Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/12/2024, 03:27
Behavioral task: behavioral1
- Sample: 8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe
- Resource: win7-20240903-en
General
- Target: 8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe
- Size: 335KB
- MD5: fffbebd419419d68fa919b6d8095e437
- SHA1: 8a9fb1b714eee344992b92923e0096ffcb1baea9
- SHA256: 8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1
- SHA512: 6a8b882c13f184a0f6c4f1243d37c16c9140e8016a405f5fd2cf8fcf21ccf02c366c38a04f7c0d05769837516d0052f706b7f5ce87c5da93c45c5887cee270e9
- SSDEEP: 6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRt:R4wFHoSHYHUrAwfMp3CDRt
Malware Config

Signatures
- Blackmoon family
- Detect Blackmoon payload (45 IoCs)

resource | yara_rule
behavioral1/memory/1848-1-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2976-14-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1728-18-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2540-25-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1964-33-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2776-41-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2708-58-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2780-55-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2616-67-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/3060-98-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1256-106-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/780-116-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2820-123-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1240-132-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1512-141-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2936-148-0x0000000000230000-0x0000000000257000-memory.dmp | family_blackmoon
behavioral1/memory/2936-150-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1952-159-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2408-176-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1952-165-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1816-192-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/948-203-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1648-231-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1420-248-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2412-274-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2372-291-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1584-302-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2360-313-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1292-336-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/2832-350-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2596-363-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/3068-374-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2828-400-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/772-481-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/576-480-0x00000000001B0000-0x00000000001D7000-memory.dmp | family_blackmoon
behavioral1/memory/892-493-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2052-530-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/3024-548-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2400-558-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/1972-568-0x0000000000230000-0x0000000000257000-memory.dmp | family_blackmoon
