Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2024, 10:28
Static task: static1
Behavioral task: behavioral1
Sample: de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe
Resource: win7-20241023-en
General
- Target: de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe
- Size: 454KB
- MD5: 3e63920f65e02eeda6e3fb37d9ce7930
- SHA1: 047d1f29d261976cf92c50d29146f8f38d9e4ac0
- SHA256: de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974
- SHA512: a3bc8b732ce1021eb546a333e2cce966c6f7ba27b84f7cd03cd8743c869ff216b28add77ee1992cc317a416e7fb5337adce26a9d28dc2ac2b8fd8576696df35a
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload 56 IoCs
resource  yara_rule
behavioral1/memory/2604-7-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1436-23-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2652-20-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2860-33-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2860-39-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2504-50-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2948-60-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2800-69-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2844-86-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2688-91-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2688-96-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2508-105-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/572-108-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/772-140-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/536-157-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2412-195-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2540-234-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1792-243-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3068-260-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1648-287-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3020-296-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2172-322-0x00000000003D0000-0x00000000003FA000-memory.dmp  family_blackmoon
behavioral1/memory/2172-324-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2380-310-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3028-356-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/3028-378-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1036-423-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1036-422-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2984-437-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2984-436-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1856-456-0x0000000000530000-0x000000000055A000-memory.dmp  family_blackmoon
behavioral1/memory/1856-455-0x0000000000530000-0x000000000055A000-memory.dmp  family_blackmoon
behavioral1/memory/1856-459-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1860-465-0x00000000003B0000-0x00000000003DA000-memory.dmp  family_blackmoon
behavioral1/memory/1860-468-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1860-467-0x00000000003B0000-0x00000000003DA000-memory.dmp  family_blackmoon
behavioral1/memory/928-510-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1552-522-0x00000000003A0000-0x00000000003CA000-memory.dmp  family_blackmoon
behavioral1/memory/1540-548-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1748-561-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1736-581-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2380-588-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1608-615-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2964-639-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2720-655-0x0000000000530000-0x000000000055A000-memory.dmp  family_blackmoon
behavioral1/memory/1488-699-0x00000000002B0000-0x00000000002DA000-memory.dmp  family_blackmoon
behavioral1/memory/2984-718-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1200-723-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
behavioral1/memory/2136-743-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2188-770-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/900-795-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2820-877-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2972-903-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/576-952-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/576-953-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2968-966-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
- Executes dropped EXE 64 IoCs
pid  Process
2652  82628.exe
1436  jvdjp.exe
2860  lxfxxxx.exe
2504  vjjdp.exe
2948  1jvvj.exe
2800  02044.exe
2228  vjddj.exe
2844  llrrxxl.exe
2688  rflllrx.exe
2508  m6402.exe
572  nhbbbh.exe
1756  1tbhnn.exe
1036  5vdvp.exe
772  2028840.exe
2976  0244484.exe
536  dvjpp.exe
324  bbhbtt.exe
2168  a2624.exe
1324  i088446.exe
2356  6246008.exe
2412  rflfllx.exe
1688  5thhbh.exe
448  bthbtb.exe
2868  64046.exe
2540  pdpjj.exe
1792  066648.exe
2216  hbtttt.exe
3068  5lrrrrf.exe
2284  22444.exe
2108  1jpvv.exe
1648  c644600.exe
1400  ddjvd.exe
3020  64666.exe
2380  xlffllr.exe
2652  486608.exe
2172  9pdpp.exe
2632  608804.exe
2536  1ntttb.exe
2880  5lrrrfl.exe
2804  6406668.exe
3028  3rlrrxl.exe
2528  8206484.exe
2720  1vppv.exe
2844  rfflflr.exe
2112  242282.exe
844  rlflrxl.exe
1844  4266822.exe
1040  btnnbb.exe
1756  482244.exe
2980  xxflrrx.exe
1036  42064.exe
772  7thnnb.exe
2984  08488.exe
536  m0646.exe
308  bhhnhn.exe
1856  fxflxrr.exe
1860  5tnnnt.exe
2360  084444.exe
2164  9dpjj.exe
2160  08484.exe
1212  a8044.exe
2656  k08288.exe
928  6046202.exe
2664  442828.exe
resource  yara_rule
behavioral1/memory/2604-0-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2652-10-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2604-7-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1436-23-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2652-20-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2860-33-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2948-51-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2504-50-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2948-60-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2800-69-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2844-86-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2508-105-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/572-108-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/772-140-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/536-157-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2412-195-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2540-234-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1792-243-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3068-260-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1648-287-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3020-296-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2172-324-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2632-325-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2380-310-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2380-303-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1648-278-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2844-371-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3028-378-0x0000000000220000-0x000000000024A000-memory.dmp  upx
