Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 25/12/2024, 20:48

Static task: static1
Behavioral task: behavioral1
Sample: 706feb2bf94464c8f33496effd90174cbb73a28ce6b7086b7e7d5873271a7d8aN.exe
Resource: win7-20240903-en
General
- Target: 706feb2bf94464c8f33496effd90174cbb73a28ce6b7086b7e7d5873271a7d8aN.exe
- Size: 454KB
- MD5: cc905ab927fde0fbf1e47046e6903560
- SHA1: 4e170f185e80d5a095617d92aeb8e90ba64c9af6
- SHA256: 706feb2bf94464c8f33496effd90174cbb73a28ce6b7086b7e7d5873271a7d8a
- SHA512: 9dae4d1b9a00f614183ec7cd5b50cd202393eda5078b51833ec216cec2b9ed42a10a4b6b749035937ceae0e938b16e8e99860b8ee27e5155048066bbd8ddb704
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (48 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\706feb2bf94464c8f33496effd90174cbb73a28ce6b7086b7e7d5873271a7d8aN.exe"C:\Users\Admin\AppData\Local\Temp\706feb2bf94464c8f33496effd90174cbb73a28ce6b7086b7e7d5873271a7d8aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\1dpdp.exec:\1dpdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:276 -
\??\c:\tnbhtt.exec:\tnbhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\ddppd.exec:\ddppd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\nhbbtt.exec:\nhbbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\vjdjp.exec:\vjdjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\5dvvv.exec:\5dvvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\5djjp.exec:\5djjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\pjdjp.exec:\pjdjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\7jdjp.exec:\7jdjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\5jdpd.exec:\5jdpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\pddjd.exec:\pddjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\vpjpv.exec:\vpjpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\1fxfflr.exec:\1fxfflr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\1pdvd.exec:\1pdvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\vpjjv.exec:\vpjjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\dpdjd.exec:\dpdjd.exe17⤵
- Executes dropped EXE
PID:2188 -
\??\c:\xrrrxxl.exec:\xrrrxxl.exe18⤵
- Executes dropped EXE
PID:1448 -
\??\c:\dvjjj.exec:\dvjjj.exe19⤵
- Executes dropped EXE
PID:2168 -
\??\c:\xrrxrxl.exec:\xrrxrxl.exe20⤵
- Executes dropped EXE
PID:1156 -
\??\c:\jjvvd.exec:\jjvvd.exe21⤵
- Executes dropped EXE
PID:1876 -
\??\c:\5dpvp.exec:\5dpvp.exe22⤵
- Executes dropped EXE
PID:628 -
\??\c:\7vpvj.exec:\7vpvj.exe23⤵
- Executes dropped EXE
PID:2472 -
\??\c:\dvjdj.exec:\dvjdj.exe24⤵
- Executes dropped EXE
PID:1480 -
\??\c:\5tnnbb.exec:\5tnnbb.exe25⤵
- Executes dropped EXE
PID:1056 -
\??\c:\vvvjv.exec:\vvvjv.exe26⤵
