Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 19/12/2024, 05:28
Static task: static1
Behavioral task: behavioral1
Sample: e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe
Resource: win7-20240708-en
General
Target: e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe
Size: 455KB
MD5: 586844b1b9fedf8945bf698ece5ae46f
SHA1: de05dcf23bbfecff202fc078b529cac8ae6eca7a
SHA256: e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17
SHA512: cde0c16ad83d110ae8cb3d9289471af6630a7014e99c6c744edad97e976792002cdb56a310777fded3f65c58aee8c8c6e97a6421dea14b05ea66449eb29e40c3
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRw:q7Tc2NYHUrAwfMp3CDRw
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload (45 IoCs)
resource | yara_rule
behavioral1/memory/824-1-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2160-17-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2700-27-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2848-41-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2844-38-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2628-60-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2608-58-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2628-67-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2644-79-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2404-89-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2404-84-0x00000000001B0000-0x00000000001DA000-memory.dmp | family_blackmoon
behavioral1/memory/2952-99-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1716-109-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2760-123-0x00000000002B0000-0x00000000002DA000-memory.dmp | family_blackmoon
behavioral1/memory/2404-118-0x00000000001B0000-0x00000000001DA000-memory.dmp | family_blackmoon
behavioral1/memory/868-116-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/836-137-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2944-158-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1948-186-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2228-194-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1900-214-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1704-229-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2512-247-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1856-250-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1856-258-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/3052-267-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2184-300-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2796-349-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2132-359-0x00000000001B0000-0x00000000001DA000-memory.dmp | family_blackmoon
behavioral1/memory/2648-369-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2256-382-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2904-402-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2760-409-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2764-436-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1676-451-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2200-458-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1532-485-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2536-492-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1856-532-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1856-539-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2312-656-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/952-765-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2468-785-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1640-814-0x00000000001B0000-0x00000000001DA000-memory.dmp | family_blackmoon
behavioral1/memory/1716-933-0x00000000001B0000-0x00000000001DA000-memory.dmp | family_blackmoon
Executes dropped EXE (64 IoCs)
pid | Process
2160 | 48806.exe
2700 | vdvvd.exe
2844 | flrlrrl.exe
2848 | 04286d.exe
2608 | rlrflrf.exe
2628 | bhhhhn.exe
2644 | 882466.exe
2404 | thbhnn.exe
2952 | ntbnnb.exe
1716 | lxffxfr.exe
868 | 26222.exe
2760 | 48808.exe
836 | lllfxff.exe
2088 | lllxlxf.exe
2944 | jpjdv.exe
1268 | xxrfrlf.exe
1648 | 1xllllx.exe
1948 | jpvjv.exe
2228 | fxxrflf.exe
620 | c268064.exe
952 | o044624.exe
1900 | 44408.exe
1704 | 82060.exe
2460 | pjvdd.exe