behavioral1/memory/2740-589-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/2876-862-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/3040-935-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1260-991-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/2004-14629-0x0000000076D60000-0x0000000076E7F000-memory.dmp | family_blackmoon
- Executes dropped EXE (64 IoCs)

pid | Process
2976 | tnnnbb.exe
1728 | dvjjp.exe
2540 | 5fxlrxf.exe
1964 | 1hntht.exe
2776 | dvvdd.exe
2780 | 5lflxxf.exe
2708 | 9htthh.exe
2616 | 5vjpj.exe
2760 | xrlrxfr.exe
2604 | 5jddv.exe
3060 | llfxfxf.exe
1256 | jjvjv.exe
780 | rlfxlxr.exe
2820 | hnhhtt.exe
1240 | vvjdp.exe
1512 | bbntnt.exe
2936 | 9dpvd.exe
1072 | 5xlxrfr.exe
1952 | 9thntt.exe
2152 | vpdpv.exe
2408 | dvjjj.exe
1816 | xrxfrrf.exe
1124 | 9bnnbh.exe
948 | ttthbh.exe
608 | hbntbh.exe
1544 | jjvvd.exe
1648 | nnhhtb.exe
492 | jdddp.exe
2456 | fflrflf.exe
1420 | 7tnbnn.exe
2100 | pvjjj.exe
2428 | 7frflxl.exe
2412 | tnnhth.exe
1928 | vvppv.exe
2416 | 7llflxl.exe
2372 | 3lffffr.exe
2084 | nthtbt.exe
1584 | vpjdj.exe
1616 | ffxxxfr.exe
2360 | lrrlflx.exe
1292 | hbnnbh.exe
2792 | djdjj.exe
2732 | pppjd.exe
2176 | lxllrxl.exe
2628 | tttbhn.exe
2984 | nnbhhh.exe
2832 | jdvjv.exe
2764 | 1xlxxxl.exe
2596 | hhbnnn.exe
1252 | tnhhtb.exe
2644 | ddvvd.exe
3068 | fxxfrxr.exe
2268 | rlflfxf.exe
836 | hbbhtt.exe
1832 | 3pjpd.exe
2828 | xrrxlrf.exe
2660 | llxfrrf.exe
1240 | 3bhhnt.exe
2692 | dvpdp.exe
2964 | ppjvj.exe
1664 | xlxlrfr.exe
1428 | lffrfrf.exe
1760 | bbbthn.exe
2232 | 3jvdj.exe

resource | yara_rule
behavioral1/memory/1848-1-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x000c00000001226b-5.dat | upx
behavioral1/memory/2976-7-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x000800000001662e-16.dat | upx
behavioral1/memory/2976-14-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1728-18-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0008000000016855-23.dat | upx
behavioral1/memory/2540-25-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1964-33-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0007000000016c62-32.dat | upx
behavioral1/memory/2776-41-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0007000000016c7b-40.dat | upx
behavioral1/files/0x0007000000016c84-48.dat | upx
behavioral1/memory/2708-58-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0009000000016cd1-57.dat | upx
behavioral1/memory/2780-55-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x00060000000173f1-73.dat | upx
behavioral1/memory/2616-67-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0007000000016eca-66.dat | upx
behavioral1/files/0x00060000000173f4-81.dat | upx
behavioral1/files/0x00060000000173fc-89.dat | upx
behavioral1/memory/2604-84-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/3060-96-0x0000000000220000-0x0000000000247000-memory.dmp | upx
behavioral1/files/0x0006000000017472-97.dat | upx
behavioral1/memory/1256-99-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/3060-98-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0006000000017487-107.dat | upx
behavioral1/memory/1256-106-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x00060000000174a2-115.dat | upx
behavioral1/memory/780-116-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0006000000017525-124.dat | upx
behavioral1/memory/2820-123-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0014000000018663-131.dat | upx
behavioral1/memory/1240-132-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1512-141-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x000d00000001866e-140.dat | upx
behavioral1/files/0x0005000000018687-151.dat | upx
