Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2024, 10:35

Static task: static1
Behavioral task: behavioral1
Sample: 5887a162a15eae30d5166bfdd5e14ccb21b5849a2d24996905eaebf7a4222a68N.exe
Resource: win7-20240708-en

General
Target: 5887a162a15eae30d5166bfdd5e14ccb21b5849a2d24996905eaebf7a4222a68N.exe (the file name is the SHA256 below with an N suffix)
Size: 454KB
MD5: fb7132c15e90a437c001fa54fab55ba0
SHA1: 71153c0b3691fd17e16965ff917db41128a09418
SHA256: 5887a162a15eae30d5166bfdd5e14ccb21b5849a2d24996905eaebf7a4222a68
SHA512: 26aa3ba02c8f1140cfb30c52b2a76ef68a936d603e615c83c58ca7bcc7f91f23ff2ed292899c34ecf9b2beb7c512885ff08e137548c8058e7201180fe05bbd60
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload 55 IoCs
Every hit is yara_rule family_blackmoon on a memory dump named behavioral1/memory/<pid>-<sequence>-<start>-<end>-memory.dmp. All regions except 2000-299 (0x76F50000-0x7706F000, 0x11F000 bytes) are 0x2A000 bytes long: either the main image at 0x400000 or a second copy of the same size at a non-image address (0x1B0000, 0x220000, 0x250000, 0x2B0000, 0x530000). The same payload is therefore being re-dumped from each stage of the chain, not 55 distinct payloads.

resource | yara_rule
behavioral1/memory/1064-7-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1940-17-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2380-28-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2836-31-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2392-45-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2820-55-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2792-66-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2392-76-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2708-74-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2612-86-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2612-87-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2612-85-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2592-96-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2136-105-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2136-107-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2940-121-0x00000000001B0000-0x00000000001DA000-memory.dmp | family_blackmoon
behavioral1/memory/1516-129-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2612-120-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2008-139-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2628-161-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2296-174-0x0000000000530000-0x000000000055A000-memory.dmp | family_blackmoon
behavioral1/memory/2296-179-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1312-188-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1812-197-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2064-213-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2064-217-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/912-229-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/1560-242-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/944-260-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2412-269-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/308-272-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1712-288-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2000-299-0x0000000076F50000-0x000000007706F000-memory.dmp | family_blackmoon
behavioral1/memory/2000-301-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1372-322-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2208-341-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2464-362-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1180-382-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2168-403-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2984-416-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/1304-424-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2224-450-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2084-476-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/1144-484-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1812-490-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/684-506-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2336-562-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2100-687-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/692-828-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1964-1006-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/608-1020-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2120-1033-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1652-1053-0x00000000002B0000-0x00000000002DA000-memory.dmp | family_blackmoon
behavioral1/memory/1676-1079-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2488-1080-0x0000000000250000-0x000000000027A000-memory.dmp | family_blackmoon
Executes dropped EXE 64 IoCs
The list is capped at 64 entries; it covers stages 2 to 66 of the process tree below (stage 34, hhhbnt.exe, is not in it) although the tree continues to stage 122. Three PIDs appear twice with different images (2008, 2628, 1812): the first process with that PID had exited before the second was created, so PID alone does not identify a stage.