2512 | 60064.exe
1856 | bttbnt.exe
3052 | q60886.exe
624 | lrxlxlf.exe
316 | hhntnh.exe
2156 | 8224286.exe
2184 | 44824.exe
2208 | vpppd.exe
2780 | jvvjj.exe
796 | 04404.exe
2688 | dpjvv.exe
2916 | u824282.exe
2820 | 8880282.exe
2796 | 826864.exe
2636 | 4204280.exe
2132 | vdpdv.exe
2648 | i820028.exe
1628 | 260824.exe
2256 | 3lrxrlx.exe
2976 | fffrlfl.exe
2896 | xxlxlxl.exe
2904 | 9ddjd.exe
2752 | vpdvd.exe
2760 | dpppd.exe
1936 | pjjdv.exe
2748 | hhbbtn.exe
2764 | 82620.exe
1252 | 0024624.exe
1676 | 0664422.exe
2200 | 26686.exe
3032 | rlflxlx.exe
1948 | lllrlrl.exe
1256 | 82020.exe
1532 | c220020.exe
2536 | lxlxllx.exe
832 | jddpd.exe
1712 | xfflflf.exe
692 | ttnthn.exe
632 | 6646802.exe
2004 | i642806.exe
resource | yara_rule
behavioral1/memory/824-1-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2160-17-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2700-22-0x0000000000220000-0x000000000024A000-memory.dmp | upx
behavioral1/memory/2700-27-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2844-29-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2848-41-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2844-38-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2628-60-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2608-58-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2644-79-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2404-89-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2404-84-0x00000000001B0000-0x00000000001DA000-memory.dmp | upx
behavioral1/memory/2952-99-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1716-109-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2088-138-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/836-137-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2944-158-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1268-159-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1948-186-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2228-194-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1900-214-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1704-229-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2512-247-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1856-250-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1856-258-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3052-267-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2184-300-0x0000000000220000-0x000000000024A000-memory.dmp | upx
behavioral1/memory/2796-349-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2648-369-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2256-382-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2904-395-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2904-402-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2760-409-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1936-416-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2764-436-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1676-451-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2200-458-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1532-478-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1532-485-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2536-492-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/692-505-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2004-518-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/468-525-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1856-532-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1856-539-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3020-596-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3020-599-0x00000000001B0000-0x00000000001DA000-memory.dmp | upx
behavioral1/memory/2312-656-0x0000000000220000-0x000000000024A000-memory.dmp | upx