behavioral1/memory/2936-150-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0005000000018792-157.dat | upx
behavioral1/memory/1952-159-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0006000000018c1a-166.dat | upx
behavioral1/memory/2408-176-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0006000000018c26-175.dat | upx
behavioral1/memory/2152-167-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1952-165-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/2408-179-0x0000000000220000-0x0000000000247000-memory.dmp | upx
behavioral1/files/0x0009000000016307-186.dat | upx
behavioral1/files/0x0006000000018f53-193.dat | upx
behavioral1/memory/1816-192-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/948-203-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x000600000001903b-202.dat | upx
behavioral1/files/0x00060000000190ce-210.dat | upx
behavioral1/files/0x00060000000190e0-216.dat | upx
behavioral1/files/0x00050000000191d4-223.dat | upx
behavioral1/files/0x00050000000191ff-232.dat | upx
behavioral1/memory/1648-231-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x000500000001922c-239.dat | upx
behavioral1/files/0x0005000000019244-246.dat | upx
behavioral1/memory/1420-248-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0005000000019256-254.dat | upx
behavioral1/files/0x0005000000019259-261.dat | upx
behavioral1/memory/2412-274-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/2372-285-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/2372-291-0x0000000000400000-0x0000000000427000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rlxrxfr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3thhnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | btnbnt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vpdpv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5bttbb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fffxlfl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9pppj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | btntbh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xlxxllx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dvddp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | btnntt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hhhhth.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tnnnbh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5hhnbh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5thtbb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | llrxlrl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7nbnth.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1bthtt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rrfrflx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nnhhnt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
- Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 1848 wrote to memory of 2976 | 1848 | 8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe | 30
PID 1848 wrote to memory of 2976 | 1848 | 8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe | 30
PID 1848 wrote to memory of 2976 | 1848 | 8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe | 30
PID 1848 wrote to memory of 2976 | 1848 | 8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe | 30
PID 2976 wrote to memory of 1728 | 2976 | tnnnbb.exe | 31
PID 2976 wrote to memory of 1728 | 2976 | tnnnbb.exe | 31
PID 2976 wrote to memory of 1728 | 2976 | tnnnbb.exe | 31
PID 2976 wrote to memory of 1728 | 2976 | tnnnbb.exe | 31
PID 1728 wrote to memory of 2540 | 1728 | dvjjp.exe | 32
