Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26/12/2024, 05:29 UTC
Static task
static1
Behavioral task
behavioral1
Sample
8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe
Resource
win7-20240903-en
General
-
Target
8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe
-
Size
452KB
-
MD5
149534acc986cf8699dc39f999e3ac70
-
SHA1
c36c46766b495cdf3cd5e01fb60d22d54dec6f44
-
SHA256
8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78c
-
SHA512
0939aa90b45ccc8312db9bf82b417231af912ccc05db6ce14d9080d1902c8f841af7bbcc34ace0553b7ec9497c1723c0a8cdd213c15f68e6b033940d51d3e89d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 55 IoCs
resource yara_rule behavioral1/memory/2460-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-101-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2200-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-156-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1296-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-176-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2424-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-174-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1356-190-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1356-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-204-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1840-213-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/956-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-234-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1600-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-286-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2724-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-520-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2240-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-657-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2196-722-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon 
behavioral1/memory/812-735-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/588-755-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1632-766-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1284-776-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/588-775-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1816-789-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1284-796-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2328-852-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2328-855-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/908-1049-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2656-1092-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2268-1096-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1624-1194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2056 ffrllrf.exe 2500 nnbtnt.exe 2764 xllrffl.exe 2712 bbtbbt.exe 2856 jdvjd.exe 2884 3nbbnt.exe 2100 ffxfrfr.exe 2744 tnntnn.exe 2568 dvpvj.exe 2200 3rlrrrx.exe 1252 htnnnh.exe 2908 jvppv.exe 1984 nhnhnb.exe 2972 jvjvv.exe 772 9rllfrx.exe 1564 httbbb.exe 1296 5dvdj.exe 2424 lfllrrx.exe 1672 pdvdp.exe 1356 vpjjp.exe 2028 7lxxlrf.exe 1840 thttnh.exe 956 rfrrrrr.exe 1600 rrllrrf.exe 