Analysis
- max time kernel: 120s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/12/2024, 02:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8ba26561faf188ebcb38e04a1ec84cadab5ebcef782249b02f9f606e1ab63da2.exe
- Resource: win7-20240903-en
General
- Target: 8ba26561faf188ebcb38e04a1ec84cadab5ebcef782249b02f9f606e1ab63da2.exe
- Size: 454KB
- MD5: e1258f33e37bb8e85519387e4160093e
- SHA1: 2b1ff1bd8a4f316580dc51e2b0bf7933415024c7
- SHA256: 8ba26561faf188ebcb38e04a1ec84cadab5ebcef782249b02f9f606e1ab63da2
- SHA512: 61ca0decd6a4408585497ca2396522a166c74fe39bed95d7647dcfc0ede5906b2a549134f557aa5ba81653df4e23907051117bab59599fc058d1660fef37d823
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAben:q7Tc2NYHUrAwfMp3CDn
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (49 IoCs)

resource (memory dump)                                                   yara_rule
behavioral1/memory/1240-7-0x0000000000400000-0x000000000042A000-memory.dmp      family_blackmoon
behavioral1/memory/2308-20-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
behavioral1/memory/1928-17-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
behavioral1/memory/1720-38-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
behavioral1/memory/2436-85-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
behavioral1/memory/1588-159-0x0000000000350000-0x000000000037A000-memory.dmp    family_blackmoon
behavioral1/memory/1060-170-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/2140-217-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/1508-282-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/1936-307-0x00000000002A0000-0x00000000002CA000-memory.dmp    family_blackmoon
behavioral1/memory/2896-414-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/840-474-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
behavioral1/memory/1536-870-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/2300-975-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/2264-1028-0x00000000003C0000-0x00000000003EA000-memory.dmp   family_blackmoon
behavioral1/memory/2344-982-0x00000000003A0000-0x00000000003CA000-memory.dmp    family_blackmoon
behavioral1/memory/1536-866-0x00000000003B0000-0x00000000003DA000-memory.dmp    family_blackmoon
behavioral1/memory/1292-788-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/1384-544-0x0000000000220000-0x000000000024A000-memory.dmp    family_blackmoon
behavioral1/memory/2576-506-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/1648-441-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/2896-413-0x0000000000220000-0x000000000024A000-memory.dmp    family_blackmoon
behavioral1/memory/1976-393-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/3048-385-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/2408-354-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/2972-341-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/2336-314-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/2504-298-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/1188-270-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/1188-269-0x0000000000220000-0x000000000024A000-memory.dmp    family_blackmoon
behavioral1/memory/2388-260-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/2476-226-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/2476-225-0x0000000001C70000-0x0000000001C9A000-memory.dmp    family_blackmoon
behavioral1/memory/2140-215-0x0000000000230000-0x000000000025A000-memory.dmp    family_blackmoon
behavioral1/memory/2344-207-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/852-197-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
behavioral1/memory/1756-188-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/2656-152-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/2788-142-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/1108-133-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/1108-131-0x00000000002C0000-0x00000000002EA000-memory.dmp    family_blackmoon
behavioral1/memory/1972-122-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/3040-112-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/2872-66-0x0000000000400000-0x000000000042A000-memory.dmp     family_blackmoon
behavioral1/memory/2284-45-0x0000000000230000-0x000000000025A000-memory.dmp     family_blackmoon
behavioral1/memory/2336-1081-0x00000000003B0000-0x00000000003DA000-memory.dmp   family_blackmoon
behavioral1/memory/2284-1093-0x00000000003C0000-0x00000000003EA000-memory.dmp   family_blackmoon
behavioral1/memory/2584-1192-0x00000000001B0000-0x00000000001DA000-memory.dmp   family_blackmoon
behavioral1/memory/2480-1198-0x0000000000220000-0x000000000024A000-memory.dmp   family_blackmoon
- Executes dropped EXE (64 IoCs)

pid    Process
1928   rllrflx.exe
2308   rfxxfxf.exe
1720   dpjdj.exe
2284   1rffflr.exe
2724   ntnhth.exe
2872   jjvpd.exe
2728   9fxxlrx.exe
2436   1dddj.exe
2772   7pjpj.exe
2616   1rfxffl.exe
3040   5nhntb.exe
1972   3jddj.exe
1108   5pddp.exe
2788   hhtbbn.exe
2656   3dpdp.exe
1588   5xrfxfr.exe
1060   fxffrrf.exe
756    tthntb.exe
1756   xxllrrf.exe
852    tthntt.exe
2344   dvjvd.exe
2140   xlxllff.exe
2476   rfrllfr.exe
2980   pjvjp.exe
956    5pddj.exe
2164   xxrxxfl.exe
2388   bnbhnt.exe
1188   vvdpp.exe
1652   7fflrrx.exe
1508   hthhnn.exe
2504   dpjjp.exe
1936   frrflfr.exe
2336   hbnbnh.exe
2544   vjjjv.exe
1712   1rfxfxx.exe
2820   rlfflfr.exe
2972   hnnttn.exe
2384   dvppv.exe