PID 1728 wrote to memory of 2540 | 1728 | dvjjp.exe | 32
PID 1728 wrote to memory of 2540 | 1728 | dvjjp.exe | 32
PID 1728 wrote to memory of 2540 | 1728 | dvjjp.exe | 32
PID 2540 wrote to memory of 1964 | 2540 | 5fxlrxf.exe | 33
PID 2540 wrote to memory of 1964 | 2540 | 5fxlrxf.exe | 33
PID 2540 wrote to memory of 1964 | 2540 | 5fxlrxf.exe | 33
PID 2540 wrote to memory of 1964 | 2540 | 5fxlrxf.exe | 33
PID 1964 wrote to memory of 2776 | 1964 | 1hntht.exe | 34
PID 1964 wrote to memory of 2776 | 1964 | 1hntht.exe | 34
PID 1964 wrote to memory of 2776 | 1964 | 1hntht.exe | 34
PID 1964 wrote to memory of 2776 | 1964 | 1hntht.exe | 34
PID 2776 wrote to memory of 2780 | 2776 | dvvdd.exe | 35
PID 2776 wrote to memory of 2780 | 2776 | dvvdd.exe | 35
PID 2776 wrote to memory of 2780 | 2776 | dvvdd.exe | 35
PID 2776 wrote to memory of 2780 | 2776 | dvvdd.exe | 35
PID 2780 wrote to memory of 2708 | 2780 | 5lflxxf.exe | 36
PID 2780 wrote to memory of 2708 | 2780 | 5lflxxf.exe | 36
PID 2780 wrote to memory of 2708 | 2780 | 5lflxxf.exe | 36
PID 2780 wrote to memory of 2708 | 2780 | 5lflxxf.exe | 36
PID 2708 wrote to memory of 2616 | 2708 | 9htthh.exe | 37
PID 2708 wrote to memory of 2616 | 2708 | 9htthh.exe | 37
PID 2708 wrote to memory of 2616 | 2708 | 9htthh.exe | 37
PID 2708 wrote to memory of 2616 | 2708 | 9htthh.exe | 37
PID 2616 wrote to memory of 2760 | 2616 | 5vjpj.exe | 38
PID 2616 wrote to memory of 2760 | 2616 | 5vjpj.exe | 38
PID 2616 wrote to memory of 2760 | 2616 | 5vjpj.exe | 38
PID 2616 wrote to memory of 2760 | 2616 | 5vjpj.exe | 38
PID 2760 wrote to memory of 2604 | 2760 | xrlrxfr.exe | 39
PID 2760 wrote to memory of 2604 | 2760 | xrlrxfr.exe | 39
PID 2760 wrote to memory of 2604 | 2760 | xrlrxfr.exe | 39
PID 2760 wrote to memory of 2604 | 2760 | xrlrxfr.exe | 39
PID 2604 wrote to memory of 3060 | 2604 | 5jddv.exe | 40
PID 2604 wrote to memory of 3060 | 2604 | 5jddv.exe | 40
PID 2604 wrote to memory of 3060 | 2604 | 5jddv.exe | 40
PID 2604 wrote to memory of 3060 | 2604 | 5jddv.exe | 40
PID 3060 wrote to memory of 1256 | 3060 | llfxfxf.exe | 41
PID 3060 wrote to memory of 1256 | 3060 | llfxfxf.exe | 41
PID 3060 wrote to memory of 1256 | 3060 | llfxfxf.exe | 41
PID 3060 wrote to memory of 1256 | 3060 | llfxfxf.exe | 41
PID 1256 wrote to memory of 780 | 1256 | jjvjv.exe | 42
PID 1256 wrote to memory of 780 | 1256 | jjvjv.exe | 42
PID 1256 wrote to memory of 780 | 1256 | jjvjv.exe | 42
PID 1256 wrote to memory of 780 | 1256 | jjvjv.exe | 42
PID 780 wrote to memory of 2820 | 780 | rlfxlxr.exe | 43
PID 780 wrote to memory of 2820 | 780 | rlfxlxr.exe | 43
PID 780 wrote to memory of 2820 | 780 | rlfxlxr.exe | 43
PID 780 wrote to memory of 2820 | 780 | rlfxlxr.exe | 43
PID 2820 wrote to memory of 1240 | 2820 | hnhhtt.exe | 44
PID 2820 wrote to memory of 1240 | 2820 | hnhhtt.exe | 44
PID 2820 wrote to memory of 1240 | 2820 | hnhhtt.exe | 44
PID 2820 wrote to memory of 1240 | 2820 | hnhhtt.exe | 44
PID 1240 wrote to memory of 1512 | 1240 | vvjdp.exe | 45
PID 1240 wrote to memory of 1512 | 1240 | vvjdp.exe | 45
PID 1240 wrote to memory of 1512 | 1240 | vvjdp.exe | 45
PID 1240 wrote to memory of 1512 | 1240 | vvjdp.exe | 45
Processes
(each entry: process path, command line, tree depth, PID; signatures triggered by that process are listed beneath it)

- C:\Users\Admin\AppData\Local\Temp\8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe (command line: "C:\Users\Admin\AppData\Local\Temp\8f46d4ff037795e4afe8779fca97e8dac3a022dd2082981f95c80f210cd0fad1.exe"; depth 1; PID 1848)
