Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 19/12/2024, 04:35

Static task: static1
Behavioral task: behavioral1
Sample: d3bcd7621510d392368c8e4d1137dda83e13d2eb39b735a8e70cc132ca6b4c7e.exe
Resource: win7-20240708-en

General
- Target: d3bcd7621510d392368c8e4d1137dda83e13d2eb39b735a8e70cc132ca6b4c7e.exe
- Size: 453KB
- MD5: 31653f8e0aa45af32f56aa6eb7768bca
- SHA1: a37ac8630d3b6a90c1cb9c64917fa50c0e3f1aa1
- SHA256: d3bcd7621510d392368c8e4d1137dda83e13d2eb39b735a8e70cc132ca6b4c7e
- SHA512: fc4d6cf445841d79447cddfc0e027604bb22dba846462fa930904a8093fecb509461e075a5e596ded2c813b00bef2cd092c6a5d6070f80b893a902e81e925c04
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (42 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(tree depth, image path, command line, PID; the signatures each process triggered are listed beneath it)

1  C:\Users\Admin\AppData\Local\Temp\d3bcd7621510d392368c8e4d1137dda83e13d2eb39b735a8e70cc132ca6b4c7e.exe | "C:\Users\Admin\AppData\Local\Temp\d3bcd7621510d392368c8e4d1137dda83e13d2eb39b735a8e70cc132ca6b4c7e.exe" | PID:2324
   - Suspicious use of WriteProcessMemory
2  \??\c:\hhbhth.exe | c:\hhbhth.exe | PID:2976
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3  \??\c:\0884880.exe | c:\0884880.exe | PID:1928
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4  \??\c:\7frxffr.exe | c:\7frxffr.exe | PID:2116
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5  \??\c:\5bthhh.exe | c:\5bthhh.exe | PID:2768
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6  \??\c:\22026.exe | c:\22026.exe | PID:2688
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7  \??\c:\8266668.exe | c:\8266668.exe | PID:2828
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8  \??\c:\fxllrxl.exe | c:\fxllrxl.exe | PID:2692
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9  \??\c:\5fxxlrf.exe | c:\5fxxlrf.exe | PID:2552
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10 \??\c:\jdvdp.exe | c:\jdvdp.exe | PID:2676
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11 \??\c:\tbthnn.exe | c:\tbthnn.exe | PID:1536
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12 \??\c:\w04244.exe | c:\w04244.exe | PID:892
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13 \??\c:\428084.exe | c:\428084.exe | PID:2840
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14 \??\c:\004684.exe | c:\004684.exe | PID:1092
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15 \??\c:\rxxlrrl.exe | c:\rxxlrrl.exe | PID:2008
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16 \??\c:\26680.exe | c:\26680.exe | PID:328
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17 \??\c:\bbtnht.exe | c:\bbtnht.exe | PID:1968
   - Executes dropped EXE
18 \??\c:\rxrfxlf.exe | c:\rxrfxlf.exe | PID:2064
   - Executes dropped EXE
19 \??\c:\djdpv.exe | c:\djdpv.exe | PID:2864
   - Executes dropped EXE
20 \??\c:\lllrfrf.exe | c:\lllrfrf.exe | PID:1316
   - Executes dropped EXE
21 \??\c:\86864.exe | c:\86864.exe | PID:1608
   - Executes dropped EXE
22 \??\c:\o606406.exe | c:\o606406.exe | PID:896
