Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 19/12/2024, 00:31
Behavioral task: behavioral1
Sample: c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe
Resource: win7-20241010-en
General
Target: c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe
Size: 332KB
MD5: 557ed787bced7e444ccf6021227a8ce7
SHA1: 6ea7f7320f3ba030684e9d43f93f296ca0385f44
SHA256: c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6
SHA512: 719708aaf8303f4a08f06960bbcf3bca67699d9c006af778eb6f293b074e318c227c0fdcd591872f7b2407fe095c8138f3c9933f2e3b179373574f63ba8566de
SSDEEP: 6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeHN:R4wFHoSHYHUrAwfMp3CDHN
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (43 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry lists the process tree depth, the image path, the command line and the PID, followed by the signatures that matched for that process.
1  C:\Users\Admin\AppData\Local\Temp\c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe  "C:\Users\Admin\AppData\Local\Temp\c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe"  PID:2772
   - Suspicious use of WriteProcessMemory
2  \??\c:\dxvjbb.exe  c:\dxvjbb.exe  PID:2848
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3  \??\c:\nfhbd.exe  c:\nfhbd.exe  PID:2780
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4  \??\c:\jfvrtr.exe  c:\jfvrtr.exe  PID:3064
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5  \??\c:\hhndtbb.exe  c:\hhndtbb.exe  PID:2904
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6  \??\c:\jxbbnx.exe  c:\jxbbnx.exe  PID:2060
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7  \??\c:\bpxpfh.exe  c:\bpxpfh.exe  PID:2680
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8  \??\c:\dpfbt.exe  c:\dpfbt.exe  PID:2256
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9  \??\c:\jttnnbl.exe  c:\jttnnbl.exe  PID:1988
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10  \??\c:\vjntpbv.exe  c:\vjntpbv.exe  PID:1920
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11  \??\c:\frdxh.exe  c:\frdxh.exe  PID:2820
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12  \??\c:\xvfltb.exe  c:\xvfltb.exe  PID:2436
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13  \??\c:\xxtfv.exe  c:\xxtfv.exe  PID:3024
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14  \??\c:\xblltr.exe  c:\xblltr.exe  PID:1572
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15  \??\c:\trvpvxt.exe  c:\trvpvxt.exe  PID:1480
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16  \??\c:\fthfthx.exe  c:\fthfthx.exe  PID:2956
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17  \??\c:\hbddj.exe  c:\hbddj.exe  PID:1120
   - Executes dropped EXE
18  \??\c:\ndtbjd.exe  c:\ndtbjd.exe  PID:1388
   - Executes dropped EXE
19  \??\c:\lddbxxd.exe  c:\lddbxxd.exe  PID:2000
   - Executes dropped EXE
20  \??\c:\nhjffx.exe  c:\nhjffx.exe  PID:2376
   - Executes dropped EXE
21  \??\c:\fhphv.exe  c:\fhphv.exe  PID:2164
   - Executes dropped EXE
22  \??\c:\nbvxp.exe  c:\nbvxp.exe  PID:2388
