Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
25/12/2024, 16:49
Static task
static1
Behavioral task
behavioral1
Sample
c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe
Resource
win7-20241023-en
General
-
Target
c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe
-
Size
456KB
-
MD5
ca09624799ae23990ff7158dae4864a0
-
SHA1
142f121b416cd0f14676ca8d9ef1ba2d9477c18a
-
SHA256
c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ff
-
SHA512
a1a481941f07e7e6f9c48c14eaccfd7793fa442495eef9d4bf8606a2751622e32873453719adbc57f04377ca89815ef9a458f7d44406eb7cef8ff5ff013b27d4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR84:q7Tc2NYHUrAwfMp3CDRF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/2416-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-24-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2992-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-46-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2836-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-60-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2096-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-108-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1956-123-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1956-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1844-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1720-249-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1420-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1420-262-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2584-290-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2584-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-318-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/1512-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/600-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/600-365-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1292-424-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/820-438-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1500-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-452-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2212-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-492-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1948-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1376-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1892-527-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2412-546-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2412-567-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1436-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1436-575-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1940-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-615-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2836-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-668-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1828-688-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1956-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-734-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2416 vpjjv.exe 2992 3hbnnn.exe 2800 dvvpp.exe 2920 nhthnt.exe 2836 frrfffl.exe 2096 xfrfrrf.exe 2728 60800.exe 2824 nhtntn.exe 2748 pdppv.exe 1280 tnhhnb.exe 2076 42844.exe 1956 2084066.exe 2448 lffxflx.exe 1988 024222.exe 1844 626064.exe 772 e04804.exe 2692 802248.exe 1028 820804.exe 2216 04666.exe 544 3bbttn.exe 2796 420028.exe 644 rfrxxxr.exe 1968 tnbbhh.exe 1528 a8000.exe 1572 826028.exe 1720 q84066.exe 1420 nbnnbb.exe 2404 rlrrxff.exe 2328 242682.exe 2584 7dvvd.exe 2568 280640.exe 2264 2688440.exe 1512 u088484.exe 2892 42884.exe 2820 rfrrxrr.exe 2912 bthhbb.exe 600 u482206.exe 2816 dpjvv.exe 2972 lfxfflx.exe 2096 w24028.exe 2812 o288400.exe 2964 jvjdd.exe 1048 64666.exe 2140 480622.exe 728 0800668.exe 920 9lrlfff.exe 768 i640220.exe 2064 vpjjv.exe 1292 e28400.exe 1660 thtbhb.exe 820 24062.exe 1500 m6006.exe 2952 420666.exe 772 5vppv.exe 1008 vjddj.exe 2212 pjddv.exe 2228 pjvpj.exe 2492 o088462.exe 2944 dvjjv.exe 2796 jpvvv.exe 1892 2004884.exe 1948 vpvvd.exe 1788 vjppj.exe 1376 8600664.exe -
