Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2025, 08:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: 55aca179630121446d7c6232471b1110570eaa9229798d8f160d739595fa7e42N.exe
- Resource: win7-20241010-en
General
- Target: 55aca179630121446d7c6232471b1110570eaa9229798d8f160d739595fa7e42N.exe
- Size: 454KB
- MD5: 3544bd24433cf4d1011efdb9a30bff00
- SHA1: a7d91411e8569e1b5de61628ec2964795fffa201
- SHA256: 55aca179630121446d7c6232471b1110570eaa9229798d8f160d739595fa7e42
- SHA512: ecb56028daa1571f194aed33fe5d2ef76de81fad07a90ba9512454f83b26c1314412e2b5e3159e45f8f74421eede94a1ce01c3742b5995864e5be1ba524978ef
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (43 IoCs)
  resource  yara_rule
  behavioral1/memory/2660-8-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/3008-17-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2932-31-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/780-28-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2408-48-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
  behavioral1/memory/2408-49-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2884-66-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2724-75-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
  behavioral1/memory/2356-85-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2700-137-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/3060-128-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2224-125-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2356-116-0x00000000003A0000-0x00000000003CA000-memory.dmp  family_blackmoon
  behavioral1/memory/1580-115-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1580-113-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
  behavioral1/memory/2900-160-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1148-169-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2096-195-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/456-240-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1556-256-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2680-283-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1004-292-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2656-301-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2288-314-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2804-321-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2980-329-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2876-364-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2768-378-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2500-437-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
  behavioral1/memory/540-451-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/540-452-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
  behavioral1/memory/1768-472-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2216-503-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2216-504-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
  behavioral1/memory/2620-518-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1944-540-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1556-553-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2932-625-0x00000000003B0000-0x00000000003DA000-memory.dmp  family_blackmoon
  behavioral1/memory/2832-681-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
  behavioral1/memory/1260-731-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
  behavioral1/memory/2604-823-0x0000000000250000-0x000000000027A000-memory.dmp  family_blackmoon
  behavioral1/memory/1944-850-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
  behavioral1/memory/2648-864-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
- Executes dropped EXE (64 IoCs)
  pid  Process
  3008 rffft.exe, 780 ltnhr.exe, 2932 lntrp.exe, 2408 djhvd.exe, 2572 xlnjj.exe, 2884 ndhpf.exe, 2724 dtdftp.exe, 2356 htvrl.exe,
  1660 ffppll.exe, 2068 fpjbx.exe, 1580 bbbhv.exe, 2224 brhdpln.exe, 3060 hdrbnr.exe, 2700 xrxvjnv.exe, 2016 bpnxl.exe, 2900 rbnft.exe,
  1148 nvvrjpb.exe, 1768 thtfj.exe, 2244 rbtfr.exe, 2096 nvvjtxx.exe, 2684 vnrft.exe, 848 jnlrhd.exe, 2620 txxll.exe, 1712 rdpvhhx.exe,
  1244 trrhf.exe, 456 tjfxff.exe, 1556 jrbvhj.exe, 1724 fndfbx.exe, 1988 vprphb.exe, 2680 rnfvvd.exe, 1004 hhxxtd.exe, 2656 pjnrb.exe,
  1620 bhjbt.exe, 2288 hfhdd.exe, 2804 dvfvbln.exe, 2980 vbfjpv.exe, 1184 hlrvrx.exe, 2820 fndftd.exe, 2864 tdxxdrh.exe, 2940 vrffb.exe,
  2876 jvtxhdn.exe, 2924 hvxrt.exe, 2768 vntprv.exe, 2728 xxdxjh.exe, 2356 rdtnf.exe, 2100 vvrbtt.exe, 2396 xxtfh.exe, 1584 xbbjlv.exe,
  2500 hlrxvvr.exe, 3040 dplrpxx.exe, 2064 hlnljvp.exe, 2952 jnrhr.exe, 2764 bjrrllv.exe, 540 tnfpt.exe, 1448 rtpvrxv.exe, 1996 xnpdllv.exe,
  1148 lpblptb.exe, 1768 rlvxlf.exe, 2480 pjjvdpr.exe, 2088 dnjpd.exe, 368 bpxtr.exe, 2216 blrhb.exe, 2652 tbplnfx.exe, 2620 vjptrlt.exe
- yara rule matches: upx (51 memory dumps)
  resource  yara_rule
  behavioral1/memory/2660-1-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2660-8-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/3008-17-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/780-19-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2932-31-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/780-30-0x0000000000320000-0x000000000034A000-memory.dmp  upx