  - Suspicious use of WriteProcessMemory
- \??\c:\tnnnbb.exe (command line: c:\tnnnbb.exe; depth 2; PID 2976)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\dvjjp.exe (command line: c:\dvjjp.exe; depth 3; PID 1728)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\5fxlrxf.exe (command line: c:\5fxlrxf.exe; depth 4; PID 2540)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\1hntht.exe (command line: c:\1hntht.exe; depth 5; PID 1964)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\dvvdd.exe (command line: c:\dvvdd.exe; depth 6; PID 2776)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\5lflxxf.exe (command line: c:\5lflxxf.exe; depth 7; PID 2780)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\9htthh.exe (command line: c:\9htthh.exe; depth 8; PID 2708)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\5vjpj.exe (command line: c:\5vjpj.exe; depth 9; PID 2616)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\xrlrxfr.exe (command line: c:\xrlrxfr.exe; depth 10; PID 2760)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\5jddv.exe (command line: c:\5jddv.exe; depth 11; PID 2604)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\llfxfxf.exe (command line: c:\llfxfxf.exe; depth 12; PID 3060)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\jjvjv.exe (command line: c:\jjvjv.exe; depth 13; PID 1256)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\rlfxlxr.exe (command line: c:\rlfxlxr.exe; depth 14; PID 780)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\hnhhtt.exe (command line: c:\hnhhtt.exe; depth 15; PID 2820)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\vvjdp.exe (command line: c:\vvjdp.exe; depth 16; PID 1240)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- \??\c:\bbntnt.exe (command line: c:\bbntnt.exe; depth 17; PID 1512)
  - Executes dropped EXE
- \??\c:\9dpvd.exe (command line: c:\9dpvd.exe; depth 18; PID 2936)
  - Executes dropped EXE
- \??\c:\5xlxrfr.exe (command line: c:\5xlxrfr.exe; depth 19; PID 1072)
  - Executes dropped EXE
- \??\c:\9thntt.exe (command line: c:\9thntt.exe; depth 20; PID 1952)
  - Executes dropped EXE
- \??\c:\vpdpv.exe (command line: c:\vpdpv.exe; depth 21; PID 2152)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- \??\c:\dvjjj.exe (command line: c:\dvjjj.exe; depth 22; PID 2408)
  - Executes dropped EXE
- \??\c:\xrxfrrf.exe (command line: c:\xrxfrrf.exe; depth 23; PID 1816)
  - Executes dropped EXE
- \??\c:\9bnnbh.exe (command line: c:\9bnnbh.exe; depth 24; PID 1124)
  - Executes dropped EXE
- \??\c:\ttthbh.exe (command line: c:\ttthbh.exe; depth 25; PID 948)
  - Executes dropped EXE
- \??\c:\hbntbh.exe (command line: c:\hbntbh.exe; depth 26; PID 608)
  - Executes dropped EXE
- \??\c:\jjvvd.exe (command line: c:\jjvvd.exe; depth 27; PID 1544)
  - Executes dropped EXE
- \??\c:\nnhhtb.exe (command line: c:\nnhhtb.exe; depth 28; PID 1648)
  - Executes dropped EXE
- \??\c:\jdddp.exe (command line: c:\jdddp.exe; depth 29; PID 492)
  - Executes dropped EXE
- \??\c:\fflrflf.exe (command line: c:\fflrflf.exe; depth 30; PID 2456)
  - Executes dropped EXE
- \??\c:\7tnbnn.exe (command line: c:\7tnbnn.exe; depth 31; PID 1420)
  - Executes dropped EXE
- \??\c:\pvjjj.exe (command line: c:\pvjjj.exe; depth 32; PID 2100)
  - Executes dropped EXE
- \??\c:\7frflxl.exe (command line: c:\7frflxl.exe; depth 33; PID 2428)
  - Executes dropped EXE
- \??\c:\tnnhth.exe (command line: c:\tnnhth.exe; depth 34; PID 2412)
  - Executes dropped EXE