behavioral1/memory/772-424-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1036-423-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1856-459-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1860-465-0x00000000003B0000-0x00000000003DA000-memory.dmp  upx
behavioral1/memory/2360-469-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1860-468-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2160-482-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/928-510-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1540-548-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2040-568-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1736-581-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2380-588-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2200-602-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1608-615-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2692-656-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2984-718-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2104-745-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/900-795-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1648-832-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2616-839-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1716-852-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2820-877-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2972-903-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/576-952-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2104-1021-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2252-1028-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2664-1059-0x0000000000400000-0x000000000042A000-memory.dmp  upx
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nnhnht.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  k80620.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lxllxxl.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  86446.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1rffxrx.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dvppj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6406668.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vdpdj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9rrlllr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7tbhhn.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c464440.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  82864.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ddvdv.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lxlfllx.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  06668.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7xllrrx.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rflllrx.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bhhnhn.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rlfrffl.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e08840.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pdpjj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
- Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2604 wrote to memory of 2652  2604  de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe  30
PID 2604 wrote to memory of 2652  2604  de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe  30
PID 2604 wrote to memory of 2652  2604  de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe  30
PID 2604 wrote to memory of 2652  2604  de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe  30
PID 2652 wrote to memory of 1436  2652  82628.exe  31
PID 2652 wrote to memory of 1436  2652  82628.exe  31
PID 2652 wrote to memory of 1436  2652  82628.exe  31
PID 2652 wrote to memory of 1436  2652  82628.exe  31
PID 1436 wrote to memory of 2860  1436  jvdjp.exe  32
PID 1436 wrote to memory of 2860  1436  jvdjp.exe  32
PID 1436 wrote to memory of 2860  1436  jvdjp.exe  32
PID 1436 wrote to memory of 2860  1436  jvdjp.exe  32
PID 2860 wrote to memory of 2504  2860  lxfxxxx.exe  33
PID 2860 wrote to memory of 2504  2860  lxfxxxx.exe  33
PID 2860 wrote to memory of 2504  2860  lxfxxxx.exe  33
PID 2860 wrote to memory of 2504  2860  lxfxxxx.exe  33
PID 2504 wrote to memory of 2948  2504  vjjdp.exe  34
PID 2504 wrote to memory of 2948  2504  vjjdp.exe  34
PID 2504 wrote to memory of 2948  2504  vjjdp.exe  34
PID 2504 wrote to memory of 2948  2504  vjjdp.exe  34
PID 2948 wrote to memory of 2800  2948  1jvvj.exe  35
PID 2948 wrote to memory of 2800  2948  1jvvj.exe  35
PID 2948 wrote to memory of 2800  2948  1jvvj.exe  35
PID 2948 wrote to memory of 2800  2948  1jvvj.exe  35
PID 2800 wrote to memory of 2228  2800  02044.exe  36
PID 2800 wrote to memory of 2228  2800  02044.exe  36
PID 2800 wrote to memory of 2228  2800  02044.exe  36
PID 2800 wrote to memory of 2228  2800  02044.exe  36
PID 2228 wrote to memory of 2844  2228  vjddj.exe  73
PID 2228 wrote to memory of 2844  2228  vjddj.exe  73
PID 2228 wrote to memory of 2844  2228  vjddj.exe  73
PID 2228 wrote to memory of 2844  2228  vjddj.exe  73
PID 2844 wrote to memory of 2688  2844  llrrxxl.exe  38
PID 2844 wrote to memory of 2688  2844  llrrxxl.exe  38
PID 2844 wrote to memory of 2688  2844  llrrxxl.exe  38
PID 2844 wrote to memory of 2688  2844  llrrxxl.exe  38
PID 2688 wrote to memory of 2508  2688  rflllrx.exe  39
PID 2688 wrote to memory of 2508  2688  rflllrx.exe  39
PID 2688 wrote to memory of 2508  2688  rflllrx.exe  39
PID 2688 wrote to memory of 2508  2688  rflllrx.exe  39
PID 2508 wrote to memory of 572  2508  m6402.exe  40
PID 2508 wrote to memory of 572  2508  m6402.exe  40
PID 2508 wrote to memory of 572  2508  m6402.exe  40
PID 2508 wrote to memory of 572  2508  m6402.exe  40
PID 572 wrote to memory of 1756  572  nhbbbh.exe  78
PID 572 wrote to memory of 1756  572  nhbbbh.exe  78
PID 572 wrote to memory of 1756  572  nhbbbh.exe  78
PID 572 wrote to memory of 1756  572  nhbbbh.exe  78
PID 1756 wrote to memory of 1036  1756  1tbhnn.exe  80
PID 1756 wrote to memory of 1036  1756  1tbhnn.exe  80
PID 1756 wrote to memory of 1036  1756  1tbhnn.exe  80
PID 1756 wrote to memory of 1036  1756  1tbhnn.exe  80
PID 1036 wrote to memory of 772  1036  5vdvp.exe  81
PID 1036 wrote to memory of 772  1036  5vdvp.exe  81
PID 1036 wrote to memory of 772  1036  5vdvp.exe  81
PID 1036 wrote to memory of 772  1036  5vdvp.exe  81
PID 772 wrote to memory of 2976  772  2028840.exe  44
PID 772 wrote to memory of 2976  772  2028840.exe  44
PID 772 wrote to memory of 2976  772  2028840.exe  44
PID 772 wrote to memory of 2976  772  2028840.exe  44
PID 2976 wrote to memory of 536  2976  0244484.exe  83
PID 2976 wrote to memory of 536  2976  0244484.exe  83
PID 2976 wrote to memory of 536  2976  0244484.exe  83
PID 2976 wrote to memory of 536  2976  0244484.exe  83
Processes
Each entry lists the image path, the command line, and the nesting level in the process tree, followed by the signatures it triggered and its PID.