  behavioral1/memory/780-28-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2408-39-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2408-49-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2884-66-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/780-68-0x0000000000320000-0x000000000034A000-memory.dmp  upx
  behavioral1/memory/2356-85-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2700-137-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/3060-128-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2224-125-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2224-117-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1580-115-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2900-160-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1148-169-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2096-195-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/848-205-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/456-240-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1556-256-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2680-283-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1004-292-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2656-301-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2288-314-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2804-321-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2980-329-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2820-338-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2940-351-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2924-365-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2876-364-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2768-378-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1584-403-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/540-451-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1768-472-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2216-503-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2620-518-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1944-533-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1944-540-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1556-553-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/572-561-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2556-560-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2656-587-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1604-612-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1616-733-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2188-746-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2220-783-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2648-864-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2816-879-0x0000000000400000-0x000000000042A000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process (64 entries, in the order reported; "Process not Found" means the sandbox could not resolve the process):
  xrtnpbv.exe, ldhvv.exe, tbnlnt.exe, lxfjfv.exe, dtbfl.exe, Process not Found, fpnlp.exe, Process not Found,
  vbfjpv.exe, ffxrh.exe, Process not Found, Process not Found, Process not Found, Process not Found, ptjvj.exe, fftbrnx.exe,
  ffvnxv.exe, tdhvtl.exe, Process not Found, bxnrfrv.exe, xdrrdh.exe, nprntn.exe, jdlntfp.exe, Process not Found,
  Process not Found, Process not Found, fpjbx.exe, nfndvr.exe, tbntxj.exe, dnnnbd.exe, xxpjd.exe, Process not Found,
  npttlp.exe, bbtbjjx.exe, vtdttl.exe, Process not Found, Process not Found, Process not Found, pphptx.exe, ttfljxd.exe,
  Process not Found, Process not Found, Process not Found, Process not Found, Process not Found, Process not Found, pnfndnj.exe, jdtxf.exe,
  fflfxjp.exe, btjfnbt.exe, fbvptb.exe, jfbrrd.exe, Process not Found, Process not Found, Process not Found, lpblptb.exe,
  hltbd.exe, bbxfjlp.exe, ftrvbp.exe, rttpt.exe, Process not Found, vvnrpft.exe, jxfdpt.exe, jtvtr.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description  (pid, Process, procid_target); each edge is reported 4 times in the original, giving 16 parent-to-child edges
  PID 2660 wrote to memory of 3008  (2660, 55aca179630121446d7c6232471b1110570eaa9229798d8f160d739595fa7e42N.exe, 29)  x4
  PID 3008 wrote to memory of 780  (3008, rffft.exe, 30)  x4
  PID 780 wrote to memory of 2932  (780, ltnhr.exe, 31)  x4
  PID 2932 wrote to memory of 2408  (2932, lntrp.exe, 32)  x4
  PID 2408 wrote to memory of 2572  (2408, djhvd.exe, 33)  x4
  PID 2572 wrote to memory of 2884  (2572, xlnjj.exe, 34)  x4
  PID 2884 wrote to memory of 2724  (2884, ndhpf.exe, 35)  x4
  PID 2724 wrote to memory of 2356  (2724, dtdftp.exe, 36)  x4
  PID 2356 wrote to memory of 1660  (2356, htvrl.exe, 37)  x4
  PID 1660 wrote to memory of 2068  (1660, ffppll.exe, 38)  x4
  PID 2068 wrote to memory of 1580  (2068, fpjbx.exe, 39)  x4
  PID 1580 wrote to memory of 2224  (1580, bbbhv.exe, 40)  x4
  PID 2224 wrote to memory of 3060  (2224, brhdpln.exe, 41)  x4
  PID 3060 wrote to memory of 2700  (3060, hdrbnr.exe, 42)  x4
  PID 2700 wrote to memory of 2016  (2700, xrxvjnv.exe, 43)  x4
  PID 2016 wrote to memory of 2900  (2016, bpnxl.exe, 44)  x4
Processes
Each entry gives the process tree level in brackets, the PID, the image path, the command line, and the signatures matched by that process. Every process is the child of the one listed before it (a single chain of 122 processes).
