Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/12/2024, 04:08 UTC

Static task: static1
Behavioral task: behavioral1
Sample: cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe
Resource: win7-20240903-en

General
- Target: cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe
- Size: 455KB
- MD5: 18ea8309a3cc695ac88b5b916e556070
- SHA1: 31ee1084ac6d99eeb7ed0dd989448422c684278d
- SHA256: cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9
- SHA512: 5d1d98b9583720d025af06fe4be97e39537575e7a48c01bb49407ec9e2fbf0f77b65d2cecc67b3eb72c87d48ee4e14fc47d2e0e059dd5389cd21ea2f04979be1
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe"C:\Users\Admin\AppData\Local\Temp\cbe7f102d97e8ca4275d0dad97be9296150f3d0805aa40b9dbcf9b09347748d9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\jdpvj.exec:\jdpvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\nhbtbb.exec:\nhbtbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\rlfffff.exec:\rlfffff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\lxlffxx.exec:\lxlffxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\djjpp.exec:\djjpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\llffllx.exec:\llffllx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\3pvvv.exec:\3pvvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\rlxrrrr.exec:\rlxrrrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\7hhhnn.exec:\7hhhnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\rlrxxxf.exec:\rlrxxxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\tnthtt.exec:\tnthtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\jdpjp.exec:\jdpjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\bhttnt.exec:\bhttnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\vpjpv.exec:\vpjpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\5rllxrx.exec:\5rllxrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\bhhbhn.exec:\bhhbhn.exe17⤵
- Executes dropped EXE
PID:1688 -
\??\c:\frlxlff.exec:\frlxlff.exe18⤵
- Executes dropped EXE
PID:1932 -
\??\c:\nnbthn.exec:\nnbthn.exe19⤵
- Executes dropped EXE
PID:2024 -
\??\c:\ffflflx.exec:\ffflflx.exe20⤵
- Executes dropped EXE
PID:1908 -
\??\c:\lfrrxxf.exec:\lfrrxxf.exe21⤵
- Executes dropped EXE
PID:2068 -
\??\c:\jdvdp.exec:\jdvdp.exe22⤵
- Executes dropped EXE
PID:2352 -
\??\c:\fflxllx.exec:\fflxllx.exe23⤵
- Executes dropped EXE
PID:3008 -
\??\c:\hbhtbn.exec:\hbhtbn.exe24⤵
- Executes dropped EXE
PID:664 -
\??\c:\jjvpj.exec:\jjvpj.exe25⤵
- Executes dropped EXE
PID:1572 -
\??\c:\rlxxffl.exec:\rlxxffl.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1116 -