2408   vpdvd.exe
2728   rrllllx.exe
2436   1bntbb.exe
2768   pvddd.exe
3044   llxflrf.exe
3048   nhhhnn.exe
1976   pdvvd.exe
2716   9pjdd.exe
2832   xlxrrrx.exe
2896   ttnntn.exe
1680   vvjvv.exe
1752   7ppdj.exe
2736   5xfllrr.exe
1648   nhthtb.exe
2088   pdpvd.exe
2280   3ddjp.exe
996    frrlfxr.exe
2120   9tthhn.exe
840    htnbnn.exe
2840   dvjvj.exe
2836   1rlxflx.exe
1052   rrflrrx.exe
2276   1tnnnn.exe
2576   pjjjd.exe
2692   lffrfrx.exe
2036   tnbnbn.exe
resource (memory dump)                                                   yara_rule
behavioral1/memory/1240-0-0x0000000000400000-0x000000000042A000-memory.dmp      upx
behavioral1/memory/1240-7-0x0000000000400000-0x000000000042A000-memory.dmp      upx
behavioral1/memory/2308-20-0x0000000000400000-0x000000000042A000-memory.dmp     upx
behavioral1/memory/1928-17-0x0000000000400000-0x000000000042A000-memory.dmp     upx
behavioral1/memory/1720-38-0x0000000000400000-0x000000000042A000-memory.dmp     upx
behavioral1/memory/2436-85-0x0000000000400000-0x000000000042A000-memory.dmp     upx
behavioral1/memory/1060-170-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2140-217-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/1508-282-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2820-327-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2716-394-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2896-414-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/840-474-0x0000000000400000-0x000000000042A000-memory.dmp     upx
behavioral1/memory/1536-870-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2880-889-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2300-975-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2380-1015-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/2784-1001-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/1536-862-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/1292-788-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2912-702-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2576-506-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/840-467-0x0000000000400000-0x000000000042A000-memory.dmp     upx
behavioral1/memory/1648-441-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/1976-393-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/3048-385-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2408-354-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2972-341-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2336-314-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2504-298-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/1188-270-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2388-260-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2476-226-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2344-207-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/852-197-0x0000000000400000-0x000000000042A000-memory.dmp     upx
behavioral1/memory/1756-188-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2656-152-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2788-142-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/1108-133-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/1972-122-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/3040-112-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2872-66-0x0000000000400000-0x000000000042A000-memory.dmp     upx
behavioral1/memory/1928-9-0x0000000000400000-0x000000000042A000-memory.dmp      upx
behavioral1/memory/1944-1047-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/2800-1096-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/2848-1122-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/2040-1129-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/2584-1185-0x0000000000400000-0x000000000042A000-memory.dmp   upx
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description   ioc                                                        Process
All 64 IoCs are the same operation on the same key: "Key opened" \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. The process column, in report order (where the process had already exited the report records "Process not Found"):
Process not Found, Process not Found, tnbbbb.exe, 1jjjv.exe, Process not Found, Process not Found, lfxffrx.exe, 7ppvp.exe, Process not Found, Process not Found, Process not Found, Process not Found, Process not Found, 1jdpd.exe, Process not Found, Process not Found, hbbbnh.exe, tthnhb.exe, Process not Found, Process not Found, Process not Found, Process not Found,
tnbbhn.exe, Process not Found, Process not Found, Process not Found, Process not Found, 7lfxlxr.exe, Process not Found, Process not Found, Process not Found, 7pjpj.exe, Process not Found, Process not Found, Process not Found, Process not Found, Process not Found, Process not Found, Process not Found, 5vpvj.exe, Process not Found, Process not Found, Process not Found, xfxfxlf.exe, 7dpvp.exe,
bbbthn.exe, Process not Found, bbntbh.exe, Process not Found, Process not Found, Process not Found, Process not Found, fxxfrfx.exe, 7rxlllr.exe, jdvdd.exe, Process not Found, Process not Found, 7dppp.exe, Process not Found, Process not Found, Process not Found, Process not Found, Process not Found, Process not Found
- Suspicious use of WriteProcessMemory (64 IoCs)

Each write is recorded four times in the report; the 16 distinct entries are listed once here with the repeat count.

