Analysis
-
max time kernel
120s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26/12/2024, 09:46
Static task
static1
Behavioral task
behavioral1
Sample
f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe
Resource
win7-20240903-en
General
-
Target
f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe
-
Size
456KB
-
MD5
96d736de445423e91092d64062b8c150
-
SHA1
026654d8464b98668913aa9f16807ef1d7a6ea75
-
SHA256
f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846feb
-
SHA512
2990c6e7dd161cb084fb2b0c2f05bc0e5c3872463f78c916d5b7674aa43c84248ac32adf9e2c7412e67e77566685389d1b3549a4970d3a6abdb9f7aea9b78821
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRy:q7Tc2NYHUrAwfMp3CDRy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 55 IoCs
resource yara_rule behavioral1/memory/2444-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-53-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2880-73-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2876-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-125-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1332-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-145-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2980-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/996-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/856-220-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2436-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/856-248-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1900-255-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2076-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1884-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1760-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-324-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2100-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-379-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2952-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-437-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1860-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1936-456-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1936-476-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1532-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2248-484-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2248-486-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/352-541-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2284-582-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2636-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-866-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2900-885-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2752-900-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2028-966-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1936-1014-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2616-1183-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2196 djpjd.exe 2328 llflrxl.exe 2568 hhbbth.exe 2400 dvvpj.exe 892 jjjvd.exe 2904 bbttht.exe 2880 dppjp.exe 2888 9vjpd.exe 2876 frrlrll.exe 2632 7bntnn.exe 2160 vpdpv.exe 1716 5dppp.exe 840 