Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2024, 15:58
Static task: static1
Behavioral task: behavioral1
Sample: d98c43cbd709152f41b1875199f921814b22f77f13e2cfbfa7012a319bcd424e.exe
Resource: win7-20241023-en
General
Target: d98c43cbd709152f41b1875199f921814b22f77f13e2cfbfa7012a319bcd424e.exe
Size: 454KB
MD5: 8e20e60a640e12c24ebbd12f1af7dcef
SHA1: bdfa5ba3f44d81bde4ca89d270e538cbf63f9485
SHA256: d98c43cbd709152f41b1875199f921814b22f77f13e2cfbfa7012a319bcd424e
SHA512: 97290083b3e40a43d3a15517d62349f3b704bbd64aa35e0c7d3c21597ff2cf02d0c38ce0b072f4e21f55814f07bf7a97772952df65743e9ab20c4daf268ef20a
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
Executes dropped EXE 64 IoCs
-
UPX (yara rule upx matched in process memory dumps)
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree, one process per line as "depth. path (command line) PID: signatures"; the depth number is the nesting level in the original tree, each entry being a child of the previous one.
1. C:\Users\Admin\AppData\Local\Temp\d98c43cbd709152f41b1875199f921814b22f77f13e2cfbfa7012a319bcd424e.exe ("C:\Users\Admin\AppData\Local\Temp\d98c43cbd709152f41b1875199f921814b22f77f13e2cfbfa7012a319bcd424e.exe") PID 2416: Suspicious use of WriteProcessMemory
2. \??\c:\frllrrf.exe (c:\frllrrf.exe) PID 1732: Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\hhhntb.exe (c:\hhhntb.exe) PID 1088: Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\42846.exe (c:\42846.exe) PID 2892: Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\bbtthh.exe (c:\bbtthh.exe) PID 2820: Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\g4280.exe (c:\g4280.exe) PID 2976: Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\48624.exe (c:\48624.exe) PID 2716: Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\7bnbhb.exe (c:\7bnbhb.exe) PID 2920: Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\c240062.exe (c:\c240062.exe) PID 2924: Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\g2002.exe (c:\g2002.exe) PID 2712: Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\1vdvv.exe (c:\1vdvv.exe) PID 2832: Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\5vjjp.exe (c:\5vjjp.exe) PID 2140: Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\00842.exe (c:\00842.exe) PID 1656: Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\00288.exe (c:\00288.exe) PID 2888: Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\3thbtt.exe (c:\3thbtt.exe) PID 1716: Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\1pjvv.exe (c:\1pjvv.exe) PID 1084: Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\0862446.exe (c:\0862446.exe) PID 1960: Executes dropped EXE
18. \??\c:\208466.exe (c:\208466.exe) PID 1032: Executes dropped EXE
19. \??\c:\20846.exe (c:\20846.exe) PID 3044: Executes dropped EXE
20. \??\c:\7frllrx.exe (c:\7frllrx.exe) PID 1604: Executes dropped EXE