description                          pid    Process                                                                   procid_target   count
PID 1240 wrote to memory of 1928     1240   8ba26561faf188ebcb38e04a1ec84cadab5ebcef782249b02f9f606e1ab63da2.exe    162             4
PID 1928 wrote to memory of 2308     1928   rllrflx.exe                                                               31              4
PID 2308 wrote to memory of 1720     2308   rfxxfxf.exe                                                               32              4
PID 1720 wrote to memory of 2284     1720   dpjdj.exe                                                                 33              4
PID 2284 wrote to memory of 2724     2284   1rffflr.exe                                                               34              4
PID 2724 wrote to memory of 2872     2724   ntnhth.exe                                                                35              4
PID 2872 wrote to memory of 2728     2872   jjvpd.exe                                                                 36              4
PID 2728 wrote to memory of 2436     2728   9fxxlrx.exe                                                               37              4
PID 2436 wrote to memory of 2772     2436   1dddj.exe                                                                 38              4
PID 2772 wrote to memory of 2616     2772   7pjpj.exe                                                                 39              4
PID 2616 wrote to memory of 3040     2616   1rfxffl.exe                                                               40              4
PID 3040 wrote to memory of 1972     3040   5nhntb.exe                                                                41              4
PID 1972 wrote to memory of 1108     1972   3jddj.exe                                                                 42              4
PID 1108 wrote to memory of 2788     1108   5pddp.exe                                                                 43              4
PID 2788 wrote to memory of 2656     2788   hhtbbn.exe                                                                44              4
PID 2656 wrote to memory of 1588     2656   3dpdp.exe                                                                 45              4
Processes

Process tree. Columns: nesting depth in the tree, image path, command line (in parentheses), PID, and the signatures matched by that process (in brackets; none where the report lists none). Each process sits one level below the previous one.