resource yara_rule behavioral1/memory/2416-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-44-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2096-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/544-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-309-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1512-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/600-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/820-438-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1500-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-492-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1948-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1376-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1376-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-575-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2464-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-734-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/1812-759-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 840602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lllffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnbh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6084066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i468064.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2264 wrote to memory of 2416 2264 c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe 31 PID 2264 wrote to memory of 2416 2264 c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe 31 PID 2264 wrote to memory of 2416 2264 c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe 31 PID 2264 wrote to memory of 2416 2264 c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe 31 PID 2416 wrote to memory of 2992 2416 vpjjv.exe 32 PID 2416 wrote to memory of 2992 2416 vpjjv.exe 32 PID 2416 wrote to memory of 2992 2416 vpjjv.exe 32 PID 2416 wrote to memory of 2992 2416 vpjjv.exe 32 PID 2992 wrote to memory of 2800 2992 3hbnnn.exe 33 PID 2992 wrote to memory of 2800 2992 3hbnnn.exe 33 PID 2992 wrote to memory of 2800 2992 3hbnnn.exe 33 PID 2992 wrote to memory of 2800 2992 3hbnnn.exe 33 PID 2800 wrote to memory of 2920 2800 dvvpp.exe 34 PID 2800 wrote to memory of 2920 2800 dvvpp.exe 34 PID 2800 wrote to memory of 2920 2800 dvvpp.exe 34 PID 2800 wrote to memory of 2920 2800 dvvpp.exe 34 PID 2920 wrote to memory of 2836 2920 nhthnt.exe 35 PID 2920 wrote to memory of 2836 2920 nhthnt.exe 35 PID 2920 wrote to memory of 2836 2920 nhthnt.exe 35 PID 2920 wrote to memory of 2836 2920 nhthnt.exe 35 PID 2836 wrote to memory of 2096 2836 frrfffl.exe 36 PID 2836 wrote to memory of 2096 2836 frrfffl.exe 36 PID 2836 wrote to memory of 2096 2836 frrfffl.exe 36 PID 2836 wrote to memory of 2096 2836 frrfffl.exe 36 PID 2096 wrote to memory of 2728 2096 xfrfrrf.exe 37 PID 2096 wrote to memory of 2728 2096 xfrfrrf.exe 37 PID 2096 wrote to memory of 2728 2096 xfrfrrf.exe 37 PID 2096 wrote to memory of 2728 2096 xfrfrrf.exe 37 PID 2728 wrote to memory of 2824 2728 60800.exe 38 PID 2728 wrote to memory of 2824 2728 60800.exe 38 PID 2728 wrote to memory of 2824 2728 60800.exe 38 PID 2728 wrote to memory of 2824 2728 60800.exe 38 PID 2824 wrote to memory of 2748 2824 nhtntn.exe 39 PID 2824 
wrote to memory of 2748 2824 nhtntn.exe 39 PID 2824 wrote to memory of 2748 2824 nhtntn.exe 39 PID 2824 wrote to memory of 2748 2824 nhtntn.exe 39 PID 2748 wrote to memory of 1280 2748 pdppv.exe 40 PID 2748 wrote to memory of 1280 2748 pdppv.exe 40 PID 2748 wrote to memory of 1280 2748 pdppv.exe 40 PID 2748 wrote to memory of 1280 2748 pdppv.exe 40 PID 1280 wrote to memory of 2076 1280 tnhhnb.exe 41 PID 1280 wrote to memory of 2076 1280 tnhhnb.exe 41 PID 1280 wrote to memory of 2076 1280 tnhhnb.exe 41 PID 1280 wrote to memory of 2076 1280 tnhhnb.exe 41 PID 2076 wrote to memory of 1956 2076 42844.exe 42 PID 2076 wrote to memory of 1956 2076 42844.exe 42 PID 2076 wrote to memory of 1956 2076 42844.exe 