- [1] PID 2660  C:\Users\Admin\AppData\Local\Temp\55aca179630121446d7c6232471b1110570eaa9229798d8f160d739595fa7e42N.exe  command line: "C:\Users\Admin\AppData\Local\Temp\55aca179630121446d7c6232471b1110570eaa9229798d8f160d739595fa7e42N.exe"  Suspicious use of WriteProcessMemory
- [2] PID 3008  \??\c:\rffft.exe  command line: c:\rffft.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
- [3] PID 780  \??\c:\ltnhr.exe  command line: c:\ltnhr.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
- [4] PID 2932  \??\c:\lntrp.exe  command line: c:\lntrp.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
- [5] PID 2408  \??\c:\djhvd.exe  command line: c:\djhvd.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
- [6] PID 2572  \??\c:\xlnjj.exe  command line: c:\xlnjj.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
- [7] PID 2884  \??\c:\ndhpf.exe  command line: c:\ndhpf.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
- [8] PID 2724  \??\c:\dtdftp.exe  command line: c:\dtdftp.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
- [9] PID 2356  \??\c:\htvrl.exe  command line: c:\htvrl.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
- [10] PID 1660  \??\c:\ffppll.exe  command line: c:\ffppll.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
- [11] PID 2068  \??\c:\fpjbx.exe  command line: c:\fpjbx.exe  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- [12] PID 1580  \??\c:\bbbhv.exe  command line: c:\bbbhv.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
- [13] PID 2224  \??\c:\brhdpln.exe  command line: c:\brhdpln.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
- [14] PID 3060  \??\c:\hdrbnr.exe  command line: c:\hdrbnr.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
- [15] PID 2700  \??\c:\xrxvjnv.exe  command line: c:\xrxvjnv.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
- [16] PID 2016  \??\c:\bpnxl.exe  command line: c:\bpnxl.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
- [17] PID 2900  \??\c:\rbnft.exe  command line: c:\rbnft.exe  Executes dropped EXE
- [18] PID 1148  \??\c:\nvvrjpb.exe  command line: c:\nvvrjpb.exe  Executes dropped EXE
- [19] PID 1768  \??\c:\thtfj.exe  command line: c:\thtfj.exe  Executes dropped EXE
- [20] PID 2244  \??\c:\rbtfr.exe  command line: c:\rbtfr.exe  Executes dropped EXE
- [21] PID 2096  \??\c:\nvvjtxx.exe  command line: c:\nvvjtxx.exe  Executes dropped EXE
- [22] PID 2684  \??\c:\vnrft.exe  command line: c:\vnrft.exe  Executes dropped EXE
- [23] PID 848  \??\c:\jnlrhd.exe  command line: c:\jnlrhd.exe  Executes dropped EXE
- [24] PID 2620  \??\c:\txxll.exe  command line: c:\txxll.exe  Executes dropped EXE
- [25] PID 1712  \??\c:\rdpvhhx.exe  command line: c:\rdpvhhx.exe  Executes dropped EXE
- [26] PID 1244  \??\c:\trrhf.exe  command line: c:\trrhf.exe  Executes dropped EXE
- [27] PID 456  \??\c:\tjfxff.exe  command line: c:\tjfxff.exe  Executes dropped EXE
- [28] PID 1556  \??\c:\jrbvhj.exe  command line: c:\jrbvhj.exe  Executes dropped EXE
- [29] PID 1724  \??\c:\fndfbx.exe  command line: c:\fndfbx.exe  Executes dropped EXE
- [30] PID 1988  \??\c:\vprphb.exe  command line: c:\vprphb.exe  Executes dropped EXE
- [31] PID 2680  \??\c:\rnfvvd.exe  command line: c:\rnfvvd.exe  Executes dropped EXE
- [32] PID 1004  \??\c:\hhxxtd.exe  command line: c:\hhxxtd.exe  Executes dropped EXE
