Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26/12/2024, 03:23
Static task
static1
Behavioral task
behavioral1
Sample
3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe
Resource
win7-20241010-en
General
-
Target
3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe
-
Size
453KB
-
MD5
b70d25eed3d9ed33864f62e5090b2583
-
SHA1
a31aa27f72b9f48c7e80ea5dac32f99653c35063
-
SHA256
3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568
-
SHA512
65b962fa8f481d7867f1a7cc9e46f170b1a68b87c1ba7ab482360dc190041c8e997d8cd807b3e092ad8395dc1762226512737c7799691ffd60bec999b5b8cd69
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/2520-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-96-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2552-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1284-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1284-127-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1620-131-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/3052-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1300-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-226-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1972-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/552-281-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1252-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-337-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2068-344-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2996-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-386-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2688-384-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2712-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-455-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3052-461-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/2064-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-504-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2228-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-556-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2344-564-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2680-686-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/3048-706-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2756-725-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2868-734-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2868-754-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3016-765-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2184 42264.exe 2164 tnhhtt.exe 2408 m8284.exe 2160 1jppp.exe 2884 i084668.exe 2960 a0840.exe 2784 c088064.exe 2692 xrllxxl.exe 2668 266200.exe 2552 080622.exe 1624 3thhtb.exe 1284 420026.exe 1620 pvjpd.exe 3052 42002.exe 2196 lfflflf.exe 3040 048846.exe 2356 3pdjp.exe 536 q24882.exe 2380 7xxfrrf.exe 1300 m6402.exe 2008 424466.exe 2964 vpdjj.exe 2528 bnhbbb.exe 1780 pdjvv.exe 552 7jpjj.exe 1688 rxfflff.exe 1972 q64448.exe 2292 64628.exe 1924 o022884.exe 2596 46444.exe 1252 hbthbb.exe 1968 9bbttn.exe 1568 lxfffff.exe 2432 s8484.exe 2468 4280262.exe 2472 thnntt.exe 2232 86844.exe 2068 68488.exe 2948 9hbbhb.exe 2812 20224.exe 2132 q80688.exe 2996 26284.exe 1848 nbhbnh.exe 2688 7vppv.exe 2712 nttbbb.exe 2740 dpjvv.exe 1996 k44848.exe 1296 llfrffr.exe 2504 6466284.exe 2516 2206644.exe 2844 7vddd.exe 3052 i806828.exe 1604 lxfrfrx.exe 2896 fxffxll.exe 1952 46822.exe 2064 646664.exe 2396 jvddp.exe 928 jdppd.exe 2312 hnttnh.exe 1932 202200.exe 1520 jvdjv.exe 1360 dpvpp.exe 2336 488088.exe 1524 5pvvd.exe -