5xlrrrf.exe 1332 vpjvj.exe 1640 lrfrrrr.exe 2872 tbnbhb.exe 2980 pjpdj.exe 3016 hhbhbn.exe 1912 dvjpv.exe 2344 dvjpv.exe 2356 dvpdj.exe 996 bbbnnn.exe 3068 vpdjv.exe 856 3hbtbn.exe 2436 dvvvp.exe 2156 tnhnbh.exe 1376 vvpdd.exe 1900 rxxrlfr.exe 2076 hhtttb.exe 1636 fxrrxxf.exe 992 3bbtth.exe 2080 rrxlrlf.exe 2236 nnnnht.exe 2300 pjvdj.exe 1884 rllrflf.exe 1760 9hbhbb.exe 2712 dvvjv.exe 2560 xrrxfll.exe 2100 xffxlrf.exe 2580 nbthhh.exe 2956 9dvvd.exe 3036 xxrrffl.exe 2644 5hbbnn.exe 2732 3btthn.exe 2788 vdjpv.exe 2052 xrlrflr.exe 2692 1hhnbn.exe 2160 hhhnhn.exe 848 ddvjp.exe 1180 1xrxflx.exe 1200 tbttnn.exe 2352 7nhnbh.exe 2848 dvpjv.exe 2952 lxrrflr.exe 2312 tnnthn.exe 1860 jjvvv.exe 1936 9lxlxxf.exe 2184 7frrflr.exe 2140 nhnthh.exe 1532 jjdjv.exe 2248 rlxxflf.exe 1516 hbhntt.exe 304 jdvdj.exe 1712 jjjvv.exe -
resource yara_rule behavioral1/memory/2444-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-108-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/840-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/996-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-265-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2080-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-379-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2952-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-469-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1532-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-971-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-1014-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1724-1082-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-1085-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-1170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-1254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-1316-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2328-1378-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fffrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2444 wrote to memory of 2196 2444 f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe 30 PID 2444 wrote to memory of 2196 2444 f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe 30 PID 2444 wrote to memory of 2196 2444 f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe 30 PID 2444 wrote to memory of 2196 2444 f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe 30 PID 2196 wrote to memory of 2328 2196 djpjd.exe 31 PID 2196 wrote to memory of 2328 2196 djpjd.exe 31 PID 2196 wrote to memory of 2328 2196 djpjd.exe 31 PID 2196 wrote to memory of 2328 2196 djpjd.exe 31 PID 2328 wrote to memory of 2568 2328 llflrxl.exe 32 PID 2328 wrote to memory of 2568 2328 llflrxl.exe 32 PID 2328 wrote to memory of 2568 2328 llflrxl.exe 32 PID 2328 wrote to memory of 2568 2328 llflrxl.exe 32 PID 2568 wrote to memory of 2400 2568 hhbbth.exe 33 PID 2568 wrote to memory of 2400 2568 hhbbth.exe 33 PID 2568 wrote to memory of 2400 2568 hhbbth.exe 33 PID 2568 wrote to memory of 2400 2568 hhbbth.exe 33 PID 2400 wrote to memory of 892 2400 dvvpj.exe 34 PID 2400 wrote to memory of 892 2400 dvvpj.exe 34 PID 2400 wrote to memory of 892 2400 dvvpj.exe 34 PID 