   - Executes dropped EXE
23  \??\c:\hvvjlnr.exe  c:\hvvjlnr.exe  PID:2468
   - Executes dropped EXE
24  \??\c:\jpthl.exe  c:\jpthl.exe  PID:1960
   - Executes dropped EXE
25  \??\c:\xvfllvf.exe  c:\xvfllvf.exe  PID:388
   - Executes dropped EXE
26  \??\c:\npjxxbh.exe  c:\npjxxbh.exe  PID:612
   - Executes dropped EXE
27  \??\c:\dbtvtdf.exe  c:\dbtvtdf.exe  PID:2524
   - Executes dropped EXE
28  \??\c:\ljpnj.exe  c:\ljpnj.exe  PID:1812
   - Executes dropped EXE
29  \??\c:\lljnhj.exe  c:\lljnhj.exe  PID:1292
   - Executes dropped EXE
30  \??\c:\vrhvvxt.exe  c:\vrhvvxt.exe  PID:1764
   - Executes dropped EXE
31  \??\c:\pblltb.exe  c:\pblltb.exe  PID:2576
   - Executes dropped EXE
32  \??\c:\vppjxp.exe  c:\vppjxp.exe  PID:2540
   - Executes dropped EXE
33  \??\c:\tbrtr.exe  c:\tbrtr.exe  PID:1848
   - Executes dropped EXE
34  \??\c:\nnbxjfv.exe  c:\nnbxjfv.exe  PID:1488
   - Executes dropped EXE
35  \??\c:\hppxtdp.exe  c:\hppxtdp.exe  PID:1676
   - Executes dropped EXE
36  \??\c:\bjdrlxp.exe  c:\bjdrlxp.exe  PID:1504
   - Executes dropped EXE
37  \??\c:\lxdjdnp.exe  c:\lxdjdnp.exe  PID:2360
   - Executes dropped EXE
38  \??\c:\xfbnf.exe  c:\xfbnf.exe  PID:992
   - Executes dropped EXE
39  \??\c:\fvbtl.exe  c:\fvbtl.exe  PID:2788
40  \??\c:\pnvjv.exe  c:\pnvjv.exe  PID:2844
   - Executes dropped EXE
41  \??\c:\pbvjn.exe  c:\pbvjn.exe  PID:1596
   - Executes dropped EXE
42  \??\c:\prdbvxx.exe  c:\prdbvxx.exe  PID:2896
   - Executes dropped EXE
43  \??\c:\lnhtnn.exe  c:\lnhtnn.exe  PID:2200
   - Executes dropped EXE
44  \??\c:\ffppp.exe  c:\ffppp.exe  PID:3044
   - Executes dropped EXE
45  \??\c:\hlblnjn.exe  c:\hlblnjn.exe  PID:2796
   - Executes dropped EXE
46  \??\c:\vdrrvj.exe  c:\vdrrvj.exe  PID:2904
   - Executes dropped EXE
47  \??\c:\pbjjtjn.exe  c:\pbjjtjn.exe  PID:2668
   - Executes dropped EXE
48  \??\c:\pppjpn.exe  c:\pppjpn.exe  PID:2800
   - Executes dropped EXE
49  \??\c:\hbrrnbl.exe  c:\hbrrnbl.exe  PID:2108
   - Executes dropped EXE
50  \??\c:\nphdrd.exe  c:\nphdrd.exe  PID:632
   - Executes dropped EXE
51  \??\c:\trhvbn.exe  c:\trhvbn.exe  PID:2020
   - Executes dropped EXE
52  \??\c:\jrpjtxh.exe  c:\jrpjtxh.exe  PID:2140
   - Executes dropped EXE
53  \??\c:\dlhtfh.exe  c:\dlhtfh.exe  PID:2128
   - Executes dropped EXE
54  \??\c:\txhdp.exe  c:\txhdp.exe  PID:1680
   - Executes dropped EXE
55  \??\c:\vdhvd.exe  c:\vdhvd.exe  PID:2928
   - Executes dropped EXE
56  \??\c:\lvlxdt.exe  c:\lvlxdt.exe  PID:3012
   - Executes dropped EXE
57  \??\c:\hvbpl.exe  c:\hvbpl.exe  PID:2624
   - Executes dropped EXE
58  \??\c:\nxjjhnl.exe  c:\nxjjhnl.exe  PID:1140
   - Executes dropped EXE
59  \??\c:\xhtpn.exe  c:\xhtpn.exe  PID:2988
   - Executes dropped EXE
60  \??\c:\bvhvh.exe  c:\bvhvh.exe  PID:2992
   - Executes dropped EXE
61  \??\c:\xbxhv.exe  c:\xbxhv.exe  PID:2404
   - Executes dropped EXE
62  \??\c:\xlrlj.exe  c:\xlrlj.exe  PID:320
   - Executes dropped EXE
63  \??\c:\vvhfv.exe  c:\vvhfv.exe  PID:672
   - Executes dropped EXE
64  \??\c:\phbftr.exe  c:\phbftr.exe  PID:824