\??\c:\tnnbnb.exec:\tnnbnb.exe27⤵
- Executes dropped EXE
PID:1740 -
\??\c:\xxrxlfr.exec:\xxrxlfr.exe28⤵
- Executes dropped EXE
PID:1272 -
\??\c:\1vvdp.exec:\1vvdp.exe29⤵
- Executes dropped EXE
PID:1912 -
\??\c:\xrxfrrf.exec:\xrxfrrf.exe30⤵
- Executes dropped EXE
PID:1308 -
\??\c:\btbbhh.exec:\btbbhh.exe31⤵
- Executes dropped EXE
PID:2908 -
\??\c:\tnhhtb.exec:\tnhhtb.exe32⤵
- Executes dropped EXE
PID:872 -
\??\c:\vvpvd.exec:\vvpvd.exe33⤵
- Executes dropped EXE
PID:1596 -
\??\c:\3lffflr.exec:\3lffflr.exe34⤵
- Executes dropped EXE
PID:1600 -
\??\c:\3tntbb.exec:\3tntbb.exe35⤵
- Executes dropped EXE
PID:2564 -
\??\c:\ffllxlx.exec:\ffllxlx.exe36⤵
- Executes dropped EXE
PID:2768 -
\??\c:\fxlrxfl.exec:\fxlrxfl.exe37⤵
- Executes dropped EXE
PID:2716 -
\??\c:\jjdvp.exec:\jjdvp.exe38⤵
- Executes dropped EXE
PID:2848 -
\??\c:\vvjjp.exec:\vvjjp.exe39⤵
- Executes dropped EXE
PID:2660 -
\??\c:\1xffxff.exec:\1xffxff.exe40⤵
- Executes dropped EXE
PID:2800 -
\??\c:\5hbbhn.exec:\5hbbhn.exe41⤵
- Executes dropped EXE
PID:2476 -
\??\c:\5htttt.exec:\5htttt.exe42⤵
- Executes dropped EXE
PID:2508 -
\??\c:\vjjvj.exec:\vjjvj.exe43⤵
- Executes dropped EXE
PID:2952 -
\??\c:\rxrlxrf.exec:\rxrlxrf.exe44⤵
- Executes dropped EXE
PID:2732 -
\??\c:\nhnnbh.exec:\nhnnbh.exe45⤵
- Executes dropped EXE
PID:332 -
\??\c:\1vpjp.exec:\1vpjp.exe46⤵
- Executes dropped EXE
PID:1080 -
\??\c:\vjddj.exec:\vjddj.exe47⤵
- Executes dropped EXE
PID:2672 -
\??\c:\1xflxfl.exec:\1xflxfl.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796 -
\??\c:\nnhntt.exec:\nnhntt.exe49⤵
- Executes dropped EXE
PID:2824 -
\??\c:\7jjdj.exec:\7jjdj.exe50⤵
- Executes dropped EXE
PID:2812 -
\??\c:\rlrrllr.exec:\rlrrllr.exe51⤵
- Executes dropped EXE
PID:1920 -
\??\c:\rrflxxf.exec:\rrflxxf.exe52⤵
- Executes dropped EXE
PID:1644 -
\??\c:\3bttbh.exec:\3bttbh.exe53⤵
- Executes dropped EXE
PID:1948 -
\??\c:\vpvvd.exec:\vpvvd.exe54⤵
- Executes dropped EXE
PID:2368 -
\??\c:\9vjjj.exec:\9vjjj.exe55⤵
- Executes dropped EXE
PID:1992 -
\??\c:\rlxfrrx.exec:\rlxfrrx.exe56⤵
- Executes dropped EXE
PID:1048 -
\??\c:\lfllrrx.exec:\lfllrrx.exe57⤵
- Executes dropped EXE
PID:1932 -
\??\c:\thtbbb.exec:\thtbbb.exe58⤵
- Executes dropped EXE
PID:1904 -
\??\c:\7ppdd.exec:\7ppdd.exe59⤵
- Executes dropped EXE
PID:1892 -
\??\c:\pjvvp.exec:\pjvvp.exe60⤵
- Executes dropped EXE
PID:2296 -
\??\c:\frllrlr.exec:\frllrlr.exe61⤵
- Executes dropped EXE
PID:348 -
\??\c:\tbbnnh.exec:\tbbnnh.exe62⤵
- Executes dropped EXE
PID:2352 -
\??\c:\hhtbbb.exec:\hhtbbb.exe63⤵
- Executes dropped EXE
PID:1484 -
\??\c:\djjvd.exec:\djjvd.exe64⤵
- Executes dropped EXE