- Executes dropped EXE
PID:2432 -
\??\c:\xxrxrxr.exec:\xxrxrxr.exe27⤵
- Executes dropped EXE
PID:2064 -
\??\c:\5dvvj.exec:\5dvvj.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1164 -
\??\c:\hhhttt.exec:\hhhttt.exe29⤵
- Executes dropped EXE
PID:2124 -
\??\c:\pjdjv.exec:\pjdjv.exe30⤵
- Executes dropped EXE
PID:552 -
\??\c:\btntbb.exec:\btntbb.exe31⤵
- Executes dropped EXE
PID:764 -
\??\c:\7jdpd.exec:\7jdpd.exe32⤵
- Executes dropped EXE
PID:1716 -
\??\c:\bbbntb.exec:\bbbntb.exe33⤵
- Executes dropped EXE
PID:2328 -
\??\c:\vpjjv.exec:\vpjjv.exe34⤵
- Executes dropped EXE
PID:2904 -
\??\c:\fxrxfff.exec:\fxrxfff.exe35⤵
- Executes dropped EXE
PID:2556 -
\??\c:\bhtbnn.exec:\bhtbnn.exe36⤵
- Executes dropped EXE
PID:2728 -
\??\c:\7vppd.exec:\7vppd.exe37⤵
- Executes dropped EXE
PID:2752 -
\??\c:\pdvjv.exec:\pdvjv.exe38⤵
- Executes dropped EXE
PID:2780 -
\??\c:\9fxfxxf.exec:\9fxfxxf.exe39⤵
- Executes dropped EXE
PID:1616 -
\??\c:\xrrrxrl.exec:\xrrrxrl.exe40⤵
- Executes dropped EXE
PID:2924 -
\??\c:\bhbhbb.exec:\bhbhbb.exe41⤵
- Executes dropped EXE
PID:2712 -
\??\c:\dvvjd.exec:\dvvjd.exe42⤵
- Executes dropped EXE
PID:2720 -
\??\c:\9xrxffl.exec:\9xrxffl.exe43⤵
- Executes dropped EXE
PID:2284 -
\??\c:\ffrxffr.exec:\ffrxffr.exe44⤵
- Executes dropped EXE
PID:2056 -
\??\c:\nbntnb.exec:\nbntnb.exe45⤵
- Executes dropped EXE
PID:1584 -
\??\c:\dvpvj.exec:\dvpvj.exe46⤵
- Executes dropped EXE
PID:112 -
\??\c:\rllflrl.exec:\rllflrl.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1548 -
\??\c:\rrfrlrf.exec:\rrfrlrf.exe48⤵
- Executes dropped EXE
PID:2908 -
\??\c:\nnhhnt.exec:\nnhhnt.exe49⤵
- Executes dropped EXE
PID:1032 -
\??\c:\3djjp.exec:\3djjp.exe50⤵
- Executes dropped EXE
PID:484 -
\??\c:\pdvvv.exec:\pdvvv.exe51⤵
- Executes dropped EXE
PID:2564 -
\??\c:\xfxrxlx.exec:\xfxrxlx.exe52⤵
- Executes dropped EXE
PID:1328 -
\??\c:\7hhnhn.exec:\7hhnhn.exe53⤵
- Executes dropped EXE
PID:1964 -
\??\c:\5httbb.exec:\5httbb.exe54⤵
- Executes dropped EXE
PID:1760 -
\??\c:\pjvvj.exec:\pjvvj.exe55⤵
- Executes dropped EXE
PID:584 -
\??\c:\lllrflf.exec:\lllrflf.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2116 -
\??\c:\btnnbh.exec:\btnnbh.exe57⤵
- Executes dropped EXE
PID:2080 -
\??\c:\hthntt.exec:\hthntt.exe58⤵
- Executes dropped EXE
PID:1156 -
\??\c:\dvjvd.exec:\dvjvd.exe59⤵
- Executes dropped EXE
PID:3032 -
\??\c:\rlflrxl.exec:\rlflrxl.exe60⤵
- Executes dropped EXE
PID:448 -
\??\c:\xrrlrrr.exec:\xrrlrrr.exe61⤵
- Executes dropped EXE
PID:2868 -
\??\c:\httbhn.exec:\httbhn.exe62⤵
- Executes dropped EXE
PID:1948 -
\??\c:\pjpvd.exec:\pjpvd.exe63⤵
- Executes dropped EXE
PID:2160 -
\??\c:\7vpvj.exec:\7vpvj.exe64⤵
- Executes dropped EXE