pid | Process
1940 | 420066.exe
2380 | ttbhht.exe
2836 | rlllrrf.exe
2392 | 2202462.exe
2820 | vpjvd.exe
2792 | bthhtt.exe
2708 | xxrxlrf.exe
2612 | vdvdp.exe
2592 | k80404.exe
2136 | xrlrffx.exe
2968 | 20806.exe
2940 | i428480.exe
1516 | fxxxlrx.exe
2008 | vpjdd.exe
380 | m0846.exe
2628 | 7jddd.exe
576 | rfxxflr.exe
2296 | u866880.exe
1312 | 3fflffr.exe
1812 | bnbntt.exe
896 | s0806.exe
2064 | 26842.exe
952 | 82224.exe
912 | 20404.exe
1560 | 26846.exe
1720 | jjdvd.exe
944 | thnnbb.exe
2412 | jjppd.exe
308 | c666808.exe
1712 | 4806880.exe
1768 | tnbbhh.exe
2000 | 042800.exe
1240 | 26842.exe
1372 | jjvvd.exe
2520 | m8668.exe
2472 | jvjjv.exe
2208 | 646240.exe
2896 | 646666.exe
2788 | 086622.exe
2464 | 0404006.exe
2964 | vjvdj.exe
2756 | 420240.exe
1180 | 8688008.exe
2648 | 428444.exe
2640 | bnbbth.exe
2168 | vjvvv.exe
2128 | rlflxfr.exe
2984 | rlxrxxx.exe
1304 | 224400.exe
688 | 648686.exe
2008 | nnhhtb.exe
2960 | 8644068.exe
2224 | 420066.exe
2628 | 9jvdj.exe
1480 | 0204068.exe
2072 | jdppd.exe
2084 | 4828446.exe
1144 | k82240.exe
1812 | 82202.exe
2772 | q86622.exe
684 | 6422880.exe
1088 | fxrxrlr.exe
316 | ddvdv.exe
2484 | tnbbhh.exe
yara_rule upx 51 IoCs
(The heading for this signature did not survive extraction; the entries are the 51 memory dumps on which the upx rule matched, in the same naming scheme as above.)

resource | yara_rule
behavioral1/memory/1940-9-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1064-7-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1940-17-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2380-28-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2836-31-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2392-45-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2820-55-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2792-66-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2612-77-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2708-74-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2612-86-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2612-85-0x0000000000220000-0x000000000024A000-memory.dmp | upx
behavioral1/memory/2592-96-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2136-107-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1516-129-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2628-161-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2296-179-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1312-188-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/896-199-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1812-197-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2064-217-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1560-242-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/944-260-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2412-269-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/308-272-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2000-301-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1372-315-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1372-322-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2208-341-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2464-355-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2464-362-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1180-382-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2168-403-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2984-416-0x0000000000220000-0x000000000024A000-memory.dmp | upx
behavioral1/memory/2224-450-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2084-476-0x0000000000220000-0x000000000024A000-memory.dmp | upx
behavioral1/memory/1144-484-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1812-490-0x0000000000220000-0x000000000024A000-memory.dmp | upx
behavioral1/memory/684-506-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2828-630-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2108-643-0x00000000003A0000-0x00000000003CA000-memory.dmp | upx
behavioral1/memory/2100-687-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1796-743-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/692-828-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1600-853-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2508-878-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2640-955-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/680-968-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/608-993-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1376-1040-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1652-1053-0x00000000002B0000-0x00000000002DA000-memory.dmp | upx
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

All 64 entries are the same operation, Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; only the Process column differs. It is listed below in report order; "Process not Found" means the sandbox could not map the PID back to a tracked process. Of the 24 named processes, only i428480.exe (stage 13, PID 2940) and 6422880.exe (stage 63, PID 684) appear in the 122-stage tree below, so the chain ran on well past the portion of the tree shown. Note for host-side detection: this is a key open (read), which Sysmon's registry events (key create/delete, value set, rename) do not record; seeing it on an endpoint needs object-access auditing with a SACL on the key.

Process
e48428.exe
Process not Found (x3)
ddjdj.exe
20266.exe
g8664.exe
82402.exe
Process not Found (x4)
6422880.exe
260684.exe
Process not Found (x6)
486626.exe
Process not Found (x5)
8688406.exe
pvvvd.exe
Process not Found (x3)
82624.exe
082466.exe
44644.exe
Process not Found (x4)
nttbbb.exe
26402.exe
Process not Found (x5)
rrlrflx.exe
5ppvd.exe
8246846.exe
Process not Found (x2)
i428480.exe
Process not Found
a4224.exe
Process not Found (x6)
820688.exe
hhhthb.exe
26002.exe
5rfllrr.exe
Process not Found
Suspicious use of WriteProcessMemory 64 IoCs
Each parent wrote to its newly created child four times, so the 64 listed entries collapse to 16 distinct parent-to-child pairs, which are exactly stages 1 to 17 of the process tree below. The list stops there because of the 64-entry cap, not because later stages behave differently.