1    C:\Users\Admin\AppData\Local\Temp\8ba26561faf188ebcb38e04a1ec84cadab5ebcef782249b02f9f606e1ab63da2.exe  ("C:\Users\Admin\AppData\Local\Temp\8ba26561faf188ebcb38e04a1ec84cadab5ebcef782249b02f9f606e1ab63da2.exe")  PID 1240  [Suspicious use of WriteProcessMemory]
2    \??\c:\rllrflx.exe  (c:\rllrflx.exe)  PID 1928  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3    \??\c:\rfxxfxf.exe  (c:\rfxxfxf.exe)  PID 2308  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4    \??\c:\dpjdj.exe  (c:\dpjdj.exe)  PID 1720  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5    \??\c:\1rffflr.exe  (c:\1rffflr.exe)  PID 2284  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6    \??\c:\ntnhth.exe  (c:\ntnhth.exe)  PID 2724  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7    \??\c:\jjvpd.exe  (c:\jjvpd.exe)  PID 2872  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8    \??\c:\9fxxlrx.exe  (c:\9fxxlrx.exe)  PID 2728  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9    \??\c:\1dddj.exe  (c:\1dddj.exe)  PID 2436  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10   \??\c:\7pjpj.exe  (c:\7pjpj.exe)  PID 2772  [Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
11   \??\c:\1rfxffl.exe  (c:\1rfxffl.exe)  PID 2616  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12   \??\c:\5nhntb.exe  (c:\5nhntb.exe)  PID 3040  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13   \??\c:\3jddj.exe  (c:\3jddj.exe)  PID 1972  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14   \??\c:\5pddp.exe  (c:\5pddp.exe)  PID 1108  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15   \??\c:\hhtbbn.exe  (c:\hhtbbn.exe)  PID 2788  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16   \??\c:\3dpdp.exe  (c:\3dpdp.exe)  PID 2656  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17   \??\c:\5xrfxfr.exe  (c:\5xrfxfr.exe)  PID 1588  [Executes dropped EXE]
18   \??\c:\fxffrrf.exe  (c:\fxffrrf.exe)  PID 1060  [Executes dropped EXE]
19   \??\c:\tthntb.exe  (c:\tthntb.exe)  PID 756  [Executes dropped EXE]
20   \??\c:\xxllrrf.exe  (c:\xxllrrf.exe)  PID 1756  [Executes dropped EXE]
21   \??\c:\tthntt.exe  (c:\tthntt.exe)  PID 852  [Executes dropped EXE]
22   \??\c:\dvjvd.exe  (c:\dvjvd.exe)  PID 2344  [Executes dropped EXE]
23   \??\c:\xlxllff.exe  (c:\xlxllff.exe)  PID 2140  [Executes dropped EXE]
24   \??\c:\rfrllfr.exe  (c:\rfrllfr.exe)  PID 2476  [Executes dropped EXE]
25   \??\c:\pjvjp.exe  (c:\pjvjp.exe)  PID 2980  [Executes dropped EXE]
26   \??\c:\5pddj.exe  (c:\5pddj.exe)  PID 956  [Executes dropped EXE]
27   \??\c:\xxrxxfl.exe  (c:\xxrxxfl.exe)  PID 2164  [Executes dropped EXE]
28   \??\c:\bnbhnt.exe  (c:\bnbhnt.exe)  PID 2388  [Executes dropped EXE]
29   \??\c:\vvdpp.exe  (c:\vvdpp.exe)  PID 1188  [Executes dropped EXE]
