Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19-12-2024 04:34

Static task: static1 (1 signature)

Behavioral task: behavioral1
- Sample: d354798421e5e3f3196b7637eab823e73964e6db7fe4d8cfa9c5ebb3e75946ba.exe
- Resource: win7-20240903-en
- 7 signatures
- 150 seconds
General
- Target: d354798421e5e3f3196b7637eab823e73964e6db7fe4d8cfa9c5ebb3e75946ba.exe
- Size: 454KB
- MD5: 550c45de5c2b4519939890d0dc7dcb4e
- SHA1: 92abeae36c99e3983d3c694c61933805ae365168
- SHA256: d354798421e5e3f3196b7637eab823e73964e6db7fe4d8cfa9c5ebb3e75946ba
- SHA512: 67afb6bb480ce849843e0964bf4ee9933acfcc43705b76c67e99a05a932dd9c2f8dc219aff32485ab38a0d64ea737ebf3d547c1813041fdd09f1a9f235a988c6
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbej:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (43 IoCs; YARA rule family_blackmoon matched in the memory of the dropped processes)
- Executes dropped EXE (64 IoCs; the dropped files and their PIDs are listed in the process tree below)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Each IoC is a read of the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by one of the dropped executables.
- Suspicious use of WriteProcessMemory (64 IoCs; each process in the chain writes into the memory of the process it spawns next, starting with PID 3052 writing to PID 2656)
Processes

Process tree. Each process is spawned by the one above it; the number is its depth in the chain, and the command line recorded for every dropped file is the bare path c:\<name>.exe. Signatures attached to each process are given after the PID.