   - Executes dropped EXE
65  \??\c:\fntlr.exe  c:\fntlr.exe  PID:2084
   - Executes dropped EXE
66  \??\c:\njjjx.exe  c:\njjjx.exe  PID:1184
   - Executes dropped EXE
67  \??\c:\nvnrx.exe  c:\nvnrx.exe  PID:2168
68  \??\c:\plbdth.exe  c:\plbdth.exe  PID:2572
69  \??\c:\vvrlbdd.exe  c:\vvrlbdd.exe  PID:2500
70  \??\c:\trhdrjb.exe  c:\trhdrjb.exe  PID:2468
71  \??\c:\prbndb.exe  c:\prbndb.exe  PID:2532
72  \??\c:\xnvjrn.exe  c:\xnvjrn.exe  PID:848
   - System Location Discovery: System Language Discovery
73  \??\c:\lnbfrtd.exe  c:\lnbfrtd.exe  PID:1724
74  \??\c:\ftpthp.exe  c:\ftpthp.exe  PID:612
75  \??\c:\ptfdb.exe  c:\ptfdb.exe  PID:1340
76  \??\c:\htpbb.exe  c:\htpbb.exe  PID:1536
77  \??\c:\nlxph.exe  c:\nlxph.exe  PID:1772
78  \??\c:\dbbffj.exe  c:\dbbffj.exe  PID:788
   - System Location Discovery: System Language Discovery
79  \??\c:\pdvnvpr.exe  c:\pdvnvpr.exe  PID:1464
   - System Location Discovery: System Language Discovery
80  \??\c:\dtlvf.exe  c:\dtlvf.exe  PID:1516
81  \??\c:\brxtl.exe  c:\brxtl.exe  PID:1304
82  \??\c:\xtxhvn.exe  c:\xtxhvn.exe  PID:2220
83  \??\c:\ldnpr.exe  c:\ldnpr.exe  PID:2308
84  \??\c:\hdnjv.exe  c:\hdnjv.exe  PID:2464
85  \??\c:\xtxxh.exe  c:\xtxxh.exe  PID:1816
86  \??\c:\jjdfff.exe  c:\jjdfff.exe  PID:1504
87  \??\c:\brndvxl.exe  c:\brndvxl.exe  PID:2760
88  \??\c:\dnbrhb.exe  c:\dnbrhb.exe  PID:2872
89  \??\c:\vxfrdb.exe  c:\vxfrdb.exe  PID:3068
90  \??\c:\vxrpttb.exe  c:\vxrpttb.exe  PID:2848
91  \??\c:\phnnrf.exe  c:\phnnrf.exe  PID:1600
92  \??\c:\llbvfx.exe  c:\llbvfx.exe  PID:2216
93  \??\c:\phjtjp.exe  c:\phjtjp.exe  PID:2756
94  \??\c:\rfxhn.exe  c:\rfxhn.exe  PID:2664
95  \??\c:\bfrhdp.exe  c:\bfrhdp.exe  PID:2660
96  \??\c:\dlnvbtp.exe  c:\dlnvbtp.exe  PID:1712
97  \??\c:\rbbdt.exe  c:\rbbdt.exe  PID:2828
98  \??\c:\rtvdd.exe  c:\rtvdd.exe  PID:2580
99  \??\c:\jjbrn.exe  c:\jjbrn.exe  PID:2176
100  \??\c:\nxnhp.exe  c:\nxnhp.exe  PID:548
101  \??\c:\jdvph.exe  c:\jdvph.exe  PID:1148
102  \??\c:\lvlrpr.exe  c:\lvlrpr.exe  PID:1728
103  \??\c:\tlxflrh.exe  c:\tlxflrh.exe  PID:2996
104  \??\c:\vjthfn.exe  c:\vjthfn.exe  PID:1492
105  \??\c:\xrbrt.exe  c:\xrbrt.exe  PID:2980
106  \??\c:\rdjrr.exe  c:\rdjrr.exe  PID:1572
107  \??\c:\bdjdjft.exe  c:\bdjdjft.exe  PID:3020
108  \??\c:\flfrfj.exe  c:\flfrfj.exe  PID:2984
   - System Location Discovery: System Language Discovery
109  \??\c:\xdlftxn.exe  c:\xdlftxn.exe  PID:2976
110  \??\c:\rxnljxh.exe  c:\rxnljxh.exe  PID:1992
111  \??\c:\rvrpbvr.exe  c:\rvrpbvr.exe  PID:2404
112  \??\c:\nvhtp.exe  c:\nvhtp.exe  PID:320
113  \??\c:\rjdthtn.exe  c:\rjdthtn.exe  PID:2000
114  \??\c:\tblfv.exe  c:\tblfv.exe  PID:824
115  \??\c:\tfpfxr.exe  c:\tfpfxr.exe  PID:2084
116  \??\c:\bhvxpj.exe  c:\bhvxpj.exe  PID:2372
117  \??\c:\pxlrfr.exe  c:\pxlrfr.exe  PID:2164
118  \??\c:\trfvhrx.exe  c:\trfvhrx.exe  PID:1700
119  \??\c:\hdjdnlf.exe  c:\hdjdnlf.exe  PID:2500
120  \??\c:\hjrnr.exe  c:\hjrnr.exe  PID:1840
121  \??\c:\vrbpxdf.exe  c:\vrbpxdf.exe  PID:2064
122  \??\c:\xnprj.exe  c:\xnprj.exe  PID:952