C:\Users\Admin\AppData\Local\Temp\de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe | "C:\Users\Admin\AppData\Local\Temp\de03feb35792995a359665bb594b068813339c66f63774503efd64d8affae974N.exe" | level 1
- Suspicious use of WriteProcessMemory
PID: 2604
\??\c:\82628.exe | c:\82628.exe | level 2
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2652
\??\c:\jvdjp.exe | c:\jvdjp.exe | level 3
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1436
\??\c:\lxfxxxx.exe | c:\lxfxxxx.exe | level 4
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2860
\??\c:\vjjdp.exe | c:\vjjdp.exe | level 5
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2504
\??\c:\1jvvj.exe | c:\1jvvj.exe | level 6
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2948
\??\c:\02044.exe | c:\02044.exe | level 7
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2800
\??\c:\vjddj.exe | c:\vjddj.exe | level 8
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2228
\??\c:\llrrxxl.exe | c:\llrrxxl.exe | level 9
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2844
\??\c:\rflllrx.exe | c:\rflllrx.exe | level 10
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2688
\??\c:\m6402.exe | c:\m6402.exe | level 11
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2508
\??\c:\nhbbbh.exe | c:\nhbbbh.exe | level 12
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 572
\??\c:\1tbhnn.exe | c:\1tbhnn.exe | level 13
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1756
\??\c:\5vdvp.exe | c:\5vdvp.exe | level 14
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1036
\??\c:\2028840.exe | c:\2028840.exe | level 15
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 772
\??\c:\0244484.exe | c:\0244484.exe | level 16
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2976
\??\c:\dvjpp.exe | c:\dvjpp.exe | level 17
- Executes dropped EXE
PID: 536
\??\c:\bbhbtt.exe | c:\bbhbtt.exe | level 18
- Executes dropped EXE
PID: 324
\??\c:\a2624.exe | c:\a2624.exe | level 19
- Executes dropped EXE
PID: 2168
\??\c:\i088446.exe | c:\i088446.exe | level 20
- Executes dropped EXE
PID: 1324
\??\c:\6246008.exe | c:\6246008.exe | level 21
- Executes dropped EXE
PID: 2356
\??\c:\rflfllx.exe | c:\rflfllx.exe | level 22
- Executes dropped EXE
PID: 2412
\??\c:\5thhbh.exe | c:\5thhbh.exe | level 23
- Executes dropped EXE
PID: 1688
\??\c:\bthbtb.exe | c:\bthbtb.exe | level 24
- Executes dropped EXE
PID: 448
\??\c:\64046.exe | c:\64046.exe | level 25
- Executes dropped EXE
PID: 2868
\??\c:\pdpjj.exe | c:\pdpjj.exe | level 26
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2540
\??\c:\066648.exe | c:\066648.exe | level 27
- Executes dropped EXE
PID: 1792
\??\c:\hbtttt.exe | c:\hbtttt.exe | level 28
- Executes dropped EXE
PID: 2216
\??\c:\5lrrrrf.exe | c:\5lrrrrf.exe | level 29
- Executes dropped EXE
PID: 3068
\??\c:\22444.exe | c:\22444.exe | level 30
- Executes dropped EXE
PID: 2284
\??\c:\1jpvv.exe | c:\1jpvv.exe | level 31
- Executes dropped EXE
PID: 2108
\??\c:\c644600.exe | c:\c644600.exe | level 32