2400 wrote to memory of 892 2400 dvvpj.exe 34 PID 892 wrote to memory of 2904 892 jjjvd.exe 35 PID 892 wrote to memory of 2904 892 jjjvd.exe 35 PID 892 wrote to memory of 2904 892 jjjvd.exe 35 PID 892 wrote to memory of 2904 892 jjjvd.exe 35 PID 2904 wrote to memory of 2880 2904 bbttht.exe 36 PID 2904 wrote to memory of 2880 2904 bbttht.exe 36 PID 2904 wrote to memory of 2880 2904 bbttht.exe 36 PID 2904 wrote to memory of 2880 2904 bbttht.exe 36 PID 2880 wrote to memory of 2888 2880 dppjp.exe 37 PID 2880 wrote to memory of 2888 2880 dppjp.exe 37 PID 2880 wrote to memory of 2888 2880 dppjp.exe 37 PID 2880 wrote to memory of 2888 2880 dppjp.exe 37 PID 2888 wrote to memory of 2876 2888 9vjpd.exe 38 PID 2888 wrote to memory of 2876 
2888 9vjpd.exe 38 PID 2888 wrote to memory of 2876 2888 9vjpd.exe 38 PID 2888 wrote to memory of 2876 2888 9vjpd.exe 38 PID 2876 wrote to memory of 2632 2876 frrlrll.exe 39 PID 2876 wrote to memory of 2632 2876 frrlrll.exe 39 PID 2876 wrote to memory of 2632 2876 frrlrll.exe 39 PID 2876 wrote to memory of 2632 2876 frrlrll.exe 39 PID 2632 wrote to memory of 2160 2632 7bntnn.exe 40 PID 2632 wrote to memory of 2160 2632 7bntnn.exe 40 PID 2632 wrote to memory of 2160 2632 7bntnn.exe 40 PID 2632 wrote to memory of 2160 2632 7bntnn.exe 40 PID 2160 wrote to memory of 1716 2160 vpdpv.exe 41 PID 2160 wrote to memory of 1716 2160 vpdpv.exe 41 PID 2160 wrote to memory of 1716 2160 vpdpv.exe 41 PID 2160 wrote to memory of 1716 2160 vpdpv.exe 41 PID 1716 wrote to memory of 840 1716 5dppp.exe 42 PID 1716 wrote to memory of 840 1716 5dppp.exe 42 PID 1716 wrote to memory of 840 1716 5dppp.exe 42 PID 1716 wrote to memory of 840 1716 5dppp.exe 42 PID 840 wrote to memory of 1332 840 5xlrrrf.exe 43 PID 840 wrote to memory of 1332 840 5xlrrrf.exe 43 PID 840 wrote to memory of 1332 840 5xlrrrf.exe 43 PID 840 wrote to memory of 1332 840 5xlrrrf.exe 43 PID 1332 wrote to memory of 1640 1332 vpjvj.exe 44 PID 1332 wrote to memory of 1640 1332 vpjvj.exe 44 PID 1332 wrote to memory of 1640 1332 vpjvj.exe 44 PID 1332 wrote to memory of 1640 1332 vpjvj.exe 44 PID 1640 wrote to memory of 2872 1640 lrfrrrr.exe 45 PID 1640 wrote to memory of 2872 1640 lrfrrrr.exe 45 PID 1640 wrote to memory of 2872 1640 lrfrrrr.exe 45 PID 1640 wrote to memory of 2872 1640 lrfrrrr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe"C:\Users\Admin\AppData\Local\Temp\f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\djpjd.exec:\djpjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\llflrxl.exec:\llflrxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\hhbbth.exec:\hhbbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\dvvpj.exec:\dvvpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\jjjvd.exec:\jjjvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