resource yara_rule behavioral1/memory/2520-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-212-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2528-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-609-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2944-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-693-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3048-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-819-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o240228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q80688.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8028444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w04644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6022284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 246660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2520 wrote to memory of 2184 2520 3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe 30 PID 2520 wrote to memory of 2184 2520 3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe 30 PID 2520 wrote to memory of 2184 2520 3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe 30 PID 2520 wrote to memory of 2184 2520 3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe 30 PID 2184 wrote to memory of 2164 2184 42264.exe 31 PID 2184 wrote to memory of 2164 2184 42264.exe 31 PID 2184 wrote to memory of 2164 2184 42264.exe 31 PID 2184 wrote to memory of 2164 2184 42264.exe 31 PID 2164 wrote to memory of 2408 2164 tnhhtt.exe 32 PID 2164 wrote to memory of 2408 2164 tnhhtt.exe 32 PID 2164 wrote to memory of 2408 2164 tnhhtt.exe 32 PID 2164 wrote to memory of 2408 2164 tnhhtt.exe 32 PID 2408 wrote to memory of 2160 2408 m8284.exe 33 PID 2408 wrote to memory of 2160 2408 m8284.exe 33 PID 2408 wrote to memory of 2160 2408 m8284.exe 33 PID 2408 wrote to memory of 2160 2408 m8284.exe 33 PID 2160 wrote to memory of 2884 2160 1jppp.exe 34 PID 2160 wrote to memory of 2884 2160 1jppp.exe 34 PID 2160 wrote to memory of 2884 2160 1jppp.exe 34 PID 2160 wrote to memory of 2884 2160 1jppp.exe 34 PID 2884 wrote to memory of 2960 2884 i084668.exe 35 PID 2884 wrote to memory of 2960 2884 i084668.exe 35 PID 2884 wrote to memory of 2960 2884 i084668.exe 35 PID 2884 wrote to memory of 2960 2884 i084668.exe 35 PID 2960 wrote to memory of 2784 2960 a0840.exe 36 PID 2960 wrote to memory of 2784 2960 a0840.exe 36 PID 2960 wrote to memory of 2784 2960 a0840.exe 36 PID 2960 wrote to memory of 2784 2960 a0840.exe 36 PID 2784 wrote to memory of 2692 2784 c088064.exe 37 PID 2784 wrote to memory of 2692 2784 c088064.exe 37 PID 2784 wrote to memory of 2692 2784 c088064.exe 37 PID 2784 wrote to memory of 2692 2784 c088064.exe 37 PID 2692 wrote to memory of 2668 2692 xrllxxl.exe 38 PID 2692 wrote to 
memory of 2668 2692 xrllxxl.exe 38 PID 2692 wrote to memory of 2668 2692 xrllxxl.exe 38 PID 2692 wrote to memory of 2668 2692 xrllxxl.exe 38 PID 2668 wrote to memory of 2552 2668 266200.exe 39 PID 2668 wrote to memory of 2552 2668 266200.exe 39 PID 2668 wrote to memory of 2552 2668 266200.exe 39 PID 2668 wrote to memory of 2552 2668 266200.exe 39 PID 2552 wrote to memory of 1624 2552 080622.exe 40 PID 2552 wrote to memory of 1624 2552 080622.exe 40 PID 2552 wrote to memory of 1624 2552 080622.exe 40 PID 2552 wrote to memory of 1624 2552 080622.exe 40 PID 1624 wrote to memory of 1284 1624 3thhtb.exe 41 PID 1624 wrote to memory of 1284 1624 3thhtb.exe 41 PID 1624 wrote to memory of 1284 1624 3thhtb.exe 41 PID 1624 wrote to memory of 1284 1624 3thhtb.exe 41 PID 1284 wrote to memory of 1620 1284 420026.exe 42 PID 1284 wrote to memory of 1620 1284 420026.exe 42 PID 1284 wrote to memory of 1620 1284 420026.exe 42 PID 1284 wrote to memory of 1620 1284 420026.exe 42 PID 1620 wrote to memory of 3052 1620 pvjpd.exe 43 PID 1620 wrote to memory of 3052 1620 pvjpd.exe 43 PID 1620 wrote to memory of 3052 1620 pvjpd.exe 43 PID 1620 wrote to memory of 3052 1620 pvjpd.exe 43 PID 3052 wrote to memory of 2196 3052 42002.exe 44 PID 3052 wrote to memory of 2196 3052 42002.exe 44 PID 3052 wrote to memory of 2196 3052 42002.exe 44 PID 3052 wrote to memory of 2196 3052 42002.exe 44 PID 2196 wrote to memory of 3040 2196 lfflflf.exe 45 PID 2196 wrote to memory of 3040 2196 lfflflf.exe 45 PID 2196 wrote to memory of 3040 2196 lfflflf.exe 45 PID 2196 wrote to memory of 3040 2196 lfflflf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe"C:\Users\Admin\AppData\Local\Temp\3d353bb177b2d5b32a1ce93222eb127f691f7d9afb133093c98422b04f4dd568.