1652 tnbbbb.exe 2388 jjdpd.exe 612 ppdjv.exe 2160 bbtbnt.exe 1688 dpjjj.exe 2064 3lfllfl.exe 2656 vjddd.exe 2320 llxrflf.exe 1584 hhhbnn.exe 1796 9ttbhh.exe 2720 pppvj.exe 2148 5rrxrrl.exe 2724 hhbtbn.exe 2852 hbnhnh.exe 2716 1pdjj.exe 2248 vdvvj.exe 2684 fxrllfx.exe 2736 htthnn.exe 2572 bbthbb.exe 2408 vppvj.exe 2640 xlxlrrx.exe 1624 1xfffxf.exe 640 3bbttb.exe 1964 3jppd.exe 2872 jpppv.exe 2660 3xffllr.exe 772 nhttbt.exe 1940 pdjdj.exe 1944 dpdpv.exe 2004 3xffffl.exe 796 hnttbb.exe 1156 3hhbhh.exe 880 vpjvp.exe 1912 vvpvd.exe 1500 1xfflrx.exe 1928 nnbtbb.exe 1740 hhbnbh.exe 840 7djjv.exe 1284 fxllrxf.exe 1100 bbnnnh.exe -
resource yara_rule behavioral1/memory/2460-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-83-0x00000000002B0000-0x00000000002DA000-memory.dmp upx behavioral1/memory/2568-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-176-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2424-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1356-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-236-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2388-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-657-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2812-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/812-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-855-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-880-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-941-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-962-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-979-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1624-1194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-1207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-1256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-1269-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrflllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2460 wrote to memory of 2056 2460 8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe 31 PID 2460 wrote to memory of 2056 2460 8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe 31 PID 2460 wrote to memory of 2056 2460 8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe 31 PID 2460 wrote to memory of 2056 2460 8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe 31 PID 2056 wrote to memory of 2500 2056 ffrllrf.exe 32 PID 2056 wrote to memory of 2500 2056 ffrllrf.exe 32 PID 2056 wrote to memory of 2500 2056 ffrllrf.exe 32 PID 2056 wrote to memory of 2500 2056 ffrllrf.exe 32 PID 2500 wrote to memory of 2764 2500 nnbtnt.exe 33 PID 2500 wrote to memory of 2764 2500 nnbtnt.exe 33 PID 2500 wrote to memory of 2764 2500 nnbtnt.exe 33 PID 2500 wrote to memory of 2764 2500 nnbtnt.exe 33 PID 2764 wrote to memory of 2712 2764 xllrffl.exe 34 PID 2764 wrote to memory of 2712 2764 xllrffl.exe 34 PID 2764 wrote to memory of 2712 2764 xllrffl.exe 34 PID 2764 wrote to memory of 2712 2764 xllrffl.exe 34 PID 2712 wrote to memory of 2856 2712 bbtbbt.exe 35 PID 2712 wrote to memory of 2856 2712 bbtbbt.exe 35 PID 2712 wrote to memory of 2856 2712 bbtbbt.exe 35 PID 2712 wrote to memory of 2856 2712 bbtbbt.exe 