1. C:\Users\Admin\AppData\Local\Temp\d354798421e5e3f3196b7637eab823e73964e6db7fe4d8cfa9c5ebb3e75946ba.exe (PID 3052) - Suspicious use of WriteProcessMemory
2. \??\c:\ntnbtb.exe (PID 2656) - Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\vjjjp.exe (PID 2816) - Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\3bhhhh.exe (PID 2756) - Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\pjdjp.exe (PID 2580) - Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\vpjpj.exe (PID 2712) - Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\hhnhht.exe (PID 2564) - Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\jjpjj.exe (PID 2984) - Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\pjdvd.exe (PID 1044) - Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\llrxrxr.exe (PID 3000) - Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\dpvpj.exe (PID 2372) - Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\xrlxrxr.exe (PID 2780) - Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\ddjdv.exe (PID 1404) - Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\lllrlxx.exe (PID 868) - Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\nnntnh.exe (PID 1792) - Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\5flflxr.exe (PID 1736) - Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\nnbbnh.exe (PID 2924) - Executes dropped EXE
18. \??\c:\fxfxxxl.exe (PID 1068) - Executes dropped EXE
19. \??\c:\bbbhth.exe (PID 552) - Executes dropped EXE
20. \??\c:\djvpd.exe (PID 2036) - Executes dropped EXE
21. \??\c:\ddjpp.exe (PID 408) - Executes dropped EXE
22. \??\c:\rrrfrfx.exe (PID 2116) - Executes dropped EXE
23. \??\c:\1nthth.exe (PID 1368) - Executes dropped EXE
24. \??\c:\hntnnt.exe (PID 1868) - Executes dropped EXE
25. \??\c:\vvpdp.exe (PID 2424) - Executes dropped EXE
26. \??\c:\1hbtnb.exe (PID 1132) - Executes dropped EXE
27. \??\c:\rxxllfx.exe (PID 1772) - Executes dropped EXE
28. \??\c:\nthhtn.exe (PID 2448) - Executes dropped EXE
29. \??\c:\jjjjv.exe (PID 2936) - Executes dropped EXE
30. \??\c:\ttbnbh.exe (PID 1272) - Executes dropped EXE
31. \??\c:\vdjvv.exe (PID 824) - Executes dropped EXE
32. \??\c:\hhnbht.exe (PID 1700) - Executes dropped EXE
33. \??\c:\9lrrrrl.exe (PID 1608) - Executes dropped EXE
34. \??\c:\tntntt.exe (PID 2692) - Executes dropped EXE
35. \??\c:\7rxrffx.exe (PID 1592) - Executes dropped EXE
36. \??\c:\tttttn.exe (PID 2900) - Executes dropped EXE
37. \??\c:\pjpjd.exe (PID 2384) - Executes dropped EXE
38. \??\c:\fffrfrl.exe (PID 2772) - Executes dropped EXE
39. \??\c:\hhhthn.exe (PID 2568) - Executes dropped EXE
40. \??\c:\jppjd.exe (PID 2748) - Executes dropped EXE
41. \??\c:\lxrrfll.exe (PID 2560) - Executes dropped EXE
42. \??\c:\3tthth.exe (PID 496) - Executes dropped EXE
43. \??\c:\dpvjd.exe (PID 2248) - Executes dropped EXE
44. \??\c:\rfrrfff.exe (PID 1516) - Executes dropped EXE
45. \??\c:\bhthnn.exe (PID 1952) - Executes dropped EXE
46. \??\c:\5pjvj.exe (PID 1500) - Executes dropped EXE
47. \??\c:\rffffrr.exe (PID 3028) - Executes dropped EXE
48. \??\c:\htthtb.exe (PID 2156) - Executes dropped EXE
49. \??\c:\vdjdp.exe (PID 2164) - Executes dropped EXE
50. \??\c:\fffxrfx.exe (PID 2316) - Executes dropped EXE
51. \??\c:\bnhthn.exe (PID 2532) - Executes dropped EXE
52. \??\c:\bbbnhn.exe (PID 1636) - Executes dropped EXE
53. \??\c:\pvpjp.exe (PID 1792) - Executes dropped EXE
54. \??\c:\xfrrlrr.exe (PID 592) - Executes dropped EXE
55. \??\c:\3bbnbh.exe (PID 2404) - Executes dropped EXE
56. \??\c:\jjdpj.exe (PID 1808) - Executes dropped EXE
57. \??\c:\frxrlxf.exe (PID 2396) - Executes dropped EXE
58. \??\c:\1tntbn.exe (PID 552) - Executes dropped EXE
59. \??\c:\ddvjv.exe (PID 2192) - Executes dropped EXE
60. \??\c:\fflrlrl.exe (PID 1692) - Executes dropped EXE
61. \??\c:\tbbtnt.exe (PID 1976) - Executes dropped EXE
62. \??\c:\jppjv.exe (PID 1992) - Executes dropped EXE
63. \??\c:\xrllxrf.exe (PID 1824) - Executes dropped EXE
64. \??\c:\bbbtnb.exe (PID 1616) - Executes dropped EXE
65. \??\c:\7jvvj.exe (PID 1868) - Executes dropped EXE
66. \??\c:\ffxlfll.exe (PID 2424)
67. \??\c:\7nhbht.exe (PID 544)
68. \??\c:\vjppp.exe (PID 1040)
69. \??\c:\fffrfrr.exe (PID 1784)
70. \??\c:\nhtbht.exe (PID 2256)
71. \??\c:\jddjv.exe (PID 2440)
72. \??\c:\llrlfll.exe (PID 1924)
73. \??\c:\bhttnb.exe (PID 824)
74. \??\c:\vjjvp.exe (PID 2952)
75. \??\c:\xflrlfx.exe (PID 1380)
76. \??\c:\tnnhtb.exe (PID 2760)
77. \??\c:\5jvdp.exe (PID 2768)
78. \??\c:\vpdjv.exe (PID 2676)
79. \??\c:\frxrrll.exe (PID 2792)
80. \??\c:\tnntnt.exe (PID 2172)
81. \??\c:\vvjpp.exe (PID 2808)
82. \??\c:\lxfxrrf.exe (PID 2860)
83. \??\c:\hhnbhn.exe (PID 2716)
84. \??\c:\jdvdj.exe (PID 2560)
85. \??\c:\fllfxlf.exe (PID 496)
86. \??\c:\7htttn.exe (PID 2984)
87. \??\c:\3ppvp.exe (PID 1516)
88. \??\c:\frllrrl.exe (PID 2644)
89. \??\c:\nttbth.exe (PID 2108)
90. \??\c:\ddvjp.exe (PID 2776)
91. \??\c:\fffrlrf.exe (PID 1580)
92. \??\c:\hbtbnt.exe (PID 600)
93. \??\c:\lxxfxxl.exe (PID 868)
94. \??\c:\9bhbhn.exe (PID 2012)
95. \??\c:\jppjj.exe (PID 856)
96. \??\c:\ffxlxll.exe (PID 1664)
97. \??\c:\bhnhht.exe (PID 1648)
98. \??\c:\dvpvj.exe (PID 2176)
99. \??\c:\hnntht.exe (PID 1808)
100. \??\c:\dvdvd.exe (PID 2296)
101. \??\c:\lrflxfr.exe (PID 1112)
102. \??\c:\nbhthb.exe (PID 1932)
103. \??\c:\jdpjp.exe (PID 1408)
104. \??\c:\llxflrl.exe (PID 1316)
105. \??\c:\5tthtt.exe (PID 1992)
106. \??\c:\tnnthn.exe (PID 1264)
107. \??\c:\jdvdd.exe (PID 1708)
108. \??\c:\xxllffx.exe (PID 1348)
109. \??\c:\bbbhbn.exe (PID 2424)
110. \??\c:\pvpjj.exe (PID 1748)
111. \??\c:\pdvjj.exe (PID 1456)
112. \??\c:\flfxlrl.exe (PID 620)
113. \??\c:\hnhnbn.exe (PID 892)
114. \??\c:\7jddp.exe (PID 3024)
115. \??\c:\fxxfrxr.exe (PID 1888)
116. \??\c:\fxlrffr.exe (PID 2288)
117. \??\c:\nnhtbn.exe (PID 2436)
118. \??\c:\pvvpv.exe (PID 2944)
119. \??\c:\frxfrff.exe (PID 2764)
120. \??\c:\tnnthn.exe (PID 2656)
121. \??\c:\vjdvv.exe (PID 2816)
122. \??\c:\pvjvd.exe (PID 2900)