- \??\c:\vvppv.exe (command line: c:\vvppv.exe; depth 35; PID 1928)
  - Executes dropped EXE
- \??\c:\7llflxl.exe (command line: c:\7llflxl.exe; depth 36; PID 2416)
  - Executes dropped EXE
- \??\c:\3lffffr.exe (command line: c:\3lffffr.exe; depth 37; PID 2372)
  - Executes dropped EXE
- \??\c:\nthtbt.exe (command line: c:\nthtbt.exe; depth 38; PID 2084)
  - Executes dropped EXE
- \??\c:\vpjdj.exe (command line: c:\vpjdj.exe; depth 39; PID 1584)
  - Executes dropped EXE
- \??\c:\ffxxxfr.exe (command line: c:\ffxxxfr.exe; depth 40; PID 1616)
  - Executes dropped EXE
- \??\c:\lrrlflx.exe (command line: c:\lrrlflx.exe; depth 41; PID 2360)
  - Executes dropped EXE
- \??\c:\hbnnbh.exe (command line: c:\hbnnbh.exe; depth 42; PID 1292)
  - Executes dropped EXE
- \??\c:\djdjj.exe (command line: c:\djdjj.exe; depth 43; PID 2792)
  - Executes dropped EXE
- \??\c:\pppjd.exe (command line: c:\pppjd.exe; depth 44; PID 2732)
  - Executes dropped EXE
- \??\c:\lxllrxl.exe (command line: c:\lxllrxl.exe; depth 45; PID 2176)
  - Executes dropped EXE
- \??\c:\tttbhn.exe (command line: c:\tttbhn.exe; depth 46; PID 2628)
  - Executes dropped EXE
- \??\c:\nnbhhh.exe (command line: c:\nnbhhh.exe; depth 47; PID 2984)
  - Executes dropped EXE
- \??\c:\jdvjv.exe (command line: c:\jdvjv.exe; depth 48; PID 2832)
  - Executes dropped EXE
- \??\c:\1xlxxxl.exe (command line: c:\1xlxxxl.exe; depth 49; PID 2764)
  - Executes dropped EXE
- \??\c:\hhbnnn.exe (command line: c:\hhbnnn.exe; depth 50; PID 2596)
  - Executes dropped EXE
- \??\c:\tnhhtb.exe (command line: c:\tnhhtb.exe; depth 51; PID 1252)
  - Executes dropped EXE
- \??\c:\ddvvd.exe (command line: c:\ddvvd.exe; depth 52; PID 2644)
  - Executes dropped EXE
- \??\c:\fxxfrxr.exe (command line: c:\fxxfrxr.exe; depth 53; PID 3068)
  - Executes dropped EXE
- \??\c:\rlflfxf.exe (command line: c:\rlflfxf.exe; depth 54; PID 2268)
  - Executes dropped EXE
- \??\c:\hbbhtt.exe (command line: c:\hbbhtt.exe; depth 55; PID 836)
  - Executes dropped EXE
- \??\c:\3pjpd.exe (command line: c:\3pjpd.exe; depth 56; PID 1832)
  - Executes dropped EXE
- \??\c:\xrrxlrf.exe (command line: c:\xrrxlrf.exe; depth 57; PID 2828)
  - Executes dropped EXE
- \??\c:\llxfrrf.exe (command line: c:\llxfrrf.exe; depth 58; PID 2660)
  - Executes dropped EXE
- \??\c:\3bhhnt.exe (command line: c:\3bhhnt.exe; depth 59; PID 1240)
  - Executes dropped EXE
- \??\c:\dvpdp.exe (command line: c:\dvpdp.exe; depth 60; PID 2692)
  - Executes dropped EXE
- \??\c:\ppjvj.exe (command line: c:\ppjvj.exe; depth 61; PID 2964)
  - Executes dropped EXE
- \??\c:\xlxlrfr.exe (command line: c:\xlxlrfr.exe; depth 62; PID 1664)
  - Executes dropped EXE
- \??\c:\lffrfrf.exe (command line: c:\lffrfrf.exe; depth 63; PID 1428)
  - Executes dropped EXE
- \??\c:\bbbthn.exe (command line: c:\bbbthn.exe; depth 64; PID 1760)
  - Executes dropped EXE
- \??\c:\3jvdj.exe (command line: c:\3jvdj.exe; depth 65; PID 2232)
  - Executes dropped EXE
- \??\c:\pjdpp.exe (command line: c:\pjdpp.exe; depth 66; PID 2040)
- \??\c:\5xflxfr.exe (command line: c:\5xflxfr.exe; depth 67; PID 2528)
- \??\c:\bhhhnt.exe (command line: c:\bhhhnt.exe; depth 68; PID 576)
- \??\c:\nhhnnt.exe (command line: c:\nhhnnt.exe; depth 69; PID 1812)
- \??\c:\ppjdv.exe (command line: c:\ppjdv.exe; depth 70; PID 1184)
- \??\c:\xxxlllf.exe (command line: c:\xxxlllf.exe; depth 71; PID 1612)
- \??\c:\5llfrfl.exe (command line: c:\5llfrfl.exe; depth 72; PID 772)
- \??\c:\bbtbhn.exe (command line: c:\bbtbhn.exe; depth 73; PID 1532)