behavioral1/memory/2392-702-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1268-715-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1676-722-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2468-785-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1640-811-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2860-825-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2456-838-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2832-888-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2584-895-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1692-902-0x0000000000400000-0x000000000042A000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1bbhhb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5lffffr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | u880884.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xrfrrxl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5nntht.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dppvj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 888664.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 04460.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dpvvj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 600206.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2604862.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1llrxfr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | btntbb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5dvvj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vvvvd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2646402.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xxrrxlr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 220624.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 60840.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xxrfrlf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ddjvj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0828064.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 824 wrote to memory of 2160 | 824 | e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe | 31
PID 824 wrote to memory of 2160 | 824 | e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe | 31
PID 824 wrote to memory of 2160 | 824 | e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe | 31
PID 824 wrote to memory of 2160 | 824 | e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe | 31
PID 2160 wrote to memory of 2700 | 2160 | 48806.exe | 32
PID 2160 wrote to memory of 2700 | 2160 | 48806.exe | 32
PID 2160 wrote to memory of 2700 | 2160 | 48806.exe | 32
PID 2160 wrote to memory of 2700 | 2160 | 48806.exe | 32
PID 2700 wrote to memory of 2844 | 2700 | vdvvd.exe | 33
PID 2700 wrote to memory of 2844 | 2700 | vdvvd.exe | 33
PID 2700 wrote to memory of 2844 | 2700 | vdvvd.exe | 33
PID 2700 wrote to memory of 2844 | 2700 | vdvvd.exe | 33
PID 2844 wrote to memory of 2848 | 2844 | flrlrrl.exe | 34
PID 2844 wrote to memory of 2848 | 2844 | flrlrrl.exe | 34
PID 2844 wrote to memory of 2848 | 2844 | flrlrrl.exe | 34
PID 2844 wrote to memory of 2848 | 2844 | flrlrrl.exe | 34
PID 2848 wrote to memory of 2608 | 2848 | 04286d.exe | 35
PID 2848 wrote to memory of 2608 | 2848 | 04286d.exe | 35
PID 2848 wrote to memory of 2608 | 2848 | 04286d.exe | 35
PID 2848 wrote to memory of 2608 | 2848 | 04286d.exe | 35
PID 2608 wrote to memory of 2628 | 2608 | rlrflrf.exe | 36
PID 2608 wrote to memory of 2628 | 2608 | rlrflrf.exe | 36
PID 2608 wrote to memory of 2628 | 2608 | rlrflrf.exe | 36
PID 2608 wrote to memory of 2628 | 2608 | rlrflrf.exe | 36
PID 2628 wrote to memory of 2644 | 2628 | bhhhhn.exe | 37
PID 2628 wrote to memory of 2644 | 2628 | bhhhhn.exe | 37
PID 2628 wrote to memory of 2644 | 2628 | bhhhhn.exe | 37
PID 2628 wrote to memory of 2644 | 2628 | bhhhhn.exe | 37
PID 2644 wrote to memory of 2404 | 2644 | 882466.exe | 38
PID 2644 wrote to memory of 2404 | 2644 | 882466.exe | 38
PID 2644 wrote to memory of 2404 | 2644 | 882466.exe | 38
PID 2644 wrote to memory of 2404 | 2644 | 882466.exe | 38
PID 2404 wrote to memory of 2952 | 2404 | thbhnn.exe | 39
PID 2404 wrote to memory of 2952 | 2404 | thbhnn.exe | 39
PID 2404 wrote to memory of 2952 | 2404 | thbhnn.exe | 39
PID 2404 wrote to memory of 2952 | 2404 | thbhnn.exe | 39
PID 2952 wrote to memory of 1716 | 2952 | ntbnnb.exe | 40
PID 2952 wrote to memory of 1716 | 2952 | ntbnnb.exe | 40
PID 2952 wrote to memory of 1716 | 2952 | ntbnnb.exe | 40
PID 2952 wrote to memory of 1716 | 2952 | ntbnnb.exe | 40
PID 1716 wrote to memory of 868 | 1716 | lxffxfr.exe | 41
PID 1716 wrote to memory of 868 | 1716 | lxffxfr.exe | 41