42 PID 2076 wrote to memory of 1956 2076 42844.exe 42 PID 1956 wrote to memory of 2448 1956 2084066.exe 43 PID 1956 wrote to memory of 2448 1956 2084066.exe 43 PID 1956 wrote to memory of 2448 1956 2084066.exe 43 PID 1956 wrote to memory of 2448 1956 2084066.exe 43 PID 2448 wrote to memory of 1988 2448 lffxflx.exe 44 PID 2448 wrote to memory of 1988 2448 lffxflx.exe 44 PID 2448 wrote to memory of 1988 2448 lffxflx.exe 44 PID 2448 wrote to memory of 1988 2448 lffxflx.exe 44 PID 1988 wrote to memory of 1844 1988 024222.exe 45 PID 1988 wrote to memory of 1844 1988 024222.exe 45 PID 1988 wrote to memory of 1844 1988 024222.exe 45 PID 1988 wrote to memory of 1844 1988 024222.exe 45 PID 1844 wrote to memory of 772 1844 626064.exe 46 PID 1844 wrote to memory of 772 1844 626064.exe 46 PID 1844 wrote to memory of 772 1844 626064.exe 46 PID 1844 wrote to memory of 772 1844 626064.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe"C:\Users\Admin\AppData\Local\Temp\c6e223a85a8efe759fa26e0a1968e2bf2dea012d02f41a5f33bdaf4b2d69c1ffN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\vpjjv.exec:\vpjjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\3hbnnn.exec:\3hbnnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\dvvpp.exec:\dvvpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\nhthnt.exec:\nhthnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\frrfffl.exec:\frrfffl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\xfrfrrf.exec:\xfrfrrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\60800.exec:\60800.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\nhtntn.exec:\nhtntn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\pdppv.exec:\pdppv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\tnhhnb.exec:\tnhhnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\42844.exec:\42844.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\2084066.exec:\2084066.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\lffxflx.exec:\lffxflx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\024222.exec:\024222.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\626064.exec:\626064.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\e04804.exec:\e04804.exe17⤵
- Executes dropped EXE
PID:772 -
\??\c:\802248.exec:\802248.exe18⤵
- Executes dropped EXE
PID:2692 -
\??\c:\820804.exec:\820804.exe19⤵
- Executes dropped EXE
PID:1028 -
\??\c:\04666.exec:\04666.exe20⤵
- Executes dropped EXE
PID:2216 -
\??\c:\3bbttn.exec:\3bbttn.exe21⤵
- Executes dropped EXE
PID:544 -
\??\c:\420028.exec:\420028.exe22⤵
- Executes dropped EXE
PID:2796 -
\??\c:\rfrxxxr.exec:\rfrxxxr.exe23⤵
- Executes dropped EXE
PID:644 -
\??\c:\tnbbhh.exec:\tnbbhh.exe24⤵
- Executes dropped EXE
PID:1968 -
\??\c:\a8000.exec:\a8000.exe25⤵
- Executes dropped EXE
PID:1528 -
\??\c:\826028.exec:\826028.exe26⤵
- Executes dropped EXE
PID:1572 -
\??\c:\q84066.exec:\q84066.exe27⤵
- Executes dropped EXE
PID:1720 -
\??\c:\nbnnbb.exec:\nbnnbb.exe28⤵
- Executes dropped EXE
PID:1420 -
\??\c:\rlrrxff.exec:\rlrrxff.exe29⤵
- Executes dropped EXE
PID:2404 -
\??\c:\242682.exec:\242682.exe30⤵
- Executes dropped EXE
PID:2328 -
\??\c:\7dvvd.exec:\7dvvd.exe31⤵
- Executes dropped EXE
PID:2584 -
\??\c:\280640.exec:\280640.exe32⤵
- Executes dropped EXE
PID:2568 -
\??\c:\2688440.exec:\2688440.exe33⤵
- Executes dropped EXE
PID:2264 -
\??\c:\u088484.exec:\u088484.exe34⤵
- Executes dropped EXE
PID:1512 -
\??\c:\42884.exec:\42884.exe35⤵
- Executes dropped EXE
PID:2892 -
\??\c:\rfrrxrr.exec:\rfrrxrr.exe36⤵
- Executes dropped EXE
PID:2820 -
\??\c:\bthhbb.exec:\bthhbb.exe37⤵
- Executes dropped EXE
PID:2912 -
\??\c:\u482206.exec:\u482206.exe38⤵
- Executes dropped EXE
PID:600 -
\??\c:\dpjvv.exec:\dpjvv.exe39⤵
- Executes dropped EXE
PID:2816 -
\??\c:\lfxfflx.exec:\lfxfflx.exe40⤵
- Executes dropped EXE
PID:2972 -
\??\c:\w24028.exec:\w24028.exe41⤵
- Executes dropped EXE
PID:2096 -
\??\c:\o288400.exec:\o288400.exe42⤵
- Executes dropped EXE
PID:2812 -
\??\c:\jvjdd.exec:\jvjdd.exe43⤵
- Executes dropped EXE
PID:2964 -
