Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2024, 23:49
Static task: static1
Behavioral task: behavioral1
Sample: 5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657.exe
Resource: win7-20241023-en
General
Target: 5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657.exe
Size: 454KB
MD5: 7b9ab2f2ba6bdddc4f45aefbbae03058
SHA1: aa640eda1100d192f273007698bef2a0bd7ec993
SHA256: 5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657
SHA512: 7acce99ce7fa63991c964463b790908c2cc8c49ff57141699ac2b8385bd278e83fc2a73437963625bed0d87f2ee1635c3cdacddbcb97f6dc0be9b73b34ef4f98
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe13:q7Tc2NYHUrAwfMp3CD13
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (53 IoCs)
Every hit below matches yara_rule family_blackmoon. Resource names are behavioral1/memory/<pid>-<sequence>-<region start>-<region end>-memory.dmp; note that every region is 0x2A000 bytes long, most of them at image base 0x400000.
behavioral1/memory/1956-0-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1616-16-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1796-26-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2988-40-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1264-38-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2928-50-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2844-59-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2976-68-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2720-85-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1784-89-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1784-95-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2512-112-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2908-123-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/964-139-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/964-138-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2556-161-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1708-152-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2868-150-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2556-169-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1800-181-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/764-206-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1516-227-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2200-235-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/920-244-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2244-261-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1712-321-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1420-328-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2940-348-0x00000000002C0000-0x00000000002EA000-memory.dmp
behavioral1/memory/2808-373-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2892-374-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2892-381-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/868-424-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1804-463-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2552-500-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1548-537-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2260-640-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2932-647-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2976-655-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1720-696-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2428-829-0x00000000003A0000-0x00000000003CA000-memory.dmp
behavioral1/memory/1504-841-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1600-856-0x0000000000320000-0x000000000034A000-memory.dmp
behavioral1/memory/1736-865-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2532-885-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2828-916-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2704-929-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2400-1030-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2168-1044-0x0000000000320000-0x000000000034A000-memory.dmp
behavioral1/memory/2136-1064-0x00000000003A0000-0x00000000003CA000-memory.dmp
behavioral1/memory/2136-1063-0x00000000003A0000-0x00000000003CA000-memory.dmp
behavioral1/memory/2192-1108-0x00000000003C0000-0x00000000003EA000-memory.dmp
behavioral1/memory/2644-1127-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2644-1147-0x0000000000220000-0x000000000024A000-memory.dmp
Executes dropped EXE (64 IoCs)
pid  Process
1616  pjpjd.exe
1796  nntbhn.exe
1264  q42288.exe
2988  04040.exe
2928  xrffllr.exe
2844  64640.exe
2976  68668.exe
2720  0462046.exe
1784  lfrxffl.exe
2744  ddpjj.exe
2512  86840.exe
1384  hthhtt.exe
2908  08628.exe
964  5bhhbt.exe
2868  20600.exe
1708  24662.exe
2556  604466.exe
1852  208800.exe
1800  9hbntt.exe
1520  xxrrxxf.exe
764  5bnnbh.exe
1872  4284062.exe
684  xxflrrx.exe
1516  6084006.exe
2200  vpjpd.exe
920  8688444.exe
772  e82006.exe
2244  468804.exe
1544  9ffrflr.exe
2072  m8006.exe
1748  26448.exe
884  60224.exe
1980  jjpvj.exe
1700  hhnhnh.exe
1712  vjdjp.exe
1420  g8662.exe
1984  ppjjv.exe
580  s2088.exe
2940  lxrlllx.exe
2832  486666.exe
2844  5tnttn.exe
2888  lfflrxr.exe
2808  264682.exe
2892  82680.exe
2688  9fxfrxl.exe
2712  8266844.exe
1648  hbnbht.exe
2752  0488444.exe
2512  u088666.exe
2900  02642.exe
2588  vpddp.exe
868  4862840.exe
3060  5ntbhh.exe
1292  4884460.exe
1160  tbbtth.exe
620  q20066.exe
1804  864628.exe
1852  tnhnbb.exe
2084  642840.exe
2280  820248.exe
1256  q48800.exe
908  3vjjp.exe
2552  1xrllrx.exe
1856  frffrrx.exe
UPX packed file (57 IoCs)
Every hit below matches yara_rule upx; the regions are the same 0x2A000-byte extents that carry the Blackmoon hits above, so the packer stub is being detected in each re-dropped copy.
behavioral1/memory/1956-0-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1796-18-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1616-16-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1796-26-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2988-40-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1264-38-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2928-50-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2844-59-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2976-68-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2720-85-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1784-89-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1784-95-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2512-112-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2908-123-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/964-139-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2556-161-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1708-152-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2868-150-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1852-172-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1800-181-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/764-206-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1516-227-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2200-235-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/920-244-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2244-261-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1700-306-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1712-321-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1420-328-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1984-329-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2808-373-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2892-374-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2892-381-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/868-424-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1292-438-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1804-463-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2552-500-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1548-537-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2624-583-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1660-608-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2820-621-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2932-647-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2976-648-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2976-655-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1508-723-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1524-778-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1536-797-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1504-836-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1736-858-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1736-865-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2532-878-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2828-916-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2704-929-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2400-1030-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2168-1037-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1260-1077-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1772-1128-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2856-1202-0x0000000000400000-0x000000000042A000-memory.dmp
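The "upx" hits above come from a YARA rule run over each dumped region. As an added example (not the report's or tria.ge's own rule), the script below implements the crudest form of that check: a UPX-packed PE normally ships with sections named UPX0 and UPX1, so walking the PE header to the section table and looking for those names flags it. The PE images are constructed inline so the script runs offline; they are not dumps from this report, and the parser does only the header walk needed for the check.

```python
"""Added example: flag a PE whose section table carries UPX's default section names.

Not the report's or tria.ge's own code. The PE images used here are constructed
inline (a minimal PE32 header plus a section table) so the check can run offline.
"""
import struct


def build_fake_pe(section_names):
    """Constructed test data: a minimal PE32 image whose only content is a section table."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH",
                       0x014C,                       # Machine: i386
                       len(section_names),           # NumberOfSections
                       0, 0, 0,                      # timestamp, symbol table pointer, symbol count
                       224,                          # SizeOfOptionalHeader for PE32
                       0x0102)                       # Characteristics: executable image, 32-bit
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI",
                    name.encode("ascii").ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1),        # VirtualSize, VirtualAddress
                    0x200, 0x400 * (i + 1),          # SizeOfRawData, PointerToRawData
                    0, 0, 0, 0,                      # relocation / line-number fields
                    0x60000020)                      # code, executable, readable
        for i, name in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def pe_section_names(data):
    """Walk DOS header -> PE signature -> COFF header -> section table and return the section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]     # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]        # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + size_opt         # 4-byte signature + 20-byte COFF header + optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                 # each IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True when the section table carries UPX's default names (UPX0 and UPX1; UPX2 is optional)."""
    return {"UPX0", "UPX1"} <= set(pe_section_names(data))


if __name__ == "__main__":
    for names in (["UPX0", "UPX1", ".rsrc"], [".text", ".rdata", ".data", ".rsrc"]):
        print(names, "->", "UPX" if looks_upx_packed(build_fake_pe(names)) else "not UPX")
```

Section names are trivially renamed by anyone who cares, so a production rule also matches the unpacking stub's code and, often, the entropy of the compressed section; the name check is only the first, cheapest filter.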
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (the same key in every one of the 64 hits)
Process: 14 hits are attributed to a named image: vvdvd.exe, ppdvd.exe, btntbb.exe, 024882.exe, 4266884.exe, xllrffl.exe, k42688.exe, 2640620.exe, s6664.exe, 4242266.exe, thhtnt.exe, 640022.exe, 486282.exe, fxfflrx.exe. The remaining 50 hits are recorded as "Process not Found", i.e. the sandbox could not attribute the key open to a process image.
Suspicious use of WriteProcessMemory (64 IoCs)
The report lists each parent-to-child write four times, so the 64 rows reduce to the 16 distinct pairs below. Columns: parent PID, child PID (the process written to), parent image, procid_target.
1956 -> 1616  5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657.exe  30
1616 -> 1796  pjpjd.exe  31
1796 -> 1264  nntbhn.exe  32
1264 -> 2988  q42288.exe  33
2988 -> 2928  04040.exe  34
2928 -> 2844  xrffllr.exe  35
2844 -> 2976  64640.exe  36
2976 -> 2720  68668.exe  37
2720 -> 1784  0462046.exe  38
1784 -> 2744  lfrxffl.exe  39
2744 -> 2512  ddpjj.exe  40
2512 -> 1384  86840.exe  41
1384 -> 2908  hthhtt.exe  42
2908 -> 964  08628.exe  43
964 -> 2868  5bhhbt.exe  44
2868 -> 1708  20600.exe  45
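Both signature tables above are flat strings, and the useful facts in them (every dumped region has the same 0x2A000-byte extent; every WriteProcessMemory row is one link in a strict parent-to-child chain) are easier to check by parsing than by eye. The script below is an added example, not part of the report: it parses the two string shapes exactly as they appear on this page, profiles the memory regions by base and size, and walks the write rows from the root process to recover the spawn chain. The sample lines are copied from this report; the function names and the Counter-based profile are this example's own choices.

```python
"""Added example (not part of the tria.ge report): parse the report's flat IoC strings
back into structure so the facts they carry can be checked programmatically.

Handled string shapes:
  * memory-dump resources carrying the YARA hits:
      behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
  * "Suspicious use of WriteProcessMemory" rows:
      PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>
"""
import re
from collections import Counter

MEM_RE = re.compile(
    r"behavioral1/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
# The third number repeats the parent PID (the report's "pid" column), hence the backreference.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# Lines copied from this report (a subset of its 53 memory hits and 64 write rows).
MEM_SAMPLES = [
    "behavioral1/memory/1956-0-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/1616-16-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/1784-95-0x0000000000220000-0x000000000024A000-memory.dmp",
    "behavioral1/memory/2940-348-0x00000000002C0000-0x00000000002EA000-memory.dmp",
]
WPM_SAMPLES = [
    "PID 1956 wrote to memory of 1616 1956 5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657.exe 30",
    "PID 1956 wrote to memory of 1616 1956 5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657.exe 30",
    "PID 1616 wrote to memory of 1796 1616 pjpjd.exe 31",
    "PID 1796 wrote to memory of 1264 1796 nntbhn.exe 32",
    "PID 1264 wrote to memory of 2988 1264 q42288.exe 33",
]


def parse_mem_ioc(s):
    """Split a memory-dump resource name into pid, sequence number, region bounds and size."""
    m = MEM_RE.fullmatch(s.strip())
    if m is None:
        raise ValueError(f"not a memory IoC: {s!r}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def region_sizes(iocs):
    """Distinct region sizes across the hits; a single value means every hit covers the same extent."""
    return {parse_mem_ioc(s)["size"] for s in iocs}


def region_profile(iocs):
    """Count hits per (base address, size). Re-dropped copies of one image share a layout."""
    return Counter((r["start"], r["size"]) for r in map(parse_mem_ioc, iocs))


def parse_wpm(line):
    """Parse one WriteProcessMemory row into parent/child PIDs, parent image and target ordinal."""
    m = WPM_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"not a WriteProcessMemory row: {line!r}")
    return {"parent": int(m[1]), "child": int(m[2]), "parent_image": m[3], "target": int(m[4])}


def spawn_chain(rows):
    """Deduplicate the rows (the report repeats each pair) and walk parent -> child from the root."""
    edges = {}
    for r in map(parse_wpm, rows):
        edges.setdefault(r["parent"], set()).add(r["child"])
    children = {c for cs in edges.values() for c in cs}
    roots = [p for p in edges if p not in children]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    chain = [roots[0]]
    while chain[-1] in edges:
        nxt = edges[chain[-1]]
        if len(nxt) != 1:            # a fan-out would not be a simple hand-off chain
            break
        chain.append(next(iter(nxt)))
    return chain


if __name__ == "__main__":
    print("region sizes:", sorted(hex(s) for s in region_sizes(MEM_SAMPLES)))
    for (base, size), n in region_profile(MEM_SAMPLES).items():
        print(f"  base {base:#x} size {size:#x}: {n} hit(s)")
    print("spawn chain:", " -> ".join(map(str, spawn_chain(WPM_SAMPLES))))
```

Feed the full 53-entry and 64-row tables to the same functions and the picture is the same: one region size everywhere and a chain in which each dropped EXE writes only to the one it spawns next, which is what to expect when each generation is the same image re-dropped under a new name rather than a set of distinct payloads.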
Processes
The tree is a single chain: each process is the child of the one listed directly above it (depth 1 is the submitted sample). Columns: depth, image path, command line, PID, signatures matched on that process.
1  C:\Users\Admin\AppData\Local\Temp\5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\5687c5fee9fe8458cea70998f51675c005746244a6b2ac8c84a49fc44d1c4657.exe"  PID:1956  Suspicious use of WriteProcessMemory
2  \??\c:\pjpjd.exe  cmd: c:\pjpjd.exe  PID:1616  Executes dropped EXE; Suspicious use of WriteProcessMemory
3  \??\c:\nntbhn.exe  cmd: c:\nntbhn.exe  PID:1796  Executes dropped EXE; Suspicious use of WriteProcessMemory
4  \??\c:\q42288.exe  cmd: c:\q42288.exe  PID:1264  Executes dropped EXE; Suspicious use of WriteProcessMemory
5  \??\c:\04040.exe  cmd: c:\04040.exe  PID:2988  Executes dropped EXE; Suspicious use of WriteProcessMemory
6  \??\c:\xrffllr.exe  cmd: c:\xrffllr.exe  PID:2928  Executes dropped EXE; Suspicious use of WriteProcessMemory
7  \??\c:\64640.exe  cmd: c:\64640.exe  PID:2844  Executes dropped EXE; Suspicious use of WriteProcessMemory
8  \??\c:\68668.exe  cmd: c:\68668.exe  PID:2976  Executes dropped EXE; Suspicious use of WriteProcessMemory
9  \??\c:\0462046.exe  cmd: c:\0462046.exe  PID:2720  Executes dropped EXE; Suspicious use of WriteProcessMemory
10  \??\c:\lfrxffl.exe  cmd: c:\lfrxffl.exe  PID:1784  Executes dropped EXE; Suspicious use of WriteProcessMemory
11  \??\c:\ddpjj.exe  cmd: c:\ddpjj.exe  PID:2744  Executes dropped EXE; Suspicious use of WriteProcessMemory
12  \??\c:\86840.exe  cmd: c:\86840.exe  PID:2512  Executes dropped EXE; Suspicious use of WriteProcessMemory
13  \??\c:\hthhtt.exe  cmd: c:\hthhtt.exe  PID:1384  Executes dropped EXE; Suspicious use of WriteProcessMemory
14  \??\c:\08628.exe  cmd: c:\08628.exe  PID:2908  Executes dropped EXE; Suspicious use of WriteProcessMemory
15  \??\c:\5bhhbt.exe  cmd: c:\5bhhbt.exe  PID:964  Executes dropped EXE; Suspicious use of WriteProcessMemory
16  \??\c:\20600.exe  cmd: c:\20600.exe  PID:2868  Executes dropped EXE; Suspicious use of WriteProcessMemory
17  \??\c:\24662.exe  cmd: c:\24662.exe  PID:1708  Executes dropped EXE
18  \??\c:\604466.exe  cmd: c:\604466.exe  PID:2556  Executes dropped EXE
19  \??\c:\208800.exe  cmd: c:\208800.exe  PID:1852  Executes dropped EXE
20  \??\c:\9hbntt.exe  cmd: c:\9hbntt.exe  PID:1800  Executes dropped EXE
21  \??\c:\xxrrxxf.exe  cmd: c:\xxrrxxf.exe  PID:1520  Executes dropped EXE
22  \??\c:\5bnnbh.exe  cmd: c:\5bnnbh.exe  PID:764  Executes dropped EXE
23  \??\c:\4284062.exe  cmd: c:\4284062.exe  PID:1872  Executes dropped EXE
24  \??\c:\xxflrrx.exe  cmd: c:\xxflrrx.exe  PID:684  Executes dropped EXE
25  \??\c:\6084006.exe  cmd: c:\6084006.exe  PID:1516  Executes dropped EXE
26  \??\c:\vpjpd.exe  cmd: c:\vpjpd.exe  PID:2200  Executes dropped EXE
27  \??\c:\8688444.exe  cmd: c:\8688444.exe  PID:920  Executes dropped EXE
28  \??\c:\e82006.exe  cmd: c:\e82006.exe  PID:772  Executes dropped EXE
29  \??\c:\468804.exe  cmd: c:\468804.exe  PID:2244  Executes dropped EXE
30  \??\c:\9ffrflr.exe  cmd: c:\9ffrflr.exe  PID:1544  Executes dropped EXE
31  \??\c:\m8006.exe  cmd: c:\m8006.exe  PID:2072  Executes dropped EXE
32  \??\c:\26448.exe  cmd: c:\26448.exe  PID:1748  Executes dropped EXE
33  \??\c:\60224.exe  cmd: c:\60224.exe  PID:884  Executes dropped EXE
34  \??\c:\jjpvj.exe  cmd: c:\jjpvj.exe  PID:1980  Executes dropped EXE
35  \??\c:\hhnhnh.exe  cmd: c:\hhnhnh.exe  PID:1700  Executes dropped EXE
36  \??\c:\vjdjp.exe  cmd: c:\vjdjp.exe  PID:1712  Executes dropped EXE
37  \??\c:\g8662.exe  cmd: c:\g8662.exe  PID:1420  Executes dropped EXE
38  \??\c:\ppjjv.exe  cmd: c:\ppjjv.exe  PID:1984  Executes dropped EXE
39  \??\c:\s2088.exe  cmd: c:\s2088.exe  PID:580  Executes dropped EXE
40  \??\c:\lxrlllx.exe  cmd: c:\lxrlllx.exe  PID:2940  Executes dropped EXE
41  \??\c:\486666.exe  cmd: c:\486666.exe  PID:2832  Executes dropped EXE
42  \??\c:\5tnttn.exe  cmd: c:\5tnttn.exe  PID:2844  Executes dropped EXE
43  \??\c:\lfflrxr.exe  cmd: c:\lfflrxr.exe  PID:2888  Executes dropped EXE
44  \??\c:\264682.exe  cmd: c:\264682.exe  PID:2808  Executes dropped EXE
45  \??\c:\82680.exe  cmd: c:\82680.exe  PID:2892  Executes dropped EXE
46  \??\c:\9fxfrxl.exe  cmd: c:\9fxfrxl.exe  PID:2688  Executes dropped EXE
47  \??\c:\8266844.exe  cmd: c:\8266844.exe  PID:2712  Executes dropped EXE
48  \??\c:\hbnbht.exe  cmd: c:\hbnbht.exe  PID:1648  Executes dropped EXE
49  \??\c:\0488444.exe  cmd: c:\0488444.exe  PID:2752  Executes dropped EXE
50  \??\c:\u088666.exe  cmd: c:\u088666.exe  PID:2512  Executes dropped EXE
51  \??\c:\02642.exe  cmd: c:\02642.exe  PID:2900  Executes dropped EXE
52  \??\c:\vpddp.exe  cmd: c:\vpddp.exe  PID:2588  Executes dropped EXE
53  \??\c:\4862840.exe  cmd: c:\4862840.exe  PID:868  Executes dropped EXE
54  \??\c:\5ntbhh.exe  cmd: c:\5ntbhh.exe  PID:3060  Executes dropped EXE
55  \??\c:\4884460.exe  cmd: c:\4884460.exe  PID:1292  Executes dropped EXE
56  \??\c:\tbbtth.exe  cmd: c:\tbbtth.exe  PID:1160  Executes dropped EXE
57  \??\c:\q20066.exe  cmd: c:\q20066.exe  PID:620  Executes dropped EXE
58  \??\c:\864628.exe  cmd: c:\864628.exe  PID:1804  Executes dropped EXE
59  \??\c:\tnhnbb.exe  cmd: c:\tnhnbb.exe  PID:1852  Executes dropped EXE
60  \??\c:\642840.exe  cmd: c:\642840.exe  PID:2084  Executes dropped EXE
61  \??\c:\820248.exe  cmd: c:\820248.exe  PID:2280  Executes dropped EXE
62  \??\c:\q48800.exe  cmd: c:\q48800.exe  PID:1256  Executes dropped EXE
63  \??\c:\3vjjp.exe  cmd: c:\3vjjp.exe  PID:908  Executes dropped EXE
64  \??\c:\1xrllrx.exe  cmd: c:\1xrllrx.exe  PID:2552  Executes dropped EXE
65  \??\c:\frffrrx.exe  cmd: c:\frffrrx.exe  PID:1856  Executes dropped EXE
66  \??\c:\5lxrrrx.exe  cmd: c:\5lxrrrx.exe  PID:960
67  \??\c:\lfrxlrf.exe  cmd: c:\lfrxlrf.exe  PID:1992
68  \??\c:\dpjjp.exe  cmd: c:\dpjjp.exe  PID:496
69  \??\c:\bthhnt.exe  cmd: c:\bthhnt.exe  PID:896
70  \??\c:\260688.exe  cmd: c:\260688.exe  PID:1548
71  \??\c:\642840.exe  cmd: c:\642840.exe  PID:2140
72  \??\c:\u022884.exe  cmd: c:\u022884.exe  PID:1692
73  \??\c:\2828464.exe  cmd: c:\2828464.exe  PID:1732
74  \??\c:\0862402.exe  cmd: c:\0862402.exe  PID:2336
75  \??\c:\04880.exe  cmd: c:\04880.exe  PID:892
76  \??\c:\1hbtbb.exe  cmd: c:\1hbtbb.exe  PID:1324
77  \??\c:\5nbbhn.exe  cmd: c:\5nbbhn.exe  PID:1568
78  \??\c:\dpvvv.exe  cmd: c:\dpvvv.exe  PID:2624
79  \??\c:\9xlxfxl.exe  cmd: c:\9xlxfxl.exe  PID:2368
80  \??\c:\6028446.exe  cmd: c:\6028446.exe  PID:2104
81  \??\c:\jvjjj.exe  cmd: c:\jvjjj.exe  PID:2000
82  \??\c:\lfxrxxf.exe  cmd: c:\lfxrxxf.exe  PID:1660
83  \??\c:\dvjjp.exe  cmd: c:\dvjjp.exe  PID:1476
84  \??\c:\3xxxrfl.exe  cmd: c:\3xxxrfl.exe  PID:2820
85  \??\c:\826688.exe  cmd: c:\826688.exe  PID:2848
86  \??\c:\08662.exe  cmd: c:\08662.exe  PID:2260
87  \??\c:\02668.exe  cmd: c:\02668.exe  PID:2932
88  \??\c:\vpddj.exe  cmd: c:\vpddj.exe  PID:2976
89  \??\c:\04880.exe  cmd: c:\04880.exe  PID:2740
90  \??\c:\q08400.exe  cmd: c:\q08400.exe  PID:2692
91  \??\c:\fxrrfrf.exe  cmd: c:\fxrrfrf.exe  PID:2712
92  \??\c:\26068.exe  cmd: c:\26068.exe  PID:2744
93  \??\c:\vpjpd.exe  cmd: c:\vpjpd.exe  PID:2752
94  \??\c:\646682.exe  cmd: c:\646682.exe  PID:612
95  \??\c:\jdvjp.exe  cmd: c:\jdvjp.exe  PID:1720
96  \??\c:\426240.exe  cmd: c:\426240.exe  PID:1376
97  \??\c:\6600624.exe  cmd: c:\6600624.exe  PID:868
98  \??\c:\3pjpv.exe  cmd: c:\3pjpv.exe  PID:3004
99  \??\c:\424000.exe  cmd: c:\424000.exe  PID:696
100  \??\c:\260244.exe  cmd: c:\260244.exe  PID:1508
101  \??\c:\2600686.exe  cmd: c:\2600686.exe  PID:1224
102  \??\c:\640022.exe  cmd: c:\640022.exe  PID:2572  System Location Discovery: System Language Discovery
103  \??\c:\3djdd.exe  cmd: c:\3djdd.exe  PID:2376
104  \??\c:\266628.exe  cmd: c:\266628.exe  PID:1104
105  \??\c:\llflxlr.exe  cmd: c:\llflxlr.exe  PID:1192
106  \??\c:\w46624.exe  cmd: c:\w46624.exe  PID:2996
107  \??\c:\xrlrxxl.exe  cmd: c:\xrlrxxl.exe  PID:764
108  \??\c:\4200668.exe  cmd: c:\4200668.exe  PID:1340
109  \??\c:\dvpvj.exe  cmd: c:\dvpvj.exe  PID:1524
110  \??\c:\42628.exe  cmd: c:\42628.exe  PID:848
111  \??\c:\pjvvj.exe  cmd: c:\pjvvj.exe  PID:2016
112  \??\c:\5tbhth.exe  cmd: c:\5tbhth.exe  PID:1536
113  \??\c:\080206.exe  cmd: c:\080206.exe  PID:920
114  \??\c:\e08868.exe  cmd: c:\e08868.exe  PID:1636
115  \??\c:\bbtbhn.exe  cmd: c:\bbtbhn.exe  PID:2640
116  \??\c:\g8228.exe  cmd: c:\g8228.exe  PID:2428
117  \??\c:\nhbbbh.exe  cmd: c:\nhbbbh.exe  PID:1632
118  \??\c:\5frrxxl.exe  cmd: c:\5frrxxl.exe  PID:1504
119  \??\c:\48684.exe  cmd: c:\48684.exe  PID:2212
120  \??\c:\hhhnbt.exe  cmd: c:\hhhnbt.exe  PID:1600
121  \??\c:\4206846.exe  cmd: c:\4206846.exe  PID:1736
122  \??\c:\thhtnt.exe  cmd: c:\thhtnt.exe  PID:2388  System Location Discovery: System Language Discovery