵PID:796
-
\??\c:\rlflxxl.exec:\rlflxxl.exe111⤵PID:2964
-
\??\c:\7lrxfff.exec:\7lrxfff.exe112⤵PID:884
-
\??\c:\nnbnht.exec:\nnbnht.exe113⤵PID:2192
-
\??\c:\jjdjj.exec:\jjdjj.exe114⤵PID:1588
-
\??\c:\vvppj.exec:\vvppj.exe115⤵PID:308
-
\??\c:\9fxflxf.exec:\9fxflxf.exe116⤵PID:2640
-
\??\c:\xlffrrr.exec:\xlffrrr.exe117⤵PID:2764
-
\??\c:\hbtbhh.exec:\hbtbhh.exe118⤵PID:888
-
\??\c:\ppdjv.exec:\ppdjv.exe119⤵PID:2524
-
\??\c:\rxxrxxl.exec:\rxxrxxl.exe120⤵PID:1732
-
\??\c:\xrflflx.exec:\xrflflx.exe121⤵PID:2796
-
\??\c:\bttnhn.exec:\bttnhn.exe122⤵PID:2544