   - Executes dropped EXE
23 \??\c:\flfrfll.exe | c:\flfrfll.exe | PID:696
   - Executes dropped EXE
24 \??\c:\vpjpd.exe | c:\vpjpd.exe | PID:1728
   - Executes dropped EXE
25 \??\c:\9rrxrxr.exe | c:\9rrxrxr.exe | PID:1704
   - Executes dropped EXE
26 \??\c:\ddvpv.exe | c:\ddvpv.exe | PID:2272
   - Executes dropped EXE
27 \??\c:\42064.exe | c:\42064.exe | PID:1852
   - Executes dropped EXE
28 \??\c:\3djpd.exe | c:\3djpd.exe | PID:1060
   - Executes dropped EXE
29 \??\c:\8228664.exe | c:\8228664.exe | PID:804
   - Executes dropped EXE
30 \??\c:\htntnt.exe | c:\htntnt.exe | PID:2836
   - Executes dropped EXE
31 \??\c:\a8286.exe | c:\a8286.exe | PID:1584
   - Executes dropped EXE
32 \??\c:\44248.exe | c:\44248.exe | PID:2328
   - Executes dropped EXE
33 \??\c:\00646.exe | c:\00646.exe | PID:2912
   - Executes dropped EXE
34 \??\c:\lrflxxf.exe | c:\lrflxxf.exe | PID:2684
   - Executes dropped EXE
35 \??\c:\0806840.exe | c:\0806840.exe | PID:2116
   - Executes dropped EXE
36 \??\c:\hhhthn.exe | c:\hhhthn.exe | PID:2748
   - Executes dropped EXE
37 \??\c:\486600.exe | c:\486600.exe | PID:2264
   - Executes dropped EXE
38 \??\c:\7dpjd.exe | c:\7dpjd.exe | PID:2572
   - Executes dropped EXE
39 \??\c:\2022884.exe | c:\2022884.exe | PID:2596
   - Executes dropped EXE
40 \??\c:\tntnnn.exe | c:\tntnnn.exe | PID:2564
   - Executes dropped EXE
41 \??\c:\vvjvv.exe | c:\vvjvv.exe | PID:2544
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
42 \??\c:\bntbbt.exe | c:\bntbbt.exe | PID:2584
   - Executes dropped EXE
43 \??\c:\i802820.exe | c:\i802820.exe | PID:1836
   - Executes dropped EXE
44 \??\c:\26460.exe | c:\26460.exe | PID:2816
   - Executes dropped EXE
45 \??\c:\hhtnnn.exe | c:\hhtnnn.exe | PID:1764
   - Executes dropped EXE
46 \??\c:\tbthhn.exe | c:\tbthhn.exe | PID:320
   - Executes dropped EXE
47 \??\c:\a2668.exe | c:\a2668.exe | PID:2024
   - Executes dropped EXE
48 \??\c:\a2408.exe | c:\a2408.exe | PID:1824
   - Executes dropped EXE
49 \??\c:\dvjjv.exe | c:\dvjjv.exe | PID:2008
   - Executes dropped EXE
50 \??\c:\nhthnn.exe | c:\nhthnn.exe | PID:1496
   - Executes dropped EXE
51 \??\c:\xxlrrxl.exe | c:\xxlrrxl.exe | PID:1440
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
52 \??\c:\c428264.exe | c:\c428264.exe | PID:2200
   - Executes dropped EXE
53 \??\c:\0462068.exe | c:\0462068.exe | PID:2844
   - Executes dropped EXE
54 \??\c:\fxrxxxl.exe | c:\fxrxxxl.exe | PID:1300
   - Executes dropped EXE
55 \??\c:\5tnbhn.exe | c:\5tnbhn.exe | PID:2168
   - Executes dropped EXE
56 \??\c:\hhbnbb.exe | c:\hhbnbb.exe | PID:1808
   - Executes dropped EXE
57 \??\c:\flxxlxl.exe | c:\flxxlxl.exe | PID:2036
   - Executes dropped EXE
58 \??\c:\00204.exe | c:\00204.exe | PID:896
   - Executes dropped EXE
59 \??\c:\pdpvv.exe | c:\pdpvv.exe | PID:696
   - Executes dropped EXE
60 \??\c:\fxxrxfr.exe | c:\fxxrxfr.exe | PID:2124
   - Executes dropped EXE
61 \??\c:\3rflrrx.exe | c:\3rflrrx.exe | PID:2908
   - Executes dropped EXE
62 \??\c:\1thnbh.exe | c:\1thnbh.exe | PID:2352