\??\c:\bbttht.exec:\bbttht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\dppjp.exec:\dppjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\9vjpd.exec:\9vjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\frrlrll.exec:\frrlrll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\7bntnn.exec:\7bntnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\vpdpv.exec:\vpdpv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\5dppp.exec:\5dppp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\5xlrrrf.exec:\5xlrrrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\vpjvj.exec:\vpjvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\lrfrrrr.exec:\lrfrrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\tbnbhb.exec:\tbnbhb.exe17⤵
- Executes dropped EXE
PID:2872 -
\??\c:\pjpdj.exec:\pjpdj.exe18⤵
- Executes dropped EXE
PID:2980 -
\??\c:\hhbhbn.exec:\hhbhbn.exe19⤵
- Executes dropped EXE
PID:3016 -
\??\c:\dvjpv.exec:\dvjpv.exe20⤵
- Executes dropped EXE
PID:1912 -
\??\c:\dvjpv.exec:\dvjpv.exe21⤵
- Executes dropped EXE
PID:2344 -
\??\c:\dvpdj.exec:\dvpdj.exe22⤵
- Executes dropped EXE
PID:2356 -
\??\c:\bbbnnn.exec:\bbbnnn.exe23⤵
- Executes dropped EXE
PID:996 -
\??\c:\vpdjv.exec:\vpdjv.exe24⤵
- Executes dropped EXE
PID:3068 -
\??\c:\3hbtbn.exec:\3hbtbn.exe25⤵
- Executes dropped EXE
PID:856 -
\??\c:\dvvvp.exec:\dvvvp.exe26⤵
- Executes dropped EXE
PID:2436 -
\??\c:\tnhnbh.exec:\tnhnbh.exe27⤵
- Executes dropped EXE
PID:2156 -
\??\c:\vvpdd.exec:\vvpdd.exe28⤵
- Executes dropped EXE
PID:1376 -
\??\c:\rxxrlfr.exec:\rxxrlfr.exe29⤵
- Executes dropped EXE
PID:1900 -
\??\c:\hhtttb.exec:\hhtttb.exe30⤵
- Executes dropped EXE
PID:2076 -
\??\c:\fxrrxxf.exec:\fxrrxxf.exe31⤵
- Executes dropped EXE
PID:1636 -
\??\c:\3bbtth.exec:\3bbtth.exe32⤵
- Executes dropped EXE
PID:992 -
\??\c:\rrxlrlf.exec:\rrxlrlf.exe33⤵
- Executes dropped EXE
PID:2080 -
\??\c:\nnnnht.exec:\nnnnht.exe34⤵
- Executes dropped EXE
PID:2236 -
\??\c:\pjvdj.exec:\pjvdj.exe35⤵
- Executes dropped EXE
PID:2300 -
\??\c:\rllrflf.exec:\rllrflf.exe36⤵
- Executes dropped EXE
PID:1884 -
\??\c:\9hbhbb.exec:\9hbhbb.exe37⤵
- Executes dropped EXE
PID:1760 -
\??\c:\dvvjv.exec:\dvvjv.exe38⤵
- Executes dropped EXE
PID:2712 -
\??\c:\xrrxfll.exec:\xrrxfll.exe39⤵
- Executes dropped EXE
PID:2560 -
\??\c:\xffxlrf.exec:\xffxlrf.exe40⤵
- Executes dropped EXE
PID:2100 -
\??\c:\nbthhh.exec:\nbthhh.exe41⤵
- Executes dropped EXE
PID:2580 -
\??\c:\9dvvd.exec:\9dvvd.exe42⤵
- Executes dropped EXE
PID:2956 -
\??\c:\xxrrffl.exec:\xxrrffl.exe43⤵
- Executes dropped EXE
PID:3036 -
\??\c:\5hbbnn.exec:\5hbbnn.exe44⤵
- Executes dropped EXE
PID:2644 -
\??\c:\3btthn.exec:\3btthn.exe45⤵
- Executes dropped EXE
PID:2732 -
\??\c:\vdjpv.exec:\vdjpv.exe46⤵
- Executes dropped EXE
PID:2788 -
\??\c:\xrlrflr.exec:\xrlrflr.exe47⤵
- Executes dropped EXE
PID:2052 -
\??\c:\1hhnbn.exec:\1hhnbn.exe48⤵
- Executes dropped EXE
PID:2692 -
\??\c:\hhhnhn.exec:\hhhnhn.exe49⤵
- Executes dropped EXE
PID:2160 -
\??\c:\ddvjp.exec:\ddvjp.exe50⤵
- Executes dropped EXE
PID:848 -
\??\c:\1xrxflx.exec:\1xrxflx.exe51⤵
- Executes dropped EXE
PID:1180 -
\??\c:\tbttnn.exec:\tbttnn.exe52⤵
- Executes dropped EXE
PID:1200 -
\??\c:\7nhnbh.exec:\7nhnbh.exe53⤵
- Executes dropped EXE
PID:2352 -
\??\c:\dvpjv.exec:\dvpjv.exe54⤵
- Executes dropped EXE
PID:2848 -
\??\c:\lxrrflr.exec:\lxrrflr.exe55⤵
- Executes dropped EXE
PID:2952 -
\??\c:\tnnthn.exec:\tnnthn.exe56⤵
- Executes dropped EXE
PID:2312 -
\??\c:\jjvvv.exec:\jjvvv.exe57⤵
- Executes dropped EXE