- [33] PID 2656  \??\c:\pjnrb.exe  command line: c:\pjnrb.exe  Executes dropped EXE
- [34] PID 1620  \??\c:\bhjbt.exe  command line: c:\bhjbt.exe  Executes dropped EXE
- [35] PID 2288  \??\c:\hfhdd.exe  command line: c:\hfhdd.exe  Executes dropped EXE
- [36] PID 2804  \??\c:\dvfvbln.exe  command line: c:\dvfvbln.exe  Executes dropped EXE
- [37] PID 2980  \??\c:\vbfjpv.exe  command line: c:\vbfjpv.exe  Executes dropped EXE; System Location Discovery: System Language Discovery
- [38] PID 1184  \??\c:\hlrvrx.exe  command line: c:\hlrvrx.exe  Executes dropped EXE
- [39] PID 2820  \??\c:\fndftd.exe  command line: c:\fndftd.exe  Executes dropped EXE
- [40] PID 2864  \??\c:\tdxxdrh.exe  command line: c:\tdxxdrh.exe  Executes dropped EXE
- [41] PID 2940  \??\c:\vrffb.exe  command line: c:\vrffb.exe  Executes dropped EXE
- [42] PID 2876  \??\c:\jvtxhdn.exe  command line: c:\jvtxhdn.exe  Executes dropped EXE
- [43] PID 2924  \??\c:\hvxrt.exe  command line: c:\hvxrt.exe  Executes dropped EXE
- [44] PID 2768  \??\c:\vntprv.exe  command line: c:\vntprv.exe  Executes dropped EXE
- [45] PID 2728  \??\c:\xxdxjh.exe  command line: c:\xxdxjh.exe  Executes dropped EXE
- [46] PID 2356  \??\c:\rdtnf.exe  command line: c:\rdtnf.exe  Executes dropped EXE
- [47] PID 2100  \??\c:\vvrbtt.exe  command line: c:\vvrbtt.exe  Executes dropped EXE
- [48] PID 2396  \??\c:\xxtfh.exe  command line: c:\xxtfh.exe  Executes dropped EXE
- [49] PID 1584  \??\c:\xbbjlv.exe  command line: c:\xbbjlv.exe  Executes dropped EXE
- [50] PID 2500  \??\c:\hlrxvvr.exe  command line: c:\hlrxvvr.exe  Executes dropped EXE
- [51] PID 3040  \??\c:\dplrpxx.exe  command line: c:\dplrpxx.exe  Executes dropped EXE
- [52] PID 2064  \??\c:\hlnljvp.exe  command line: c:\hlnljvp.exe  Executes dropped EXE
- [53] PID 2952  \??\c:\jnrhr.exe  command line: c:\jnrhr.exe  Executes dropped EXE
- [54] PID 2764  \??\c:\bjrrllv.exe  command line: c:\bjrrllv.exe  Executes dropped EXE
- [55] PID 540  \??\c:\tnfpt.exe  command line: c:\tnfpt.exe  Executes dropped EXE
- [56] PID 1448  \??\c:\rtpvrxv.exe  command line: c:\rtpvrxv.exe  Executes dropped EXE
- [57] PID 1996  \??\c:\xnpdllv.exe  command line: c:\xnpdllv.exe  Executes dropped EXE
- [58] PID 1148  \??\c:\lpblptb.exe  command line: c:\lpblptb.exe  Executes dropped EXE; System Location Discovery: System Language Discovery
- [59] PID 1768  \??\c:\rlvxlf.exe  command line: c:\rlvxlf.exe  Executes dropped EXE
- [60] PID 2480  \??\c:\pjjvdpr.exe  command line: c:\pjjvdpr.exe  Executes dropped EXE
- [61] PID 2088  \??\c:\dnjpd.exe  command line: c:\dnjpd.exe  Executes dropped EXE
- [62] PID 368  \??\c:\bpxtr.exe  command line: c:\bpxtr.exe  Executes dropped EXE
- [63] PID 2216  \??\c:\blrhb.exe  command line: c:\blrhb.exe  Executes dropped EXE
- [64] PID 2652  \??\c:\tbplnfx.exe  command line: c:\tbplnfx.exe  Executes dropped EXE
- [65] PID 2620  \??\c:\vjptrlt.exe  command line: c:\vjptrlt.exe  Executes dropped EXE
- [66] PID 972  \??\c:\xrjtp.exe  command line: c:\xrjtp.exe
- [67] PID 1832  \??\c:\rxpjrn.exe  command line: c:\rxpjrn.exe
- [68] PID 1944  \??\c:\vrbxd.exe  command line: c:\vrbxd.exe
- [69] PID 2556  \??\c:\vxjtprd.exe  command line: c:\vxjtprd.exe
- [70] PID 1556  \??\c:\dxhbj.exe  command line: c:\dxhbj.exe
- [71] PID 1772  \??\c:\jnldh.exe  command line: c:\jnldh.exe
- [72] PID 572  \??\c:\jtpbnd.exe  command line: c:\jtpbnd.exe