PID:1552 -
\??\c:\3rlxffr.exec:\3rlxffr.exe65⤵
- Executes dropped EXE
PID:2372 -
\??\c:\hbbntt.exec:\hbbntt.exe66⤵PID:1840
-
\??\c:\ddvpv.exec:\ddvpv.exe67⤵PID:844
-
\??\c:\5vvvd.exec:\5vvvd.exe68⤵PID:1748
-
\??\c:\rrllffx.exec:\rrllffx.exe69⤵PID:888
-
\??\c:\nhbnbh.exec:\nhbnbh.exe70⤵PID:2124
-
\??\c:\9bttbb.exec:\9bttbb.exe71⤵PID:2540
-
\??\c:\9djdv.exec:\9djdv.exe72⤵PID:1608
-
\??\c:\llflrxl.exec:\llflrxl.exe73⤵PID:2412
-
\??\c:\bbnbhn.exec:\bbnbhn.exe74⤵PID:2440
-
\??\c:\nbtbhn.exec:\nbtbhn.exe75⤵PID:2164
-
\??\c:\pjddp.exec:\pjddp.exe76⤵PID:2740
-
\??\c:\rfxfflr.exec:\rfxfflr.exe77⤵PID:2260
-
\??\c:\tnhbtt.exec:\tnhbtt.exe78⤵PID:2804
-
\??\c:\tnhnbb.exec:\tnhnbb.exe79⤵PID:2752
-
\??\c:\vpvpp.exec:\vpvpp.exe80⤵PID:2780
-
\??\c:\7rrrlrl.exec:\7rrrlrl.exe81⤵PID:2476
-
\??\c:\hhnhth.exec:\hhnhth.exe82⤵PID:2620
-
\??\c:\jpdpv.exec:\jpdpv.exe83⤵PID:1720
-
\??\c:\vvvvj.exec:\vvvvj.exe84⤵PID:2892
-
\??\c:\1rrrflf.exec:\1rrrflf.exe85⤵PID:2184
-
\??\c:\7nttbh.exec:\7nttbh.exe86⤵
- System Location Discovery: System Language Discovery
PID:1236 -
\??\c:\dvdpv.exec:\dvdpv.exe87⤵PID:2176
-
\??\c:\dpddj.exec:\dpddj.exe88⤵PID:2688
-
\??\c:\5fxffxx.exec:\5fxffxx.exe89⤵PID:1640
-
\??\c:\nbnttb.exec:\nbnttb.exe90⤵PID:2952
-
\??\c:\nhbnbb.exec:\nhbnbb.exe91⤵PID:776
-
\??\c:\dvppd.exec:\dvppd.exe92⤵PID:2364
-
\??\c:\rrlrxrx.exec:\rrlrxrx.exe93⤵PID:316
-
\??\c:\hhnthh.exec:\hhnthh.exe94⤵PID:1352
-
\??\c:\tnntbb.exec:\tnntbb.exe95⤵PID:1996
-
\??\c:\1jppv.exec:\1jppv.exe96⤵PID:1800
-
\??\c:\3lflrrr.exec:\3lflrrr.exe97⤵PID:1012
-
\??\c:\fxrrllf.exec:\fxrrllf.exe98⤵PID:2168
-
\??\c:\7tnbhn.exec:\7tnbhn.exe99⤵PID:2316
-
\??\c:\vpddj.exec:\vpddj.exe100⤵PID:2132
-
\??\c:\3lfxflr.exec:\3lfxflr.exe101⤵PID:2128
-
\??\c:\ffrxlrf.exec:\ffrxlrf.exe102⤵PID:3032
-
\??\c:\5bbbbb.exec:\5bbbbb.exe103⤵PID:448
-
\??\c:\dvjdv.exec:\dvjdv.exe104⤵PID:1620
-
\??\c:\pdvpd.exec:\pdvpd.exe105⤵PID:1344
-
\??\c:\xrfflrf.exec:\xrfflrf.exe106⤵PID:1684
-
\??\c:\tttttt.exec:\tttttt.exe107⤵PID:2996
-
\??\c:\hnhnth.exec:\hnhnth.exe108⤵PID:2432
-
\??\c:\5pjjj.exec:\5pjjj.exe109⤵PID:2064
-
\??\c:\ppjjd.exec:\ppjjd.exe110⤵PID:2052
-
\??\c:\9lfxrxl.exec:\9lfxrxl.exe111⤵PID:3044
-
\??\c:\thhnbb.exec:\thhnbb.exe112⤵PID:1968
-
\??\c:\pjjvj.exec:\pjjvj.exe113⤵PID:552
-
\??\c:\1dppd.exec:\1dppd.exe114⤵PID:2540
-
\??\c:\7fxxffl.exec:\7fxxffl.exe115⤵PID:1268
-
\??\c:\hbhnbb.exec:\hbhnbb.exe116⤵PID:1600
-
\??\c:\hnhnbb.exec:\hnhnbb.exe117⤵PID:2468
-
\??\c:\dvvvd.exec:\dvvvd.exe118⤵PID:1808
-
\??\c:\rlfrxrf.exec:\rlfrxrf.exe119⤵PID:2756
-
\??\c:\hbhnbh.exec:\hbhnbh.exe120⤵PID:2884
-
\??\c:\pjvdp.exec:\pjvdp.exe121⤵PID:3004
-
\??\c:\vvdjd.exec:\vvdjd.exe122⤵PID:1152