30   \??\c:\7fflrrx.exe  (c:\7fflrrx.exe)  PID 1652  [Executes dropped EXE]
31   \??\c:\hthhnn.exe  (c:\hthhnn.exe)  PID 1508  [Executes dropped EXE]
32   \??\c:\dpjjp.exe  (c:\dpjjp.exe)  PID 2504  [Executes dropped EXE]
33   \??\c:\frrflfr.exe  (c:\frrflfr.exe)  PID 1936  [Executes dropped EXE]
34   \??\c:\hbnbnh.exe  (c:\hbnbnh.exe)  PID 2336  [Executes dropped EXE]
35   \??\c:\vjjjv.exe  (c:\vjjjv.exe)  PID 2544  [Executes dropped EXE]
36   \??\c:\1rfxfxx.exe  (c:\1rfxfxx.exe)  PID 1712  [Executes dropped EXE]
37   \??\c:\rlfflfr.exe  (c:\rlfflfr.exe)  PID 2820  [Executes dropped EXE]
38   \??\c:\hnnttn.exe  (c:\hnnttn.exe)  PID 2972  [Executes dropped EXE]
39   \??\c:\dvppv.exe  (c:\dvppv.exe)  PID 2384  [Executes dropped EXE]
40   \??\c:\vpdvd.exe  (c:\vpdvd.exe)  PID 2408  [Executes dropped EXE]
41   \??\c:\rrllllx.exe  (c:\rrllllx.exe)  PID 2728  [Executes dropped EXE]
42   \??\c:\1bntbb.exe  (c:\1bntbb.exe)  PID 2436  [Executes dropped EXE]
43   \??\c:\pvddd.exe  (c:\pvddd.exe)  PID 2768  [Executes dropped EXE]
44   \??\c:\llxflrf.exe  (c:\llxflrf.exe)  PID 3044  [Executes dropped EXE]
45   \??\c:\nhhhnn.exe  (c:\nhhhnn.exe)  PID 3048  [Executes dropped EXE]
46   \??\c:\pdvvd.exe  (c:\pdvvd.exe)  PID 1976  [Executes dropped EXE]
47   \??\c:\9pjdd.exe  (c:\9pjdd.exe)  PID 2716  [Executes dropped EXE]
48   \??\c:\xlxrrrx.exe  (c:\xlxrrrx.exe)  PID 2832  [Executes dropped EXE]
49   \??\c:\ttnntn.exe  (c:\ttnntn.exe)  PID 2896  [Executes dropped EXE]
50   \??\c:\vvjvv.exe  (c:\vvjvv.exe)  PID 1680  [Executes dropped EXE]
51   \??\c:\7ppdj.exe  (c:\7ppdj.exe)  PID 1752  [Executes dropped EXE]
52   \??\c:\5xfllrr.exe  (c:\5xfllrr.exe)  PID 2736  [Executes dropped EXE]
53   \??\c:\nhthtb.exe  (c:\nhthtb.exe)  PID 1648  [Executes dropped EXE]
54   \??\c:\pdpvd.exe  (c:\pdpvd.exe)  PID 2088  [Executes dropped EXE]
55   \??\c:\3ddjp.exe  (c:\3ddjp.exe)  PID 2280  [Executes dropped EXE]
56   \??\c:\frrlfxr.exe  (c:\frrlfxr.exe)  PID 996  [Executes dropped EXE]
57   \??\c:\9tthhn.exe  (c:\9tthhn.exe)  PID 2120  [Executes dropped EXE]
58   \??\c:\htnbnn.exe  (c:\htnbnn.exe)  PID 840  [Executes dropped EXE]
59   \??\c:\dvjvj.exe  (c:\dvjvj.exe)  PID 2840  [Executes dropped EXE]
60   \??\c:\1rlxflx.exe  (c:\1rlxflx.exe)  PID 2836  [Executes dropped EXE]
61   \??\c:\rrflrrx.exe  (c:\rrflrrx.exe)  PID 1052  [Executes dropped EXE]
62   \??\c:\1tnnnn.exe  (c:\1tnnnn.exe)  PID 2276  [Executes dropped EXE]
63   \??\c:\pjjjd.exe  (c:\pjjjd.exe)  PID 2576  [Executes dropped EXE]
64   \??\c:\lffrfrx.exe  (c:\lffrfrx.exe)  PID 2692  [Executes dropped EXE]
65   \??\c:\tnbnbn.exe  (c:\tnbnbn.exe)  PID 2036  [Executes dropped EXE]
66   \??\c:\tthbnb.exe  (c:\tthbnb.exe)  PID 3032
67   \??\c:\ddvvd.exe  (c:\ddvvd.exe)  PID 1632