\??\c:\64666.exec:\64666.exe44⤵
- Executes dropped EXE
PID:1048 -
\??\c:\480622.exec:\480622.exe45⤵
- Executes dropped EXE
PID:2140 -
\??\c:\0800668.exec:\0800668.exe46⤵
- Executes dropped EXE
PID:728 -
\??\c:\9lrlfff.exec:\9lrlfff.exe47⤵
- Executes dropped EXE
PID:920 -
\??\c:\i640220.exec:\i640220.exe48⤵
- Executes dropped EXE
PID:768 -
\??\c:\vpjjv.exec:\vpjjv.exe49⤵
- Executes dropped EXE
PID:2064 -
\??\c:\e28400.exec:\e28400.exe50⤵
- Executes dropped EXE
PID:1292 -
\??\c:\thtbhb.exec:\thtbhb.exe51⤵
- Executes dropped EXE
PID:1660 -
\??\c:\24062.exec:\24062.exe52⤵
- Executes dropped EXE
PID:820 -
\??\c:\m6006.exec:\m6006.exe53⤵
- Executes dropped EXE
PID:1500 -
\??\c:\420666.exec:\420666.exe54⤵
- Executes dropped EXE
PID:2952 -
\??\c:\5vppv.exec:\5vppv.exe55⤵
- Executes dropped EXE
PID:772 -
\??\c:\vjddj.exec:\vjddj.exe56⤵
- Executes dropped EXE
PID:1008 -
\??\c:\pjddv.exec:\pjddv.exe57⤵
- Executes dropped EXE
PID:2212 -
\??\c:\pjvpj.exec:\pjvpj.exe58⤵
- Executes dropped EXE
PID:2228 -
\??\c:\o088462.exec:\o088462.exe59⤵
- Executes dropped EXE
PID:2492 -
\??\c:\dvjjv.exec:\dvjjv.exe60⤵
- Executes dropped EXE
PID:2944 -
\??\c:\jpvvv.exec:\jpvvv.exe61⤵
- Executes dropped EXE
PID:2796 -
\??\c:\2004884.exec:\2004884.exe62⤵
- Executes dropped EXE
PID:1892 -
\??\c:\vpvvd.exec:\vpvvd.exe63⤵
- Executes dropped EXE
PID:1948 -
\??\c:\vjppj.exec:\vjppj.exe64⤵
- Executes dropped EXE
PID:1788 -
\??\c:\8600664.exec:\8600664.exe65⤵
- Executes dropped EXE
PID:1376 -
\??\c:\1htbbt.exec:\1htbbt.exe66⤵PID:1572
-
\??\c:\486244.exec:\486244.exe67⤵PID:336
-
\??\c:\g8662.exec:\g8662.exe68⤵PID:2412
-
\??\c:\2080444.exec:\2080444.exe69⤵PID:1420
-
\??\c:\llrfflx.exec:\llrfflx.exe70⤵PID:980
-
\??\c:\jdvdd.exec:\jdvdd.exe71⤵PID:2496
-
\??\c:\3jpdd.exec:\3jpdd.exe72⤵PID:1436
-
\??\c:\k60620.exec:\k60620.exe73⤵PID:2240
-
\??\c:\6028484.exec:\6028484.exe74⤵PID:2336
-
\??\c:\s2446.exec:\s2446.exe75⤵PID:2340
-
\??\c:\nbnhhh.exec:\nbnhhh.exe76⤵PID:1940
-
\??\c:\4868880.exec:\4868880.exe77⤵PID:2464
-
\??\c:\hhnhnb.exec:\hhnhnb.exe78⤵PID:2992
-
\??\c:\i682228.exec:\i682228.exe79⤵PID:2960
-
\??\c:\lfrrrrr.exec:\lfrrrrr.exe80⤵PID:2924
-
\??\c:\jjvjv.exec:\jjvjv.exe81⤵PID:2836
-
\??\c:\82000.exec:\82000.exe82⤵PID:2288
-
\??\c:\xlrxfrf.exec:\xlrxfrf.exe83⤵PID:2988
-
\??\c:\jdpdp.exec:\jdpdp.exe84⤵PID:2760
-
\??\c:\048466.exec:\048466.exe85⤵PID:2824
-
\??\c:\dvpvv.exec:\dvpvv.exe86⤵PID:2780
-
\??\c:\426628.exec:\426628.exe87⤵PID:1212
-
\??\c:\80828.exec:\80828.exe88⤵PID:2072
-
\??\c:\frflrrl.exec:\frflrrl.exe89⤵PID:1828
-
\??\c:\808666.exec:\808666.exe90⤵PID:2144
-
\??\c:\4822602.exec:\4822602.exe91⤵PID:1956
-
\??\c:\204462.exec:\204462.exe92⤵PID:1672
-
\??\c:\086066.exec:\086066.exe93⤵PID:1360
-
\??\c:\lxfxffl.exec:\lxfxffl.exe94⤵PID:1988
-
\??\c:\a8624.exec:\a8624.exe95⤵PID:1560
-
\??\c:\7jvvd.exec:\7jvvd.exe96⤵PID:3028
-
\??\c:\nbhnnt.exec:\nbhnnt.exe97⤵PID:2896
-
\??\c:\882642.exec:\882642.exe98⤵PID:2692
-
\??\c:\dpjjd.exec:\dpjjd.exe99⤵PID:1028
-
\??\c:\6088088.exec:\6088088.exe100⤵PID:2212
-
\??\c:\fxlrxxl.exec:\fxlrxxl.exe101⤵PID:1812
-
\??\c:\jdvpd.exec:\jdvpd.exe102⤵PID:2492
-
\??\c:\0828608.exec:\0828608.exe103⤵PID:1544
-
\??\c:\nhtnhb.exec:\nhtnhb.exe104⤵PID:788
-
\??\c:\rfrxfrf.exec:\rfrxfrf.exe105⤵PID:1368
-
\??\c:\48068.exec:\48068.exe106⤵PID:2304
-
\??\c:\8646840.exec:\8646840.exe107⤵PID:1452
-
\??\c:\260284.exec:\260284.exe108⤵PID:1376
-
\??\c:\w42462.exec:\w42462.exe109⤵PID:1736
-
\??\c:\9xrfrxr.exec:\9xrfrxr.exe110⤵PID:824
-
\??\c:\48680.exec:\48680.exe111⤵PID:1696
-
\??\c:\o224668.exec:\o224668.exe112⤵PID:2332
-
\??\c:\5frllll.exec:\5frllll.exe113⤵PID:2572
-
\??\c:\5vddd.exec:\5vddd.exe114⤵PID:1944
-
\??\c:\i426440.exec:\i426440.exe115⤵PID:1136
-
\??\c:\tnhhnn.exec:\tnhhnn.exe116⤵PID:2260
-
\??\c:\1lxfllr.exec:\1lxfllr.exe117⤵PID:2352
-
\??\c:\m4284.exec:\m4284.exe118⤵PID:1532
-
\??\c:\vpjpd.exec:\vpjpd.exe119⤵PID:1512
-
\??\c:\8206884.exec:\8206884.exe120⤵PID:1940
-
\??\c:\xrfrflf.exec:\xrfrflf.exe121⤵PID:2856
-
\??\c:\nbnnhb.exec:\nbnnhb.exe122⤵PID:2992