PID 1716 wrote to memory of 868 | 1716 | lxffxfr.exe | 41
PID 1716 wrote to memory of 868 | 1716 | lxffxfr.exe | 41
PID 868 wrote to memory of 2760 | 868 | 26222.exe | 42
PID 868 wrote to memory of 2760 | 868 | 26222.exe | 42
PID 868 wrote to memory of 2760 | 868 | 26222.exe | 42
PID 868 wrote to memory of 2760 | 868 | 26222.exe | 42
PID 2760 wrote to memory of 836 | 2760 | 48808.exe | 43
PID 2760 wrote to memory of 836 | 2760 | 48808.exe | 43
PID 2760 wrote to memory of 836 | 2760 | 48808.exe | 43
PID 2760 wrote to memory of 836 | 2760 | 48808.exe | 43
PID 836 wrote to memory of 2088 | 836 | lllfxff.exe | 44
PID 836 wrote to memory of 2088 | 836 | lllfxff.exe | 44
PID 836 wrote to memory of 2088 | 836 | lllfxff.exe | 44
PID 836 wrote to memory of 2088 | 836 | lllfxff.exe | 44
PID 2088 wrote to memory of 2944 | 2088 | lllxlxf.exe | 45
PID 2088 wrote to memory of 2944 | 2088 | lllxlxf.exe | 45
PID 2088 wrote to memory of 2944 | 2088 | lllxlxf.exe | 45
PID 2088 wrote to memory of 2944 | 2088 | lllxlxf.exe | 45
PID 2944 wrote to memory of 1268 | 2944 | jpjdv.exe | 46
PID 2944 wrote to memory of 1268 | 2944 | jpjdv.exe | 46
PID 2944 wrote to memory of 1268 | 2944 | jpjdv.exe | 46
PID 2944 wrote to memory of 1268 | 2944 | jpjdv.exe | 46
Processes
C:\Users\Admin\AppData\Local\Temp\e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe"C:\Users\Admin\AppData\Local\Temp\e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\48806.exec:\48806.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\vdvvd.exec:\vdvvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\flrlrrl.exec:\flrlrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\04286d.exec:\04286d.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\rlrflrf.exec:\rlrflrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\bhhhhn.exec:\bhhhhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\882466.exec:\882466.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\thbhnn.exec:\thbhnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\ntbnnb.exec:\ntbnnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\lxffxfr.exec:\lxffxfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\26222.exec:\26222.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\48808.exec:\48808.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\lllfxff.exec:\lllfxff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\lllxlxf.exec:\lllxlxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\jpjdv.exec:\jpjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\xxrfrlf.exec:\xxrfrlf.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1268 -
\??\c:\1xllllx.exec:\1xllllx.exe18⤵
- Executes dropped EXE
PID:1648 -
\??\c:\jpvjv.exec:\jpvjv.exe19⤵
- Executes dropped EXE
PID:1948 -
\??\c:\fxxrflf.exec:\fxxrflf.exe20⤵
- Executes dropped EXE
PID:2228 -
\??\c:\c268064.exec:\c268064.exe21⤵
- Executes dropped EXE
PID:620 -
\??\c:\o044624.exec:\o044624.exe22⤵
- Executes dropped EXE
PID:952 -
\??\c:\44408.exec:\44408.exe23⤵
- Executes dropped EXE
PID:1900 -
\??\c:\82060.exec:\82060.exe24⤵
- Executes dropped EXE
PID:1704 -
\??\c:\pjvdd.exec:\pjvdd.exe25⤵
- Executes dropped EXE
PID:2460 -
\??\c:\60064.exec:\60064.exe26⤵
- Executes dropped EXE
PID:2512 -
\??\c:\bttbnt.exec:\bttbnt.exe27⤵
- Executes dropped EXE
PID:1856 -
\??\c:\q60886.exec:\q60886.exe28⤵
- Executes dropped EXE
PID:3052 -
\??\c:\lrxlxlf.exec:\lrxlxlf.exe29⤵
- Executes dropped EXE
PID:624 -
\??\c:\hhntnh.exec:\hhntnh.exe30⤵
- Executes dropped EXE
PID:316 -
\??\c:\8224286.exec:\8224286.exe31⤵
- Executes dropped EXE
PID:2156 -
\??\c:\44824.exec:\44824.exe32⤵
- Executes dropped EXE
PID:2184 -
\??\c:\vpppd.exec:\vpppd.exe33⤵
- Executes dropped EXE
PID:2208 -
\??\c:\jvvjj.exec:\jvvjj.exe34⤵
- Executes dropped EXE
PID:2780 -
\??\c:\04404.exec:\04404.exe35⤵
- Executes dropped EXE
PID:796 -
\??\c:\dpjvv.exec:\dpjvv.exe36⤵
- Executes dropped EXE
PID:2688 -
\??\c:\u824282.exec:\u824282.exe37⤵
- Executes dropped EXE
PID:2916 -
\??\c:\8880282.exec:\8880282.exe38⤵
- Executes dropped EXE
PID:2820 -
\??\c:\826864.exec:\826864.exe39⤵
- Executes dropped EXE
PID:2796 -
\??\c:\4204280.exec:\4204280.exe40⤵
- Executes dropped EXE
PID:2636 -
\??\c:\vdpdv.exec:\vdpdv.exe41⤵