PID:1860 -
\??\c:\9lxlxxf.exec:\9lxlxxf.exe58⤵
- Executes dropped EXE
PID:1936 -
\??\c:\7frrflr.exec:\7frrflr.exe59⤵
- Executes dropped EXE
PID:2184 -
\??\c:\nhnthh.exec:\nhnthh.exe60⤵
- Executes dropped EXE
PID:2140 -
\??\c:\jjdjv.exec:\jjdjv.exe61⤵
- Executes dropped EXE
PID:1532 -
\??\c:\rlxxflf.exec:\rlxxflf.exe62⤵
- Executes dropped EXE
PID:2248 -
\??\c:\hbhntt.exec:\hbhntt.exe63⤵
- Executes dropped EXE
PID:1516 -
\??\c:\jdvdj.exec:\jdvdj.exe64⤵
- Executes dropped EXE
PID:304 -
\??\c:\jjjvv.exec:\jjjvv.exe65⤵
- Executes dropped EXE
PID:1712 -
\??\c:\1rflxxx.exec:\1rflxxx.exe66⤵PID:2436
-
\??\c:\hnnbnb.exec:\hnnbnb.exe67⤵PID:1660
-
\??\c:\jpddv.exec:\jpddv.exe68⤵PID:1536
-
\??\c:\vvvvd.exec:\vvvvd.exe69⤵PID:2756
-
\??\c:\rlfxrxl.exec:\rlfxrxl.exe70⤵PID:2376
-
\??\c:\btnbnn.exec:\btnbnn.exe71⤵PID:352
-
\??\c:\nntbhh.exec:\nntbhh.exe72⤵PID:2456
-
\??\c:\7dppj.exec:\7dppj.exe73⤵PID:2588
-
\??\c:\xlrlffr.exec:\xlrlffr.exe74⤵PID:888
-
\??\c:\9hbbhh.exec:\9hbbhh.exe75⤵PID:1960
-
\??\c:\1vpvd.exec:\1vpvd.exe76⤵PID:2444
-
\??\c:\ppdpd.exec:\ppdpd.exe77⤵PID:2388
-
\??\c:\7lfrxfx.exec:\7lfrxfx.exe78⤵PID:2284
-
\??\c:\nhbbhn.exec:\nhbbhn.exe79⤵PID:1588
-
\??\c:\dpddp.exec:\dpddp.exe80⤵PID:2120
-
\??\c:\jdppv.exec:\jdppv.exe81⤵PID:1748
-
\??\c:\lfrrxfx.exec:\lfrrxfx.exe82⤵PID:2164
-
\??\c:\bbtbhn.exec:\bbtbhn.exe83⤵PID:2768
-
\??\c:\7vjjj.exec:\7vjjj.exe84⤵PID:892
-
\??\c:\jdvdp.exec:\jdvdp.exe85⤵PID:2896
-
\??\c:\xxffrrf.exec:\xxffrrf.exe86⤵PID:2776
-
\??\c:\bbtbnn.exec:\bbtbnn.exe87⤵PID:2976
-
\??\c:\7jdpd.exec:\7jdpd.exe88⤵PID:2984
-
\??\c:\jdpvv.exec:\jdpvv.exe89⤵PID:2636
-
\??\c:\fxrfrxl.exec:\fxrfrxl.exe90⤵PID:2324
-
\??\c:\9btbth.exec:\9btbth.exe91⤵PID:2404
-
\??\c:\jdvpv.exec:\jdvpv.exe92⤵PID:2332
-
\??\c:\1frrlrr.exec:\1frrlrr.exe93⤵PID:1464
-
\??\c:\7nbhbt.exec:\7nbhbt.exe94⤵PID:2852
-
\??\c:\1ntbhn.exec:\1ntbhn.exe95⤵PID:2472
-
\??\c:\1vvjv.exec:\1vvjv.exe96⤵PID:1996
-
\??\c:\lllrxfr.exec:\lllrxfr.exe97⤵PID:2828
-
\??\c:\lfflrxf.exec:\lfflrxf.exe98⤵PID:2824
-
\??\c:\bthtbn.exec:\bthtbn.exe99⤵PID:2980
-
\??\c:\dddpv.exec:\dddpv.exe100⤵PID:2212
-
\??\c:\rxrxlrl.exec:\rxrxlrl.exe101⤵PID:2372
-
\??\c:\rrlrlrf.exec:\rrlrlrf.exe102⤵PID:1888
-
\??\c:\nnhthn.exec:\nnhthn.exe103⤵PID:340
-
\??\c:\ppppd.exec:\ppppd.exe104⤵PID:2140
-
\??\c:\1fxxxxr.exec:\1fxxxxr.exe105⤵PID:448
-
\??\c:\xxfrflf.exec:\xxfrflf.exe106⤵PID:292
-
\??\c:\nhbhtb.exec:\nhbhtb.exe107⤵PID:1300
-
\??\c:\5vdjv.exec:\5vdjv.exe108⤵PID:856
-
\??\c:\ffrfrrl.exec:\ffrfrrl.exe109⤵PID:316
-
\??\c:\1lxxlrl.exec:\1lxxlrl.exe110⤵PID:276
-
\??\c:\3bbhbh.exec:\3bbhbh.exe111⤵PID:616
-
\??\c:\xxflxrx.exec:\xxflxrx.exe112⤵PID:952
-
\??\c:\nnbbht.exec:\nnbbht.exe113⤵PID:1784
-
\??\c:\dppdj.exec:\dppdj.exe114⤵PID:1524
-
\??\c:\1jdvd.exec:\1jdvd.exe115⤵PID:1704
-
\??\c:\lffrxfl.exec:\lffrxfl.exe116⤵PID:1360
-
\??\c:\btnthn.exec:\btnthn.exe117⤵PID:564
-
\??\c:\jdjjv.exec:\jdjjv.exe118⤵PID:668
-
\??\c:\lfxfrrl.exec:\lfxfrrl.exe119⤵PID:2412
-
\??\c:\9nhhbb.exec:\9nhhbb.exe120⤵PID:2196
-
\??\c:\bhbbhh.exec:\bhbbhh.exe121⤵
- System Location Discovery: System Language Discovery
PID:2572 -
\??\c:\5jddj.exec:\5jddj.exe122⤵PID:2340
-