- [73] PID 2292  \??\c:\jhnnlr.exe  command line: c:\jhnnlr.exe
- [74] PID 2964  \??\c:\tjxvn.exe  command line: c:\tjxvn.exe
- [75] PID 1004  \??\c:\bdhbp.exe  command line: c:\bdhbp.exe
- [76] PID 2656  \??\c:\dlbpf.exe  command line: c:\dlbpf.exe
- [77] PID 3008  \??\c:\xdbndd.exe  command line: c:\xdbndd.exe
- [78] PID 1516  \??\c:\thfpvl.exe  command line: c:\thfpvl.exe
- [79] PID 2184  \??\c:\jbvnb.exe  command line: c:\jbvnb.exe
- [80] PID 1604  \??\c:\tdvvthr.exe  command line: c:\tdvvthr.exe
- [81] PID 2932  \??\c:\rhhbjp.exe  command line: c:\rhhbjp.exe
- [82] PID 3000  \??\c:\htldjv.exe  command line: c:\htldjv.exe
- [83] PID 2936  \??\c:\vdnbjjf.exe  command line: c:\vdnbjjf.exe
- [84] PID 2864  \??\c:\bfvjhlj.exe  command line: c:\bfvjhlj.exe
- [85] PID 2976  \??\c:\rrftr.exe  command line: c:\rrftr.exe
- [86] PID 2876  \??\c:\nrbtfl.exe  command line: c:\nrbtfl.exe
- [87] PID 2832  \??\c:\lbnhndr.exe  command line: c:\lbnhndr.exe
- [88] PID 2788  \??\c:\ptpfb.exe  command line: c:\ptpfb.exe
- [89] PID 1064  \??\c:\txrndn.exe  command line: c:\txrndn.exe
- [90] PID 2028  \??\c:\lvndft.exe  command line: c:\lvndft.exe
- [91] PID 2808  \??\c:\fjdfdt.exe  command line: c:\fjdfdt.exe
- [92] PID 2396  \??\c:\hltbd.exe  command line: c:\hltbd.exe  System Location Discovery: System Language Discovery
- [93] PID 1584  \??\c:\drhvrb.exe  command line: c:\drhvrb.exe
- [94] PID 1916  \??\c:\hvjrbf.exe  command line: c:\hvjrbf.exe
- [95] PID 2180  \??\c:\rbtttt.exe  command line: c:\rbtttt.exe
- [96] PID 2064  \??\c:\btlvvv.exe  command line: c:\btlvvv.exe
- [97] PID 1984  \??\c:\xnjlhdx.exe  command line: c:\xnjlhdx.exe
- [98] PID 1260  \??\c:\ptbjfn.exe  command line: c:\ptbjfn.exe
- [99] PID 1616  \??\c:\dpnnl.exe  command line: c:\dpnnl.exe
- [100] PID 1704  \??\c:\lhtjd.exe  command line: c:\lhtjd.exe
- [101] PID 2188  \??\c:\tdrvl.exe  command line: c:\tdrvl.exe
- [102] PID 2240  \??\c:\pnfndnj.exe  command line: c:\pnfndnj.exe  System Location Discovery: System Language Discovery
- [103] PID 2504  \??\c:\hnfhjrv.exe  command line: c:\hnfhjrv.exe
- [104] PID 1652  \??\c:\plljjvh.exe  command line: c:\plljjvh.exe
- [105] PID 2056  \??\c:\jpvhpp.exe  command line: c:\jpvhpp.exe
- [106] PID 1220  \??\c:\vvnrpft.exe  command line: c:\vvnrpft.exe  System Location Discovery: System Language Discovery
- [107] PID 2220  \??\c:\llhdt.exe  command line: c:\llhdt.exe
- [108] PID 1848  \??\c:\xlndttx.exe  command line: c:\xlndttx.exe
- [109] PID 2604  \??\c:\pxbvtln.exe  command line: c:\pxbvtln.exe
- [110] PID 1932  \??\c:\vnvll.exe  command line: c:\vnvll.exe
- [111] PID 696  \??\c:\hfjdf.exe  command line: c:\hfjdf.exe
- [112] PID 1456  \??\c:\rlntvpt.exe  command line: c:\rlntvpt.exe
- [113] PID 1944  \??\c:\xphjrpr.exe  command line: c:\xphjrpr.exe
- [114] PID 1624  \??\c:\flnhln.exe  command line: c:\flnhln.exe
- [115] PID 2008  \??\c:\ltbtvlf.exe  command line: c:\ltbtvlf.exe
- [116] PID 2000  \??\c:\lnvpl.exe  command line: c:\lnvpl.exe
- [117] PID 1528  \??\c:\dnvjtff.exe  command line: c:\dnvjtff.exe
- [118] PID 2648  \??\c:\lnpnrpn.exe  command line: c:\lnpnrpn.exe
- [119] PID 2964  \??\c:\rjllnx.exe  command line: c:\rjllnx.exe
- [120] PID 2660  \??\c:\tdrht.exe  command line: c:\tdrht.exe
- [121] PID 2816  \??\c:\jbddxn.exe  command line: c:\jbddxn.exe
- [122] PID 780  \??\c:\lnpnb.exe  command line: c:\lnpnb.exe