- Executes dropped EXE
PID:2132 -
\??\c:\i820028.exec:\i820028.exe42⤵
- Executes dropped EXE
PID:2648 -
\??\c:\260824.exec:\260824.exe43⤵
- Executes dropped EXE
PID:1628 -
\??\c:\3lrxrlx.exec:\3lrxrlx.exe44⤵
- Executes dropped EXE
PID:2256 -
\??\c:\fffrlfl.exec:\fffrlfl.exe45⤵
- Executes dropped EXE
PID:2976 -
\??\c:\xxlxlxl.exec:\xxlxlxl.exe46⤵
- Executes dropped EXE
PID:2896 -
\??\c:\9ddjd.exec:\9ddjd.exe47⤵
- Executes dropped EXE
PID:2904 -
\??\c:\vpdvd.exec:\vpdvd.exe48⤵
- Executes dropped EXE
PID:2752 -
\??\c:\dpppd.exec:\dpppd.exe49⤵
- Executes dropped EXE
PID:2760 -
\??\c:\pjjdv.exec:\pjjdv.exe50⤵
- Executes dropped EXE
PID:1936 -
\??\c:\hhbbtn.exec:\hhbbtn.exe51⤵
- Executes dropped EXE
PID:2748 -
\??\c:\82620.exec:\82620.exe52⤵
- Executes dropped EXE
PID:2764 -
\??\c:\0024624.exec:\0024624.exe53⤵
- Executes dropped EXE
PID:1252 -
\??\c:\0664422.exec:\0664422.exe54⤵
- Executes dropped EXE
PID:1676 -
\??\c:\26686.exec:\26686.exe55⤵
- Executes dropped EXE
PID:2200 -
\??\c:\rlflxlx.exec:\rlflxlx.exe56⤵
- Executes dropped EXE
PID:3032 -
\??\c:\lllrlrl.exec:\lllrlrl.exe57⤵
- Executes dropped EXE
PID:1948 -
\??\c:\82020.exec:\82020.exe58⤵
- Executes dropped EXE
PID:1256 -
\??\c:\c220020.exec:\c220020.exe59⤵
- Executes dropped EXE
PID:1532 -
\??\c:\lxlxllx.exec:\lxlxllx.exe60⤵
- Executes dropped EXE
PID:2536 -
\??\c:\jddpd.exec:\jddpd.exe61⤵
- Executes dropped EXE
PID:832 -
\??\c:\xfflflf.exec:\xfflflf.exe62⤵
- Executes dropped EXE
PID:1712 -
\??\c:\ttnthn.exec:\ttnthn.exe63⤵
- Executes dropped EXE
PID:692 -
\??\c:\6646802.exec:\6646802.exe64⤵
- Executes dropped EXE
PID:632 -
\??\c:\i642806.exec:\i642806.exe65⤵
- Executes dropped EXE
PID:2004 -
\??\c:\pjpvj.exec:\pjpvj.exe66⤵
PID:468
\??\c:\08686.exec:\08686.exe67⤵
PID:1856
\??\c:\vvvdj.exec:\vvvdj.exe68⤵
PID:696
\??\c:\5lffffr.exec:\5lffffr.exe69⤵
- System Location Discovery: System Language Discovery
PID:2288
\??\c:\jjvpj.exec:\jjvpj.exe70⤵
PID:876
\??\c:\lllfrfx.exec:\lllfrfx.exe71⤵
PID:748
\??\c:\i468664.exec:\i468664.exe72⤵
PID:1516
\??\c:\864028.exec:\864028.exe73⤵
PID:1492
\??\c:\jjjvv.exec:\jjjvv.exe74⤵
PID:1852
\??\c:\82024.exec:\82024.exe75⤵
PID:2676
\??\c:\608462.exec:\608462.exe76⤵
PID:2800
\??\c:\9vvpp.exec:\9vvpp.exe77⤵
PID:3020
\??\c:\4486442.exec:\4486442.exe78⤵
PID:3008
\??\c:\48620.exec:\48620.exe79⤵
PID:2612
\??\c:\48246.exec:\48246.exe80⤵
PID:2820
\??\c:\4886686.exec:\4886686.exe81⤵
PID:2588
\??\c:\a4884.exec:\a4884.exe82⤵
PID:2692
\??\c:\0488642.exec:\0488642.exe83⤵
PID:2132
\??\c:\e82028.exec:\e82028.exe84⤵
PID:2424
\??\c:\lfrrxxf.exec:\lfrrxxf.exe85⤵
PID:2552
\??\c:\608462.exec:\608462.exe86⤵
PID:2312
\??\c:\g8246.exec:\g8246.exe87⤵
PID:2972
\??\c:\rxflrxx.exec:\rxflrxx.exe88⤵
PID:2140
\??\c:\60048.exec:\60048.exe89⤵
PID:1424
\??\c:\k04208.exec:\k04208.exe90⤵
PID:1864
\??\c:\7jdpv.exec:\7jdpv.exe91⤵
PID:348
\??\c:\nnbhbb.exec:\nnbhbb.exe92⤵
PID:2996
\??\c:\k86240.exec:\k86240.exe93⤵
PID:2668
\??\c:\26686.exec:\26686.exe94⤵
PID:2392
\??\c:\rrrfrxl.exec:\rrrfrxl.exe95⤵
PID:1556
\??\c:\tnhnbn.exec:\tnhnbn.exe96⤵
PID:1268
\??\c:\u486408.exec:\u486408.exe97⤵
PID:1676
\??\c:\1lfrxrx.exec:\1lfrxrx.exe98⤵
PID:996
\??\c:\hthnth.exec:\hthnth.exe99⤵
PID:3036
\??\c:\42620.exec:\42620.exe100⤵
PID:1948
\??\c:\00808.exec:\00808.exe101⤵
PID:1276
\??\c:\nhtnht.exec:\nhtnht.exe102⤵
PID:1532
\??\c:\448042.exec:\448042.exe103⤵
PID:952
\??\c:\vdpvp.exec:\vdpvp.exe104⤵
PID:1900
\??\c:\46468.exec:\46468.exe105⤵
PID:2348
\??\c:\06204.exec:\06204.exe106⤵
PID:2236
\??\c:\frxllfl.exec:\frxllfl.exe107⤵
PID:2468
\??\c:\rlxfxlr.exec:\rlxfxlr.exe108⤵
PID:584
\??\c:\0080886.exec:\0080886.exe109⤵
PID:2136
\??\c:\026240.exec:\026240.exe110⤵
PID:2292
\??\c:\6062446.exec:\6062446.exe111⤵
PID:1640
\??\c:\fflxxff.exec:\fflxxff.exe112⤵
PID:624
\??\c:\vvpdv.exec:\vvpdv.exe113⤵
PID:2860
\??\c:\bhtnhh.exec:\bhtnhh.exe114⤵
PID:316
\??\c:\xxfrfxl.exec:\xxfrfxl.exe115⤵
PID:2456
\??\c:\ffxlrxl.exec:\ffxlrxl.exe116⤵
PID:1520
\??\c:\1rlrfrf.exec:\1rlrfrf.exe117⤵
PID:2576
\??\c:\rlflxfr.exec:\rlflxfr.exe118⤵
PID:2700
\??\c:\5lrflxl.exec:\5lrflxl.exe119⤵
PID:2800
\??\c:\608624.exec:\608624.exe120⤵
PID:2768
\??\c:\m0684.exec:\m0684.exe121⤵
PID:2864
\??\c:\7bbbhh.exec:\7bbbhh.exe122⤵
PID:2684