- Executes dropped EXE
PID: 1648
\??\c:\ddjvd.exe | c:\ddjvd.exe | level 33
- Executes dropped EXE
PID: 1400
\??\c:\64666.exe | c:\64666.exe | level 34
- Executes dropped EXE
PID: 3020
\??\c:\xlffllr.exe | c:\xlffllr.exe | level 35
- Executes dropped EXE
PID: 2380
\??\c:\486608.exe | c:\486608.exe | level 36
- Executes dropped EXE
PID: 2652
\??\c:\9pdpp.exe | c:\9pdpp.exe | level 37
- Executes dropped EXE
PID: 2172
\??\c:\608804.exe | c:\608804.exe | level 38
- Executes dropped EXE
PID: 2632
\??\c:\1ntttb.exe | c:\1ntttb.exe | level 39
- Executes dropped EXE
PID: 2536
\??\c:\5lrrrfl.exe | c:\5lrrrfl.exe | level 40
- Executes dropped EXE
PID: 2880
\??\c:\6406668.exe | c:\6406668.exe | level 41
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2804
\??\c:\3rlrrxl.exe | c:\3rlrrxl.exe | level 42
- Executes dropped EXE
PID: 3028
\??\c:\8206484.exe | c:\8206484.exe | level 43
- Executes dropped EXE
PID: 2528
\??\c:\1vppv.exe | c:\1vppv.exe | level 44
- Executes dropped EXE
PID: 2720
\??\c:\rfflflr.exe | c:\rfflflr.exe | level 45
- Executes dropped EXE
PID: 2844
\??\c:\242282.exe | c:\242282.exe | level 46
- Executes dropped EXE
PID: 2112
\??\c:\rlflrxl.exe | c:\rlflrxl.exe | level 47
- Executes dropped EXE
PID: 844
\??\c:\4266822.exe | c:\4266822.exe | level 48
- Executes dropped EXE
PID: 1844
\??\c:\btnnbb.exe | c:\btnnbb.exe | level 49
- Executes dropped EXE
PID: 1040
\??\c:\482244.exe | c:\482244.exe | level 50
- Executes dropped EXE
PID: 1756
\??\c:\xxflrrx.exe | c:\xxflrrx.exe | level 51
- Executes dropped EXE
PID: 2980
\??\c:\42064.exe | c:\42064.exe | level 52
- Executes dropped EXE
PID: 1036
\??\c:\7thnnb.exe | c:\7thnnb.exe | level 53
- Executes dropped EXE
PID: 772
\??\c:\08488.exe | c:\08488.exe | level 54
- Executes dropped EXE
PID: 2984
\??\c:\m0646.exe | c:\m0646.exe | level 55
- Executes dropped EXE
PID: 536
\??\c:\bhhnhn.exe | c:\bhhnhn.exe | level 56
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 308
\??\c:\fxflxrr.exe | c:\fxflxrr.exe | level 57
- Executes dropped EXE
PID: 1856
\??\c:\5tnnnt.exe | c:\5tnnnt.exe | level 58
- Executes dropped EXE
PID: 1860
\??\c:\084444.exe | c:\084444.exe | level 59
- Executes dropped EXE
PID: 2360
\??\c:\9dpjj.exe | c:\9dpjj.exe | level 60
- Executes dropped EXE
PID: 2164
\??\c:\08484.exe | c:\08484.exe | level 61
- Executes dropped EXE
PID: 2160
\??\c:\a8044.exe | c:\a8044.exe | level 62
- Executes dropped EXE
PID: 1212
\??\c:\k08288.exe | c:\k08288.exe | level 63
- Executes dropped EXE
PID: 2656
\??\c:\6046202.exe | c:\6046202.exe | level 64
- Executes dropped EXE
PID: 928
\??\c:\442828.exe | c:\442828.exe | level 65
- Executes dropped EXE
PID: 2664
\??\c:\02488.exe | c:\02488.exe | level 66
PID: 1552
\??\c:\2628448.exe | c:\2628448.exe | level 67
PID: 1296
\??\c:\7hbnhb.exe | c:\7hbnhb.exe | level 68
PID: 3036
\??\c:\nnhnht.exe | c:\nnhnht.exe | level 69
- System Location Discovery: System Language Discovery
PID: 1748
\??\c:\862244.exe | c:\862244.exe | level 70
PID: 1540
\??\c:\jjvjv.exe | c:\jjvjv.exe | level 71