35 PID 2856 wrote to memory of 2884 2856 jdvjd.exe 36 PID 2856 wrote to memory of 2884 2856 jdvjd.exe 36 PID 2856 wrote to memory of 2884 2856 jdvjd.exe 36 PID 2856 wrote to memory of 2884 2856 jdvjd.exe 36 PID 2884 wrote to memory of 2100 2884 3nbbnt.exe 37 PID 2884 wrote to memory of 2100 2884 3nbbnt.exe 37 PID 2884 wrote to memory of 2100 2884 3nbbnt.exe 37 PID 2884 wrote to memory of 2100 2884 3nbbnt.exe 37 PID 2100 wrote to memory of 2744 2100 ffxfrfr.exe 38 PID 2100 wrote to memory of 2744 2100 ffxfrfr.exe 38 PID 2100 wrote to memory of 2744 2100 ffxfrfr.exe 38 PID 2100 wrote to memory of 2744 2100 ffxfrfr.exe 38 PID 2744 wrote to memory of 2568 2744 tnntnn.exe 39 
PID 2744 wrote to memory of 2568 2744 tnntnn.exe 39 PID 2744 wrote to memory of 2568 2744 tnntnn.exe 39 PID 2744 wrote to memory of 2568 2744 tnntnn.exe 39 PID 2568 wrote to memory of 2200 2568 dvpvj.exe 40 PID 2568 wrote to memory of 2200 2568 dvpvj.exe 40 PID 2568 wrote to memory of 2200 2568 dvpvj.exe 40 PID 2568 wrote to memory of 2200 2568 dvpvj.exe 40 PID 2200 wrote to memory of 1252 2200 3rlrrrx.exe 41 PID 2200 wrote to memory of 1252 2200 3rlrrrx.exe 41 PID 2200 wrote to memory of 1252 2200 3rlrrrx.exe 41 PID 2200 wrote to memory of 1252 2200 3rlrrrx.exe 41 PID 1252 wrote to memory of 2908 1252 htnnnh.exe 42 PID 1252 wrote to memory of 2908 1252 htnnnh.exe 42 PID 1252 wrote to memory of 2908 1252 htnnnh.exe 42 PID 1252 wrote to memory of 2908 1252 htnnnh.exe 42 PID 2908 wrote to memory of 1984 2908 jvppv.exe 43 PID 2908 wrote to memory of 1984 2908 jvppv.exe 43 PID 2908 wrote to memory of 1984 2908 jvppv.exe 43 PID 2908 wrote to memory of 1984 2908 jvppv.exe 43 PID 1984 wrote to memory of 2972 1984 nhnhnb.exe 44 PID 1984 wrote to memory of 2972 1984 nhnhnb.exe 44 PID 1984 wrote to memory of 2972 1984 nhnhnb.exe 44 PID 1984 wrote to memory of 2972 1984 nhnhnb.exe 44 PID 2972 wrote to memory of 772 2972 jvjvv.exe 45 PID 2972 wrote to memory of 772 2972 jvjvv.exe 45 PID 2972 wrote to memory of 772 2972 jvjvv.exe 45 PID 2972 wrote to memory of 772 2972 jvjvv.exe 45 PID 772 wrote to memory of 1564 772 9rllfrx.exe 46 PID 772 wrote to memory of 1564 772 9rllfrx.exe 46 PID 772 wrote to memory of 1564 772 9rllfrx.exe 46 PID 772 wrote to memory of 1564 772 9rllfrx.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe"C:\Users\Admin\AppData\Local\Temp\8d1c452e708557ca7447f501297153aac3554b7135b5e658282e19520bbda78cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\ffrllrf.exec:\ffrllrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\nnbtnt.exec:\nnbtnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\xllrffl.exec:\xllrffl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\bbtbbt.exec:\bbtbbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\jdvjd.exec:\jdvjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\3nbbnt.exec:\3nbbnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\ffxfrfr.exec:\ffxfrfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\tnntnn.exec:\tnntnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\dvpvj.exec:\dvpvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\3rlrrrx.exec:\3rlrrrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\htnnnh.exec:\htnnnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\jvppv.exec:\jvppv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\nhnhnb.exec:\nhnhnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\jvjvv.exec:\jvjvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\9rllfrx.exec:\9rllfrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\httbbb.exec:\httbbb.exe17⤵