PID:2072 -
\??\c:\3rrflrx.exec:\3rrflrx.exe65⤵
- Executes dropped EXE
PID:2128 -
\??\c:\hthntt.exec:\hthntt.exe66⤵PID:1692
-
\??\c:\dvdjp.exec:\dvdjp.exe67⤵PID:1112
-
\??\c:\rfrlllr.exec:\rfrlllr.exe68⤵PID:112
-
\??\c:\thtthh.exec:\thtthh.exe69⤵PID:552
-
\??\c:\dpjdp.exec:\dpjdp.exe70⤵PID:2216
-
\??\c:\1lxflxl.exec:\1lxflxl.exe71⤵PID:2184
-
\??\c:\3tbtnh.exec:\3tbtnh.exe72⤵PID:2852
-
\??\c:\dvjjv.exec:\dvjjv.exe73⤵PID:288
-
\??\c:\ntnnnb.exec:\ntnnnb.exe74⤵PID:2380
-
\??\c:\vpddp.exec:\vpddp.exe75⤵PID:1792
-
\??\c:\nthhnt.exec:\nthhnt.exe76⤵PID:2588
-
\??\c:\pjvdp.exec:\pjvdp.exe77⤵PID:2088
-
\??\c:\3rffxxf.exec:\3rffxxf.exe78⤵PID:2384
-
\??\c:\5jpdp.exec:\5jpdp.exe79⤵PID:2564
-
\??\c:\fflxffl.exec:\fflxffl.exe80⤵PID:2768
-
\??\c:\hbtntn.exec:\hbtntn.exe81⤵PID:2648
-
\??\c:\dvjjp.exec:\dvjjp.exe82⤵PID:2844
-
\??\c:\rrlllfr.exec:\rrlllfr.exe83⤵PID:2496
-
\??\c:\nnbbnn.exec:\nnbbnn.exe84⤵PID:2592
-
\??\c:\tnhtnh.exec:\tnhtnh.exe85⤵PID:2712
-
\??\c:\ddppj.exec:\ddppj.exe86⤵PID:2536
-
\??\c:\rrxflfr.exec:\rrxflfr.exe87⤵PID:272
-
\??\c:\hbnttt.exec:\hbnttt.exe88⤵PID:2772
-
\??\c:\1pvdp.exec:\1pvdp.exe89⤵PID:344
-
\??\c:\9vppv.exec:\9vppv.exe90⤵PID:2924
-
\??\c:\3lxfrrr.exec:\3lxfrrr.exe91⤵PID:2688
-
\??\c:\bthhnh.exec:\bthhnh.exe92⤵PID:2820
-
\??\c:\jvppp.exec:\jvppp.exe93⤵PID:1576
-
\??\c:\djppp.exec:\djppp.exe94⤵PID:580
-
\??\c:\5lxxffx.exec:\5lxxffx.exe95⤵PID:1020
-
\??\c:\1nhbhn.exec:\1nhbhn.exe96⤵PID:356
-
\??\c:\nbnnnh.exec:\nbnnnh.exe97⤵PID:2364
-
\??\c:\vjvdj.exec:\vjvdj.exe98⤵PID:1684
-
\??\c:\7xrlrrx.exec:\7xrlrrx.exe99⤵PID:2188
-
\??\c:\rlxxfxl.exec:\rlxxfxl.exe100⤵PID:1460
-
\??\c:\5bhhhb.exec:\5bhhhb.exe101⤵PID:2636
-
\??\c:\jjvjp.exec:\jjvjp.exe102⤵PID:1884
-
\??\c:\7llrxfl.exec:\7llrxfl.exe103⤵PID:2324
-
\??\c:\bhhtth.exec:\bhhtth.exe104⤵PID:1288
-
\??\c:\thbhhn.exec:\thbhhn.exe105⤵PID:1592
-
\??\c:\vvpvj.exec:\vvpvj.exe106⤵PID:2108
-
\??\c:\fxxfxff.exec:\fxxfxff.exe107⤵PID:2312
-
\??\c:\frfxrrx.exec:\frfxrrx.exe108⤵PID:2424
-
\??\c:\bntbhh.exec:\bntbhh.exe109⤵PID:944
-
\??\c:\jdvdd.exec:\jdvdd.exe110⤵PID:2128
-
\??\c:\5rlrlll.exec:\5rlrlll.exe111⤵PID:1692
-
\??\c:\frlxfff.exec:\frlxfff.exe112⤵PID:1112
-
\??\c:\nbthnt.exec:\nbthnt.exe113⤵PID:112
-
\??\c:\vdpvd.exec:\vdpvd.exe114⤵PID:1200
-
\??\c:\llxfllr.exec:\llxfllr.exe115⤵PID:2216
-
\??\c:\hhtbhh.exec:\hhtbhh.exe116⤵PID:2140
-
\??\c:\dvpdd.exec:\dvpdd.exe117⤵PID:2980
-
\??\c:\5pddd.exec:\5pddd.exe118⤵PID:288
-
\??\c:\rlxxrrf.exec:\rlxxrrf.exe119⤵PID:1520
-
\??\c:\bthtbb.exec:\bthtbb.exe120⤵PID:2076
-
\??\c:\3hthbh.exec:\3hthbh.exe121⤵PID:3004
-
\??\c:\jvjjp.exec:\jvjjp.exe122⤵PID:1724