PID: 1224
\??\c:\242226.exe | c:\242226.exe | level 72
PID: 1636
\??\c:\1rffxrx.exe | c:\1rffxrx.exe | level 73
- System Location Discovery: System Language Discovery
PID: 1168
\??\c:\5pvvv.exe | c:\5pvvv.exe | level 74
PID: 2040
\??\c:\vjvvd.exe | c:\vjvvd.exe | level 75
PID: 1736
\??\c:\g8624.exe | c:\g8624.exe | level 76
PID: 2380
\??\c:\0804640.exe | c:\0804640.exe | level 77
PID: 2076
\??\c:\3jddj.exe | c:\3jddj.exe | level 78
PID: 2784
\??\c:\080662.exe | c:\080662.exe | level 79
PID: 2200
\??\c:\9frfllx.exe | c:\9frfllx.exe | level 80
PID: 1604
\??\c:\lxllrrf.exe | c:\lxllrrf.exe | level 81
PID: 1608
\??\c:\8640888.exe | c:\8640888.exe | level 82
PID: 2248
\??\c:\u462400.exe | c:\u462400.exe | level 83
PID: 2608
\??\c:\862288.exe | c:\862288.exe | level 84
PID: 2964
\??\c:\824888.exe | c:\824888.exe | level 85
PID: 2528
\??\c:\0806824.exe | c:\0806824.exe | level 86
PID: 2720
\??\c:\5hnnnn.exe | c:\5hnnnn.exe | level 87
PID: 2692
\??\c:\o684084.exe | c:\o684084.exe | level 88
PID: 664
\??\c:\dvpvd.exe | c:\dvpvd.exe | level 89
PID: 576
\??\c:\2646228.exe | c:\2646228.exe | level 90
PID: 2592
\??\c:\9fxflrf.exe | c:\9fxflrf.exe | level 91
PID: 2764
\??\c:\c464440.exe | c:\c464440.exe | level 92
- System Location Discovery: System Language Discovery
PID: 3000
\??\c:\644888.exe | c:\644888.exe | level 93
PID: 1488
\??\c:\642848.exe | c:\642848.exe | level 94
PID: 1744
\??\c:\82864.exe | c:\82864.exe | level 95
- System Location Discovery: System Language Discovery
PID: 2776
\??\c:\jjpvp.exe | c:\jjpvp.exe | level 96
PID: 2984
\??\c:\1xrllfl.exe | c:\1xrllfl.exe | level 97
PID: 1200
\??\c:\6080440.exe | c:\6080440.exe | level 98
PID: 908
\??\c:\808288.exe | c:\808288.exe | level 99
PID: 2144
\??\c:\nbtbbb.exe | c:\nbtbbb.exe | level 100
PID: 2136
\??\c:\242226.exe | c:\242226.exe | level 101
PID: 2104
\??\c:\i606880.exe | c:\i606880.exe | level 102
PID: 1884
\??\c:\frrxrlr.exe | c:\frrxrlr.exe | level 103
PID: 2648
\??\c:\i466662.exe | c:\i466662.exe | level 104
PID: 2188
\??\c:\m6044.exe | c:\m6044.exe | level 105
PID: 1984
\??\c:\rlfflrx.exe | c:\rlfflrx.exe | level 106
PID: 1012
\??\c:\86806.exe | c:\86806.exe | level 107
PID: 3048
\??\c:\nnbthb.exe | c:\nnbthb.exe | level 108
PID: 900
\??\c:\1fxxxxf.exe | c:\1fxxxxf.exe | level 109
PID: 1552
\??\c:\hbhhtt.exe | c:\hbhhtt.exe | level 110
PID: 1936
\??\c:\thhbhh.exe | c:\thhbhh.exe | level 111
PID: 3024
\??\c:\g0842.exe | c:\g0842.exe | level 112
PID: 2572
\??\c:\04624.exe | c:\04624.exe | level 113
PID: 1964
\??\c:\lflfffr.exe | c:\lflfffr.exe | level 114
PID: 1508
\??\c:\5pjpv.exe | c:\5pjpv.exe | level 115
PID: 1648
\??\c:\jdjpv.exe | c:\jdjpv.exe | level 116
PID: 2616
\??\c:\tnhbhh.exe | c:\tnhbhh.exe | level 117
PID: 1740
\??\c:\lfxxlfr.exe | c:\lfxxlfr.exe | level 118
PID: 1716
\??\c:\1pvvv.exe | c:\1pvvv.exe | level 119
PID: 1712
\??\c:\bnhhth.exe | c:\bnhhth.exe | level 120
PID: 3004
\??\c:\0028280.exe | c:\0028280.exe | level 121
PID: 2820
\??\c:\1fxflrx.exe | c:\1fxflrx.exe | level 122
PID: 2504