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\42264.exec:\42264.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\tnhhtt.exec:\tnhhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\m8284.exec:\m8284.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\1jppp.exec:\1jppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\i084668.exec:\i084668.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\a0840.exec:\a0840.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\c088064.exec:\c088064.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\xrllxxl.exec:\xrllxxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\266200.exec:\266200.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\080622.exec:\080622.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\3thhtb.exec:\3thhtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\420026.exec:\420026.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\pvjpd.exec:\pvjpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\42002.exec:\42002.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\lfflflf.exec:\lfflflf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\048846.exec:\048846.exe17⤵
- Executes dropped EXE
PID:3040 -
\??\c:\3pdjp.exec:\3pdjp.exe18⤵
- Executes dropped EXE
PID:2356 -
\??\c:\q24882.exec:\q24882.exe19⤵
- Executes dropped EXE
PID:536 -
\??\c:\7xxfrrf.exec:\7xxfrrf.exe20⤵
- Executes dropped EXE
PID:2380 -
\??\c:\m6402.exec:\m6402.exe21⤵
- Executes dropped EXE
PID:1300 -
\??\c:\424466.exec:\424466.exe22⤵
- Executes dropped EXE
PID:2008 -
\??\c:\vpdjj.exec:\vpdjj.exe23⤵
- Executes dropped EXE
PID:2964 -
\??\c:\bnhbbb.exec:\bnhbbb.exe24⤵
- Executes dropped EXE
PID:2528 -
\??\c:\pdjvv.exec:\pdjvv.exe25⤵
- Executes dropped EXE
PID:1780 -
\??\c:\7jpjj.exec:\7jpjj.exe26⤵
- Executes dropped EXE
PID:552 -
\??\c:\rxfflff.exec:\rxfflff.exe27⤵
- Executes dropped EXE
PID:1688 -
\??\c:\q64448.exec:\q64448.exe28⤵
- Executes dropped EXE
PID:1972 -
\??\c:\64628.exec:\64628.exe29⤵
- Executes dropped EXE
PID:2292 -
\??\c:\o022884.exec:\o022884.exe30⤵
- Executes dropped EXE
PID:1924 -
\??\c:\46444.exec:\46444.exe31⤵
- Executes dropped EXE
PID:2596 -
\??\c:\hbthbb.exec:\hbthbb.exe32⤵
- Executes dropped EXE
PID:1252 -
\??\c:\9bbttn.exec:\9bbttn.exe33⤵
- Executes dropped EXE
PID:1968 -
\??\c:\lxfffff.exec:\lxfffff.exe34⤵
- Executes dropped EXE
PID:1568 -
\??\c:\s8484.exec:\s8484.exe35⤵
- Executes dropped EXE
PID:2432 -
\??\c:\4280262.exec:\4280262.exe36⤵
- Executes dropped EXE
PID:2468 -
\??\c:\thnntt.exec:\thnntt.exe37⤵
- Executes dropped EXE
PID:2472 -
\??\c:\86844.exec:\86844.exe38⤵
- Executes dropped EXE
PID:2232 -
\??\c:\68488.exec:\68488.exe39⤵
- Executes dropped EXE
PID:2068 -
\??\c:\9hbbhb.exec:\9hbbhb.exe40⤵
- Executes dropped EXE
PID:2948 -
\??\c:\20224.exec:\20224.exe41⤵
- Executes dropped EXE
PID:2812 -
\??\c:\q80688.exec:\q80688.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2132 -
\??\c:\26284.exec:\26284.exe43⤵
- Executes dropped EXE
PID:2996 -
\??\c:\nbhbnh.exec:\nbhbnh.exe44⤵
- Executes dropped EXE
PID:1848 -
\??\c:\7vppv.exec:\7vppv.exe45⤵
- Executes dropped EXE
PID:2688 -
\??\c:\nttbbb.exec:\nttbbb.exe46⤵
- Executes dropped EXE
PID:2712 -
\??\c:\dpjvv.exec:\dpjvv.exe47⤵
- Executes dropped EXE