- Executes dropped EXE
PID:1564 -
\??\c:\5dvdj.exec:\5dvdj.exe18⤵
- Executes dropped EXE
PID:1296 -
\??\c:\lfllrrx.exec:\lfllrrx.exe19⤵
- Executes dropped EXE
PID:2424 -
\??\c:\pdvdp.exec:\pdvdp.exe20⤵
- Executes dropped EXE
PID:1672 -
\??\c:\vpjjp.exec:\vpjjp.exe21⤵
- Executes dropped EXE
PID:1356 -
\??\c:\7lxxlrf.exec:\7lxxlrf.exe22⤵
- Executes dropped EXE
PID:2028 -
\??\c:\thttnh.exec:\thttnh.exe23⤵
- Executes dropped EXE
PID:1840 -
\??\c:\rfrrrrr.exec:\rfrrrrr.exe24⤵
- Executes dropped EXE
PID:956 -
\??\c:\rrllrrf.exec:\rrllrrf.exe25⤵
- Executes dropped EXE
PID:1600 -
\??\c:\tnbbbb.exec:\tnbbbb.exe26⤵
- Executes dropped EXE
PID:1652 -
\??\c:\jjdpd.exec:\jjdpd.exe27⤵
- Executes dropped EXE
PID:2388 -
\??\c:\ppdjv.exec:\ppdjv.exe28⤵
- Executes dropped EXE
PID:612 -
\??\c:\bbtbnt.exec:\bbtbnt.exe29⤵
- Executes dropped EXE
PID:2160 -
\??\c:\dpjjj.exec:\dpjjj.exe30⤵
- Executes dropped EXE
PID:1688 -
\??\c:\3lfllfl.exec:\3lfllfl.exe31⤵
- Executes dropped EXE
PID:2064 -
\??\c:\vjddd.exec:\vjddd.exe32⤵
- Executes dropped EXE
PID:2656 -
\??\c:\llxrflf.exec:\llxrflf.exe33⤵
- Executes dropped EXE
PID:2320 -
\??\c:\hhhbnn.exec:\hhhbnn.exe34⤵
- Executes dropped EXE
PID:1584 -
\??\c:\9ttbhh.exec:\9ttbhh.exe35⤵
- Executes dropped EXE
PID:1796 -
\??\c:\pppvj.exec:\pppvj.exe36⤵
- Executes dropped EXE
PID:2720 -
\??\c:\5rrxrrl.exec:\5rrxrrl.exe37⤵
- Executes dropped EXE
PID:2148 -
\??\c:\hhbtbn.exec:\hhbtbn.exe38⤵
- Executes dropped EXE
PID:2724 -
\??\c:\hbnhnh.exec:\hbnhnh.exe39⤵
- Executes dropped EXE
PID:2852 -
\??\c:\1pdjj.exec:\1pdjj.exe40⤵
- Executes dropped EXE
PID:2716 -
\??\c:\vdvvj.exec:\vdvvj.exe41⤵
- Executes dropped EXE
PID:2248 -
\??\c:\fxrllfx.exec:\fxrllfx.exe42⤵
- Executes dropped EXE
PID:2684 -
\??\c:\htthnn.exec:\htthnn.exe43⤵
- Executes dropped EXE
PID:2736 -
\??\c:\bbthbb.exec:\bbthbb.exe44⤵
- Executes dropped EXE
PID:2572 -
\??\c:\vppvj.exec:\vppvj.exe45⤵
- Executes dropped EXE
PID:2408 -
\??\c:\xlxlrrx.exec:\xlxlrrx.exe46⤵
- Executes dropped EXE
PID:2640 -
\??\c:\1xfffxf.exec:\1xfffxf.exe47⤵
- Executes dropped EXE
PID:1624 -
\??\c:\3bbttb.exec:\3bbttb.exe48⤵
- Executes dropped EXE
PID:640 -
\??\c:\3jppd.exec:\3jppd.exe49⤵
- Executes dropped EXE
PID:1964 -
\??\c:\jpppv.exec:\jpppv.exe50⤵
- Executes dropped EXE
PID:2872 -
\??\c:\3xffllr.exec:\3xffllr.exe51⤵
- Executes dropped EXE
PID:2660 -
\??\c:\nhttbt.exec:\nhttbt.exe52⤵
- Executes dropped EXE
PID:772 -
\??\c:\pdjdj.exec:\pdjdj.exe53⤵
- Executes dropped EXE
PID:1940 -
\??\c:\dpdpv.exec:\dpdpv.exe54⤵
- Executes dropped EXE
PID:1944 -
\??\c:\3xffffl.exec:\3xffffl.exe55⤵
- Executes dropped EXE
PID:2004 -
\??\c:\hnttbb.exec:\hnttbb.exe56⤵
- Executes dropped EXE
PID:796 -