- \??\c:\pjdvj.exe (command line: c:\pjdvj.exe; depth 74; PID 1656)
- \??\c:\lfxlxlf.exe (command line: c:\lfxlxlf.exe; depth 75; PID 892)
- \??\c:\rlxfrxl.exe (command line: c:\rlxfrxl.exe; depth 76; PID 2000)
- \??\c:\3nhtbn.exe (command line: c:\3nhtbn.exe; depth 77; PID 2168)
- \??\c:\hbbbtb.exe (command line: c:\hbbbtb.exe; depth 78; PID 2424)
- \??\c:\ddvjp.exe (command line: c:\ddvjp.exe; depth 79; PID 2552)
- \??\c:\xrrlxfx.exe (command line: c:\xrrlxfx.exe; depth 80; PID 2108)
- \??\c:\lfrxffl.exe (command line: c:\lfrxffl.exe; depth 81; PID 2052)
- \??\c:\nhbtbb.exe (command line: c:\nhbtbb.exe; depth 82; PID 2428)
- \??\c:\pjddp.exe (command line: c:\pjddp.exe; depth 83; PID 1856)
- \??\c:\vvjvp.exe (command line: c:\vvjvp.exe; depth 84; PID 1912)
- \??\c:\frfxlxf.exe (command line: c:\frfxlxf.exe; depth 85; PID 3024)
- \??\c:\tnntht.exe (command line: c:\tnntht.exe; depth 86; PID 2400)
- \??\c:\3bbbtb.exe (command line: c:\3bbbtb.exe; depth 87; PID 2500)
- \??\c:\pvvdp.exe (command line: c:\pvvdp.exe; depth 88; PID 1972)
- \??\c:\3ffflll.exe (command line: c:\3ffflll.exe; depth 89; PID 2520)
- \??\c:\llxlxrf.exe (command line: c:\llxlxrf.exe; depth 90; PID 2360)
- \??\c:\btttht.exe (command line: c:\btttht.exe; depth 91; PID 2748)
- \??\c:\ddpvd.exe (command line: c:\ddpvd.exe; depth 92; PID 2740)
- \??\c:\jvddd.exe (command line: c:\jvddd.exe; depth 93; PID 2860)
- \??\c:\rxfrflf.exe (command line: c:\rxfrflf.exe; depth 94; PID 1984)
- \??\c:\hbtntn.exe (command line: c:\hbtntn.exe; depth 95; PID 2628)
- \??\c:\bthnth.exe (command line: c:\bthnth.exe; depth 96; PID 2300)
- \??\c:\jdjjp.exe (command line: c:\jdjjp.exe; depth 97; PID 2832)
- \??\c:\xxrxllx.exe (command line: c:\xxrxllx.exe; depth 98; PID 2640)
- \??\c:\fflxlrf.exe (command line: c:\fflxlrf.exe; depth 99; PID 2592)
- \??\c:\nhntbh.exe (command line: c:\nhntbh.exe; depth 100; PID 2304)
- \??\c:\jjvjd.exe (command line: c:\jjvjd.exe; depth 101; PID 3064)
- \??\c:\pdppv.exe (command line: c:\pdppv.exe; depth 102; PID 524)
- \??\c:\xrffflr.exe (command line: c:\xrffflr.exe; depth 103; PID 2836)
- \??\c:\nhntbh.exe (command line: c:\nhntbh.exe; depth 104; PID 1480)
- \??\c:\nhnnnn.exe (command line: c:\nhnnnn.exe; depth 105; PID 2632)
- \??\c:\jjvdv.exe (command line: c:\jjvdv.exe; depth 106; PID 1536)
- \??\c:\5lrxrxl.exe (command line: c:\5lrxrxl.exe; depth 107; PID 1516)
- \??\c:\9xlrfrx.exe (command line: c:\9xlrfrx.exe; depth 108; PID 2908)
- \??\c:\bbhbth.exe (command line: c:\bbhbth.exe; depth 109; PID 2840)
- \??\c:\ppjvj.exe (command line: c:\ppjvj.exe; depth 110; PID 2936)
- \??\c:\rxlxrlf.exe (command line: c:\rxlxrlf.exe; depth 111; PID 2228)
- \??\c:\fxxllxr.exe (command line: c:\fxxllxr.exe; depth 112; PID 1452)
- \??\c:\9nttbh.exe (command line: c:\9nttbh.exe; depth 113; PID 2676)
- \??\c:\ttnbhn.exe (command line: c:\ttnbhn.exe; depth 114; PID 480)
- \??\c:\pjvvj.exe (command line: c:\pjvvj.exe; depth 115; PID 2132)
- \??\c:\ffxxlll.exe (command line: c:\ffxxlll.exe; depth 116; PID 2040)
- \??\c:\fffxflr.exe (command line: c:\fffxflr.exe; depth 117; PID 392)
- \??\c:\bbnnth.exe (command line: c:\bbnnth.exe; depth 118; PID 576)
- \??\c:\ppdpd.exe (command line: c:\ppdpd.exe; depth 119; PID 372)
- \??\c:\lfxlxlf.exe (command line: c:\lfxlxlf.exe; depth 120; PID 1184)
- \??\c:\rlxrxfr.exe (command line: c:\rlxrxfr.exe; depth 121; PID 1380)
  - System Location Discovery: System Language Discovery
- \??\c:\3thhtb.exe (command line: c:\3thhtb.exe; depth 122; PID 608)