68   \??\c:\xfxfxlf.exe  (c:\xfxfxlf.exe)  PID 1132  [System Location Discovery: System Language Discovery]
69   \??\c:\rlflxlr.exe  (c:\rlflxlr.exe)  PID 1384
70   \??\c:\tnhnnt.exe  (c:\tnhnnt.exe)  PID 760
71   \??\c:\hhbnbh.exe  (c:\hhbnbh.exe)  PID 1692
72   \??\c:\jjjdd.exe  (c:\jjjdd.exe)  PID 2248
73   \??\c:\jjpdp.exe  (c:\jjpdp.exe)  PID 2272
74   \??\c:\rfffxxf.exe  (c:\rfffxxf.exe)  PID 2864
75   \??\c:\7lflxxl.exe  (c:\7lflxxl.exe)  PID 2804
76   \??\c:\9nbnbb.exe  (c:\9nbnbb.exe)  PID 2700
77   \??\c:\5ppjp.exe  (c:\5ppjp.exe)  PID 2956
78   \??\c:\vppvj.exe  (c:\vppvj.exe)  PID 1156
79   \??\c:\rrlrffr.exe  (c:\rrlrffr.exe)  PID 2740
80   \??\c:\llflllf.exe  (c:\llflllf.exe)  PID 2868
81   \??\c:\bbtbth.exe  (c:\bbtbth.exe)  PID 2668
82   \??\c:\ntbnbh.exe  (c:\ntbnbh.exe)  PID 2772
83   \??\c:\jjdvp.exe  (c:\jjdvp.exe)  PID 1492
84   \??\c:\ppjpv.exe  (c:\ppjpv.exe)  PID 468
85   \??\c:\llflffx.exe  (c:\llflffx.exe)  PID 292
86   \??\c:\hbbhtt.exe  (c:\hbbhtt.exe)  PID 776
87   \??\c:\bbtbnn.exe  (c:\bbtbnn.exe)  PID 2112
88   \??\c:\jpjvd.exe  (c:\jpjvd.exe)  PID 2888
89   \??\c:\pjvjd.exe  (c:\pjvjd.exe)  PID 2892
90   \??\c:\1fflrrl.exe  (c:\1fflrrl.exe)  PID 2776
91   \??\c:\tttbnh.exe  (c:\tttbnh.exe)  PID 1680
92   \??\c:\9bhhhh.exe  (c:\9bhhhh.exe)  PID 1516
93   \??\c:\pjdjv.exe  (c:\pjdjv.exe)  PID 1160
94   \??\c:\xlxfflx.exe  (c:\xlxfflx.exe)  PID 3056
95   \??\c:\bhbbnt.exe  (c:\bhbbnt.exe)  PID 1940
96   \??\c:\htbttt.exe  (c:\htbttt.exe)  PID 2912
97   \??\c:\1dvdp.exe  (c:\1dvdp.exe)  PID 2288
98   \??\c:\pvjpj.exe  (c:\pvjpj.exe)  PID 996
99   \??\c:\lllrflr.exe  (c:\lllrflr.exe)  PID 408
100  \??\c:\hhbhnt.exe  (c:\hhbhnt.exe)  PID 3000
101  \??\c:\hhbbhh.exe  (c:\hhbbhh.exe)  PID 2608
102  \??\c:\jjdpd.exe  (c:\jjdpd.exe)  PID 2260
103  \??\c:\pjvdd.exe  (c:\pjvdd.exe)  PID 2452
104  \??\c:\xrlllrf.exe  (c:\xrlllrf.exe)  PID 1448
105  \??\c:\htnhth.exe  (c:\htnhth.exe)  PID 2276
106  \??\c:\9nbbnh.exe  (c:\9nbbnh.exe)  PID 1088
107  \??\c:\ddvdp.exe  (c:\ddvdp.exe)  PID 336
108  \??\c:\xrlrrxl.exe  (c:\xrlrrxl.exe)  PID 3028
109  \??\c:\tnbthn.exe  (c:\tnbthn.exe)  PID 1796
110  \??\c:\7bnbtb.exe  (c:\7bnbtb.exe)  PID 1292
111  \??\c:\jdvpj.exe  (c:\jdvpj.exe)  PID 3024
112  \??\c:\djvjj.exe  (c:\djvjj.exe)  PID 1384
113  \??\c:\fxrrffr.exe  (c:\fxrrffr.exe)  PID 2400
114  \??\c:\3hnntn.exe  (c:\3hnntn.exe)  PID 1948
115  \??\c:\thhhtb.exe  (c:\thhhtb.exe)  PID 1664
116  \??\c:\7vdjp.exe  (c:\7vdjp.exe)  PID 1712
117  \??\c:\djvpp.exe  (c:\djvpp.exe)  PID 2724
118  \??\c:\lflrlrx.exe  (c:\lflrlrx.exe)  PID 1284
119  \??\c:\1rffllf.exe  (c:\1rffllf.exe)  PID 2872
120  \??\c:\tnbbhh.exe  (c:\tnbbhh.exe)  PID 2936
121  \??\c:\vpjpp.exe  (c:\vpjpp.exe)  PID 3068
122  \??\c:\vpddd.exe  (c:\vpddd.exe)  PID 1536