21. \??\c:\6662040.exe (c:\6662040.exe) PID 2288: Executes dropped EXE
22. \??\c:\q26244.exe (c:\q26244.exe) PID 2392: Executes dropped EXE
23. \??\c:\dpjvj.exe (c:\dpjvj.exe) PID 2396: Executes dropped EXE
24. \??\c:\pjpvd.exe (c:\pjpvd.exe) PID 1440: Executes dropped EXE
25. \??\c:\lfxllrf.exe (c:\lfxllrf.exe) PID 836: Executes dropped EXE
26. \??\c:\jddjp.exe (c:\jddjp.exe) PID 3016: Executes dropped EXE
27. \??\c:\64880.exe (c:\64880.exe) PID 868: Executes dropped EXE
28. \??\c:\vjddd.exe (c:\vjddd.exe) PID 564: Executes dropped EXE
29. \??\c:\0884468.exe (c:\0884468.exe) PID 2224: Executes dropped EXE
30. \??\c:\8064620.exe (c:\8064620.exe) PID 1728: Executes dropped EXE
31. \??\c:\m0886.exe (c:\m0886.exe) PID 1552: Executes dropped EXE
32. \??\c:\nhbhth.exe (c:\nhbhth.exe) PID 1672: Executes dropped EXE
33. \??\c:\bhnhbn.exe (c:\bhnhbn.exe) PID 2684: Executes dropped EXE
34. \??\c:\9thntt.exe (c:\9thntt.exe) PID 2632: Executes dropped EXE
35. \??\c:\pjvdj.exe (c:\pjvdj.exe) PID 1596: Executes dropped EXE
36. \??\c:\hhbhtt.exe (c:\hhbhtt.exe) PID 1264: Executes dropped EXE
37. \??\c:\lrxffxf.exe (c:\lrxffxf.exe) PID 2996: Executes dropped EXE
38. \??\c:\4086426.exe (c:\4086426.exe) PID 2596: Executes dropped EXE
39. \??\c:\bnnhnb.exe (c:\bnnhnb.exe) PID 2952: Executes dropped EXE
40. \??\c:\rxflrrf.exe (c:\rxflrrf.exe) PID 2860: Executes dropped EXE
41. \??\c:\jjpdp.exe (c:\jjpdp.exe) PID 2584: Executes dropped EXE
42. \??\c:\tnhhnh.exe (c:\tnhhnh.exe) PID 2136: Executes dropped EXE
43. \??\c:\064820.exe (c:\064820.exe) PID 2736: Executes dropped EXE
44. \??\c:\7tbbbb.exe (c:\7tbbbb.exe) PID 2876: Executes dropped EXE
45. \??\c:\xrflxfr.exe (c:\xrflxfr.exe) PID 2720: Executes dropped EXE
46. \??\c:\fxlxxfl.exe (c:\fxlxxfl.exe) PID 2752: Executes dropped EXE
47. \??\c:\9pddj.exe (c:\9pddj.exe) PID 2848: Executes dropped EXE
48. \??\c:\088022.exe (c:\088022.exe) PID 1956: Executes dropped EXE
49. \??\c:\k64062.exe (c:\k64062.exe) PID 2760: Executes dropped EXE
50. \??\c:\u084228.exe (c:\u084228.exe) PID 1508: Executes dropped EXE
51. \??\c:\fllxrxl.exe (c:\fllxrxl.exe) PID 292: Executes dropped EXE
52. \??\c:\ffxxxrf.exe (c:\ffxxxrf.exe) PID 2768: Executes dropped EXE
53. \??\c:\dvppd.exe (c:\dvppd.exe) PID 532: Executes dropped EXE
54. \??\c:\264466.exe (c:\264466.exe) PID 700: Executes dropped EXE
55. \??\c:\xxxflrf.exe (c:\xxxflrf.exe) PID 1032: Executes dropped EXE
56. \??\c:\602800.exe (c:\602800.exe) PID 636: Executes dropped EXE
57. \??\c:\u200628.exe (c:\u200628.exe) PID 1832: Executes dropped EXE
58. \??\c:\0084668.exe (c:\0084668.exe) PID 332: Executes dropped EXE
59. \??\c:\u862648.exe (c:\u862648.exe) PID 2288: Executes dropped EXE
60. \??\c:\vpdjv.exe (c:\vpdjv.exe) PID 2392: Executes dropped EXE
61. \??\c:\262060.exe (c:\262060.exe) PID 2464: Executes dropped EXE
62. \??\c:\dvpvp.exe (c:\dvpvp.exe) PID 1836: Executes dropped EXE