\??\c:\3hhbhh.exec:\3hhbhh.exe57⤵
- Executes dropped EXE
PID:1156 -
\??\c:\vpjvp.exec:\vpjvp.exe58⤵
- Executes dropped EXE
PID:880 -
\??\c:\vvpvd.exec:\vvpvd.exe59⤵
- Executes dropped EXE
PID:1912 -
\??\c:\1xfflrx.exec:\1xfflrx.exe60⤵
- Executes dropped EXE
PID:1500 -
\??\c:\nnbtbb.exec:\nnbtbb.exe61⤵
- Executes dropped EXE
PID:1928 -
\??\c:\hhbnbh.exec:\hhbnbh.exe62⤵
- Executes dropped EXE
PID:1740 -
\??\c:\7djjv.exec:\7djjv.exe63⤵
- Executes dropped EXE
PID:840 -
\??\c:\fxllrxf.exec:\fxllrxf.exe64⤵
- Executes dropped EXE
PID:1284 -
\??\c:\bbnnnh.exec:\bbnnnh.exe65⤵
- Executes dropped EXE
PID:1100 -
\??\c:\nbhbbh.exec:\nbhbbh.exe66⤵PID:3056
-
\??\c:\7dvvd.exec:\7dvvd.exe67⤵PID:2476
-
\??\c:\lxlflfl.exec:\lxlflfl.exe68⤵PID:1788
-
\??\c:\rfxxflx.exec:\rfxxflx.exe69⤵PID:2240
-
\??\c:\tnhtbh.exec:\tnhtbh.exe70⤵PID:1188
-
\??\c:\btbthb.exec:\btbthb.exe71⤵PID:1756
-
\??\c:\dvjjj.exec:\dvjjj.exe72⤵PID:2472
-
\??\c:\xlxrffr.exec:\xlxrffr.exe73⤵PID:2032
-
\??\c:\nbnnht.exec:\nbnnht.exe74⤵PID:1560
-
\??\c:\bttbbh.exec:\bttbbh.exe75⤵PID:1808
-
\??\c:\ddpjp.exec:\ddpjp.exe76⤵PID:2888
-
\??\c:\xrffrrr.exec:\xrffrrr.exe77⤵PID:2664
-
\??\c:\xlffllr.exec:\xlffllr.exe78⤵PID:2780
-
\??\c:\hhtbhn.exec:\hhtbhn.exe79⤵PID:2280
-
\??\c:\3vpjj.exec:\3vpjj.exe80⤵PID:2704
-
\??\c:\dvjdp.exec:\dvjdp.exe81⤵PID:3004
-
\??\c:\llxrxxl.exec:\llxrxxl.exe82⤵PID:2848
-
\??\c:\fxrrrrx.exec:\fxrrrrx.exe83⤵PID:2916
-
\??\c:\hthnbb.exec:\hthnbb.exe84⤵PID:2248
-
\??\c:\nbhbhh.exec:\nbhbhh.exe85⤵PID:2636
-
\??\c:\pdpjp.exec:\pdpjp.exe86⤵PID:540
-
\??\c:\rffxffl.exec:\rffxffl.exe87⤵PID:2692
-
\??\c:\3bnhhb.exec:\3bnhhb.exe88⤵PID:2408
-
\??\c:\nhbhnt.exec:\nhbhnt.exe89⤵PID:1776
-
\??\c:\5ppjj.exec:\5ppjj.exe90⤵PID:2560
-
\??\c:\vjppp.exec:\vjppp.exe91⤵PID:2800
-
\??\c:\xrlrlrr.exec:\xrlrlrr.exe92⤵PID:2812
-
\??\c:\xrxfrxl.exec:\xrxfrxl.exe93⤵PID:1720
-
\??\c:\7ntbnn.exec:\7ntbnn.exe94⤵PID:2672
-
\??\c:\jdddp.exec:\jdddp.exe95⤵PID:772
-
\??\c:\xlxfxxx.exec:\xlxfxxx.exe96⤵PID:1940
-
\??\c:\9rlflrr.exec:\9rlflrr.exe97⤵PID:2968
-
\??\c:\1ntthn.exec:\1ntthn.exe98⤵PID:2004
-
\??\c:\jvdjd.exec:\jvdjd.exe99⤵PID:2196
-
\??\c:\dpjjj.exec:\dpjjj.exe100⤵PID:1156
-
\??\c:\lxlrffl.exec:\lxlrffl.exe101⤵PID:812
-
\??\c:\9hnhhh.exec:\9hnhhh.exe102⤵PID:2028
-
\??\c:\bnttbn.exec:\bnttbn.exe103⤵PID:1272
-
\??\c:\vjvvv.exec:\vjvvv.exe104⤵PID:588
-
\??\c:\5fllllr.exec:\5fllllr.exe105⤵PID:1612
-
\??\c:\lxfffxf.exec:\lxfffxf.exe106⤵PID:1632
-
\??\c:\bhbbnt.exec:\bhbbnt.exe107⤵PID:1284
-
\??\c:\vpppd.exec:\vpppd.exe108⤵PID:1568
-
\??\c:\jpjvp.exec:\jpjvp.exe109⤵PID:1816
-
\??\c:\fxlrxxf.exec:\fxlrxxf.exe110⤵PID:2388
-
\??\c:\nhnntn.exec:\nhnntn.exe111⤵PID:2392
-
\??\c:\7nthbb.exec:\7nthbb.exe112⤵PID:352
-
\??\c:\dpjvp.exec:\dpjvp.exe113⤵PID:1688
-
\??\c:\1fxrlff.exec:\1fxrlff.exe114⤵PID:1728
-
\??\c:\rrflrfl.exec:\rrflrfl.exe115⤵PID:2268
-
\??\c:\hhnbnn.exec:\hhnbnn.exe116⤵PID:2468
-
\??\c:\pppvj.exec:\pppvj.exe117⤵PID:1588
-
\??\c:\3rlxxrr.exec:\3rlxxrr.exe118⤵PID:2324
-
\??\c:\9llllrr.exec:\9llllrr.exe119⤵PID:2328
-
\??\c:\ntthtb.exec:\ntthtb.exe120⤵PID:2700
-
\??\c:\ppdjd.exec:\ppdjd.exe121⤵PID:2720
-
\??\c:\dpvdp.exec:\dpvdp.exe122⤵PID:2704