PID:2740 -
\??\c:\k44848.exec:\k44848.exe48⤵
- Executes dropped EXE
PID:1996 -
\??\c:\llfrffr.exec:\llfrffr.exe49⤵
- Executes dropped EXE
PID:1296 -
\??\c:\6466284.exec:\6466284.exe50⤵
- Executes dropped EXE
PID:2504 -
\??\c:\2206644.exec:\2206644.exe51⤵
- Executes dropped EXE
PID:2516 -
\??\c:\7vddd.exec:\7vddd.exe52⤵
- Executes dropped EXE
PID:2844 -
\??\c:\i806828.exec:\i806828.exe53⤵
- Executes dropped EXE
PID:3052 -
\??\c:\lxfrfrx.exec:\lxfrfrx.exe54⤵
- Executes dropped EXE
PID:1604 -
\??\c:\fxffxll.exec:\fxffxll.exe55⤵
- Executes dropped EXE
PID:2896 -
\??\c:\46822.exec:\46822.exe56⤵
- Executes dropped EXE
PID:1952 -
\??\c:\646664.exec:\646664.exe57⤵
- Executes dropped EXE
PID:2064 -
\??\c:\jvddp.exec:\jvddp.exe58⤵
- Executes dropped EXE
PID:2396 -
\??\c:\jdppd.exec:\jdppd.exe59⤵
- Executes dropped EXE
PID:928 -
\??\c:\hnttnh.exec:\hnttnh.exe60⤵
- Executes dropped EXE
PID:2312 -
\??\c:\202200.exec:\202200.exe61⤵
- Executes dropped EXE
PID:1932 -
\??\c:\jvdjv.exec:\jvdjv.exe62⤵
- Executes dropped EXE
PID:1520 -
\??\c:\dpvpp.exec:\dpvpp.exe63⤵
- Executes dropped EXE
PID:1360 -
\??\c:\488088.exec:\488088.exe64⤵
- Executes dropped EXE
PID:2336 -
\??\c:\5pvvd.exec:\5pvvd.exe65⤵
- Executes dropped EXE
PID:1524 -
\??\c:\7rffrrx.exec:\7rffrrx.exe66⤵PID:2228
-
\??\c:\608800.exec:\608800.exe67⤵PID:1048
-
\??\c:\bhbhbn.exec:\bhbhbn.exe68⤵PID:1688
-
\??\c:\tntbbh.exec:\tntbbh.exe69⤵PID:1976
-
\??\c:\s8624.exec:\s8624.exe70⤵PID:1984
-
\??\c:\vvjpv.exec:\vvjpv.exe71⤵PID:2344
-
\??\c:\jjdjv.exec:\jjdjv.exe72⤵PID:2088
-
\??\c:\llfflxf.exec:\llfflxf.exe73⤵PID:884
-
\??\c:\rllrllf.exec:\rllrllf.exe74⤵PID:324
-
\??\c:\264800.exec:\264800.exe75⤵PID:1936
-
\??\c:\08624.exec:\08624.exe76⤵PID:1576
-
\??\c:\jdpvj.exec:\jdpvj.exe77⤵PID:2432
-
\??\c:\00846.exec:\00846.exe78⤵PID:2260
-
\??\c:\xrlrxfr.exec:\xrlrxfr.exe79⤵PID:2236
-
\??\c:\xlxrrxf.exec:\xlxrrxf.exe80⤵PID:2448
-
\??\c:\42840.exec:\42840.exe81⤵PID:2944
-
\??\c:\264062.exec:\264062.exe82⤵PID:2860
-
\??\c:\2044062.exec:\2044062.exe83⤵PID:2676
-
\??\c:\u422440.exec:\u422440.exe84⤵PID:2960
-
\??\c:\fxrlrfr.exec:\fxrlrfr.exe85⤵PID:2900
-
\??\c:\ffrfrrf.exec:\ffrfrrf.exe86⤵PID:2784
-
\??\c:\fxrxffx.exec:\fxrxffx.exe87⤵PID:2680
-
\??\c:\7xlrflx.exec:\7xlrflx.exe88⤵PID:2968
-
\??\c:\k26468.exec:\k26468.exe89⤵PID:2732
-
\??\c:\vjddv.exec:\vjddv.exe90⤵PID:3044
-
\??\c:\5vdjj.exec:\5vdjj.exe91⤵PID:1144
-
\??\c:\m8286.exec:\m8286.exe92⤵PID:672
-
\??\c:\82680.exec:\82680.exe93⤵PID:3048
-
\??\c:\rrlxxfl.exec:\rrlxxfl.exe94⤵PID:2204
-
\??\c:\04284.exec:\04284.exe95⤵PID:2224
-
\??\c:\8644002.exec:\8644002.exe96⤵PID:2756
-
\??\c:\0442068.exec:\0442068.exe97⤵PID:2868
-
\??\c:\nnntbh.exec:\nnntbh.exe98⤵PID:3016
-
\??\c:\jjdjp.exec:\jjdjp.exe99⤵PID:1256
-
\??\c:\o824224.exec:\o824224.exe100⤵PID:2372
-
\??\c:\4200224.exec:\4200224.exe101⤵PID:1096
-
\??\c:\jvvdj.exec:\jvvdj.exe102⤵PID:1032
-
\??\c:\rlfflrf.exec:\rlfflrf.exe103⤵PID:448
-
\??\c:\42628.exec:\42628.exe104⤵PID:2368
-
\??\c:\6080628.exec:\6080628.exe105⤵PID:2608
-
\??\c:\bnthnn.exec:\bnthnn.exe106⤵PID:640
-
\??\c:\4806880.exec:\4806880.exe107⤵PID:2564
-
\??\c:\e60688.exec:\e60688.exe108⤵PID:2528
-
\??\c:\jdvdv.exec:\jdvdv.exe109⤵PID:1724
-
\??\c:\vvvvd.exec:\vvvvd.exe110⤵PID:2228
-
\??\c:\26846.exec:\26846.exe111⤵PID:900
-
\??\c:\2602402.exec:\2602402.exe112⤵PID:1276
-
\??\c:\64402.exec:\64402.exe113⤵PID:1976
-
\??\c:\7jdpp.exec:\7jdpp.exe114⤵PID:1192
-
\??\c:\5xlllxl.exec:\5xlllxl.exe115⤵PID:2344
-
\??\c:\jdpvd.exec:\jdpvd.exe116⤵PID:2016
-
\??\c:\66460.exec:\66460.exe117⤵PID:868
-
\??\c:\04680.exec:\04680.exe118⤵PID:1968
-
\??\c:\g4662.exec:\g4662.exe119⤵PID:1580
-
\??\c:\vvvpd.exec:\vvvpd.exe120⤵PID:1572
-
\??\c:\hbthnt.exec:\hbthnt.exe121⤵PID:2192
-
\??\c:\o240662.exec:\o240662.exe122⤵PID:2248