   - Executes dropped EXE
63 \??\c:\vdvdd.exe | c:\vdvdd.exe | PID:1472
   - Executes dropped EXE
64 \??\c:\0468402.exe | c:\0468402.exe | PID:2268
   - Executes dropped EXE
65 \??\c:\66028.exe | c:\66028.exe | PID:1348
   - Executes dropped EXE
66 \??\c:\0866266.exe | c:\0866266.exe | PID:2632
67 \??\c:\6084002.exe | c:\6084002.exe | PID:2348
68 \??\c:\fxrxllx.exe | c:\fxrxllx.exe | PID:2980
   - System Location Discovery: System Language Discovery
69 \??\c:\202682.exe | c:\202682.exe | PID:2696
70 \??\c:\lxlxfxx.exe | c:\lxlxfxx.exe | PID:2796
71 \??\c:\nbhnnn.exe | c:\nbhnnn.exe | PID:2680
72 \??\c:\u860262.exe | c:\u860262.exe | PID:2068
73 \??\c:\9djjp.exe | c:\9djjp.exe | PID:2688
74 \??\c:\886462.exe | c:\886462.exe | PID:2724
75 \??\c:\g4888.exe | c:\g4888.exe | PID:2792
76 \??\c:\hhnnth.exe | c:\hhnnth.exe | PID:2560
77 \??\c:\26844.exe | c:\26844.exe | PID:2668
78 \??\c:\xlfllrx.exe | c:\xlfllrx.exe | PID:2544
79 \??\c:\3vdjj.exe | c:\3vdjj.exe | PID:1356
80 \??\c:\xxxlffr.exe | c:\xxxlffr.exe | PID:536
81 \??\c:\5pddd.exe | c:\5pddd.exe | PID:756
82 \??\c:\8640288.exe | c:\8640288.exe | PID:1536
83 \??\c:\s6842.exe | c:\s6842.exe | PID:2204
84 \??\c:\pjjvp.exe | c:\pjjvp.exe | PID:1712
85 \??\c:\dpjjp.exe | c:\dpjjp.exe | PID:112
86 \??\c:\9lfflrx.exe | c:\9lfflrx.exe | PID:1340
87 \??\c:\flxxlxl.exe | c:\flxxlxl.exe | PID:1900
88 \??\c:\60028.exe | c:\60028.exe | PID:2800
89 \??\c:\60808.exe | c:\60808.exe | PID:1912
90 \??\c:\64606.exe | c:\64606.exe | PID:1896
91 \??\c:\2208400.exe | c:\2208400.exe | PID:2044
92 \??\c:\46446.exe | c:\46446.exe | PID:2400
93 \??\c:\42068.exe | c:\42068.exe | PID:3012
94 \??\c:\dpvdp.exe | c:\dpvdp.exe | PID:2200
95 \??\c:\28284.exe | c:\28284.exe | PID:2820
96 \??\c:\040628.exe | c:\040628.exe | PID:2432
97 \??\c:\ffxxrrx.exe | c:\ffxxrrx.exe | PID:832
98 \??\c:\htnthh.exe | c:\htnthh.exe | PID:1464
99 \??\c:\9llxxxr.exe | c:\9llxxxr.exe | PID:2180
100 \??\c:\7xrxrfx.exe | c:\7xrxrfx.exe | PID:896
101 \??\c:\ddppj.exe | c:\ddppj.exe | PID:1544
102 \??\c:\8224848.exe | c:\8224848.exe | PID:1728
103 \??\c:\00404.exe | c:\00404.exe | PID:1720
104 \??\c:\0446422.exe | c:\0446422.exe | PID:2212
105 \??\c:\e64444.exe | c:\e64444.exe | PID:2452
106 \??\c:\84444.exe | c:\84444.exe | PID:340
107 \??\c:\080206.exe | c:\080206.exe | PID:2860
108 \??\c:\60406.exe | c:\60406.exe | PID:2992
109 \??\c:\xrxrrrx.exe | c:\xrxrrrx.exe | PID:1452
110 \??\c:\4240284.exe | c:\4240284.exe | PID:1648
111 \??\c:\pjdpv.exe | c:\pjdpv.exe | PID:2760
112 \??\c:\pjvdp.exe | c:\pjvdp.exe | PID:3020
113 \??\c:\btnntb.exe | c:\btnntb.exe | PID:2116
114 \??\c:\jjvdv.exe | c:\jjvdv.exe | PID:2920
115 \??\c:\jdvdp.exe | c:\jdvdp.exe | PID:2888
116 \??\c:\04280.exe | c:\04280.exe | PID:2688
117 \??\c:\s8064.exe | c:\s8064.exe | PID:2664
118 \??\c:\tnhbhn.exe | c:\tnhbhn.exe | PID:3040
119 \??\c:\s6402.exe | c:\s6402.exe | PID:1364
120 \??\c:\604024.exe | c:\604024.exe | PID:992
121 \??\c:\7dpvj.exe | c:\7dpvj.exe | PID:2472
122 \??\c:\484406.exe | c:\484406.exe | PID:632