63. \??\c:\jdvvp.exe (c:\jdvvp.exe) PID 1816: Executes dropped EXE
64. \??\c:\xrlrlrf.exe (c:\xrlrlrf.exe) PID 2268: Executes dropped EXE
65. \??\c:\a0806.exe (c:\a0806.exe) PID 2456: Executes dropped EXE
66. \??\c:\826840.exe (c:\826840.exe) PID 896
67. \??\c:\826086.exe (c:\826086.exe) PID 2448
68. \??\c:\bnbnbb.exe (c:\bnbnbb.exe) PID 2228
69. \??\c:\042800.exe (c:\042800.exe) PID 2192
70. \??\c:\82680.exe (c:\82680.exe) PID 2236
71. \??\c:\3rffxfl.exe (c:\3rffxfl.exe) PID 2208
72. \??\c:\jdvvj.exe (c:\jdvvj.exe) PID 1948
73. \??\c:\1vddj.exe (c:\1vddj.exe) PID 888
74. \??\c:\q08022.exe (c:\q08022.exe) PID 1720
75. \??\c:\xrfflll.exe (c:\xrfflll.exe) PID 2576
76. \??\c:\1vjpv.exe (c:\1vjpv.exe) PID 1628
77. \??\c:\48220.exe (c:\48220.exe) PID 2996
78. \??\c:\btnnbb.exe (c:\btnnbb.exe) PID 2800
79. \??\c:\xrlrrrr.exe (c:\xrlrrrr.exe) PID 2960
80. \??\c:\7vvdd.exe (c:\7vvdd.exe) PID 1992
81. \??\c:\820000.exe (c:\820000.exe) PID 2868
82. \??\c:\u600246.exe (c:\u600246.exe) PID 2148
83. \??\c:\86408.exe (c:\86408.exe) PID 1996
84. \??\c:\1fxrlll.exe (c:\1fxrlll.exe) PID 2840
85. \??\c:\420688.exe (c:\420688.exe) PID 344
86. \??\c:\lffxfxl.exe (c:\lffxfxl.exe) PID 1988
87. \??\c:\860022.exe (c:\860022.exe) PID 2704
88. \??\c:\bbtbnn.exe (c:\bbtbnn.exe) PID 2348
89. \??\c:\268400.exe (c:\268400.exe) PID 2872
90. \??\c:\g0242.exe (c:\g0242.exe) PID 1648
91. \??\c:\1jvjj.exe (c:\1jvjj.exe) PID 1496
92. \??\c:\tnhntt.exe (c:\tnhntt.exe) PID 3024
93. \??\c:\xrllxxl.exe (c:\xrllxxl.exe) PID 2480
94. \??\c:\48246.exe (c:\48246.exe) PID 708
95. \??\c:\4448408.exe (c:\4448408.exe) PID 2608
96. \??\c:\64668.exe (c:\64668.exe) PID 1952
97. \??\c:\0484024.exe (c:\0484024.exe) PID 1492
98. \??\c:\u084224.exe (c:\u084224.exe) PID 1140
99. \??\c:\i266824.exe (c:\i266824.exe) PID 2472
100. \??\c:\w64466.exe (c:\w64466.exe) PID 636
101. \??\c:\6606268.exe (c:\6606268.exe) PID 1604
102. \??\c:\9jdvj.exe (c:\9jdvj.exe) PID 2932
103. \??\c:\9llfllr.exe (c:\9llfllr.exe) PID 2288
104. \??\c:\hbnnbb.exe (c:\hbnnbb.exe) PID 2060
105. \??\c:\u268006.exe (c:\u268006.exe) PID 1568
106. \??\c:\48280.exe (c:\48280.exe) PID 1260
107. \??\c:\nhbhbh.exe (c:\nhbhbh.exe) PID 2572
108. \??\c:\3xrxflr.exe (c:\3xrxflr.exe) PID 2692
109. \??\c:\a0222.exe (c:\a0222.exe) PID 1312
110. \??\c:\48280.exe (c:\48280.exe) PID 564
111. \??\c:\i662408.exe (c:\i662408.exe) PID 1448
112. \??\c:\00888.exe (c:\00888.exe) PID 2156
113. \??\c:\86448.exe (c:\86448.exe) PID 1892
114. \??\c:\xfxxllr.exe (c:\xfxxllr.exe) PID 2176
115. \??\c:\pppdp.exe (c:\pppdp.exe) PID 2684
116. \??\c:\lxlrxrl.exe (c:\lxlrxrl.exe) PID 1948
117. \??\c:\42402.exe (c:\42402.exe) PID 1284
118. \??\c:\pdpvj.exe (c:\pdpvj.exe) PID 3048
119. \??\c:\04228.exe (c:\04228.exe) PID 1760
120. \??\c:\i440220.exe (c:\i440220.exe) PID 2368
121. \??\c:\bthnbb.exe (c:\bthnbb.exe) PID 2068
122. \??\c:\hhtthh.exe (c:\hhtthh.exe) PID 2252