description | pid | Process | procid_target | entries
PID 1064 wrote to memory of 1940 | 1064 | 5887a162a15eae30d5166bfdd5e14ccb21b5849a2d24996905eaebf7a4222a68N.exe | 30 | x4
PID 1940 wrote to memory of 2380 | 1940 | 420066.exe | 31 | x4
PID 2380 wrote to memory of 2836 | 2380 | ttbhht.exe | 32 | x4
PID 2836 wrote to memory of 2392 | 2836 | rlllrrf.exe | 33 | x4
PID 2392 wrote to memory of 2820 | 2392 | 2202462.exe | 34 | x4
PID 2820 wrote to memory of 2792 | 2820 | vpjvd.exe | 35 | x4
PID 2792 wrote to memory of 2708 | 2792 | bthhtt.exe | 36 | x4
PID 2708 wrote to memory of 2612 | 2708 | xxrxlrf.exe | 37 | x4
PID 2612 wrote to memory of 2592 | 2612 | vdvdp.exe | 38 | x4
PID 2592 wrote to memory of 2136 | 2592 | k80404.exe | 39 | x4
PID 2136 wrote to memory of 2968 | 2136 | xrlrffx.exe | 40 | x4
PID 2968 wrote to memory of 2940 | 2968 | 20806.exe | 41 | x4
PID 2940 wrote to memory of 1516 | 2940 | i428480.exe | 42 | x4
PID 1516 wrote to memory of 2008 | 1516 | fxxxlrx.exe | 43 | x4
PID 2008 wrote to memory of 380 | 2008 | vpjdd.exe | 44 | x4
PID 380 wrote to memory of 2628 | 380 | m0846.exe | 45 | x4
Processes
A single linear chain: every stage is the only child of the stage above it, 122 stages deep in the portion shown. For each dropped stage the recorded command line is the image path without the \??\ prefix (e.g. c:\420066.exe for \??\c:\420066.exe), so only the image is listed; stage 1 was started with its quoted full path as the command line. Signature flags: E = Executes dropped EXE, W = Suspicious use of WriteProcessMemory, L = System Location Discovery: System Language Discovery. W stops at stage 16 and E at stage 66, consistent with those signature lists being capped at 64 entries rather than with any change in behaviour. Several PIDs recur (2392, 2708, 2940, 1516, 2008, 2628, 1812): the earlier holder had exited before the later stage started.

depth | image | PID | flags
1 | C:\Users\Admin\AppData\Local\Temp\5887a162a15eae30d5166bfdd5e14ccb21b5849a2d24996905eaebf7a4222a68N.exe | 1064 | W
2 | \??\c:\420066.exe | 1940 | E W
3 | \??\c:\ttbhht.exe | 2380 | E W
4 | \??\c:\rlllrrf.exe | 2836 | E W
5 | \??\c:\2202462.exe | 2392 | E W
6 | \??\c:\vpjvd.exe | 2820 | E W
7 | \??\c:\bthhtt.exe | 2792 | E W
8 | \??\c:\xxrxlrf.exe | 2708 | E W
9 | \??\c:\vdvdp.exe | 2612 | E W
10 | \??\c:\k80404.exe | 2592 | E W
11 | \??\c:\xrlrffx.exe | 2136 | E W
12 | \??\c:\20806.exe | 2968 | E W
13 | \??\c:\i428480.exe | 2940 | E L W
14 | \??\c:\fxxxlrx.exe | 1516 | E W
15 | \??\c:\vpjdd.exe | 2008 | E W
16 | \??\c:\m0846.exe | 380 | E W
17 | \??\c:\7jddd.exe | 2628 | E
18 | \??\c:\rfxxflr.exe | 576 | E
19 | \??\c:\u866880.exe | 2296 | E
20 | \??\c:\3fflffr.exe | 1312 | E
21 | \??\c:\bnbntt.exe | 1812 | E
22 | \??\c:\s0806.exe | 896 | E
23 | \??\c:\26842.exe | 2064 | E
24 | \??\c:\82224.exe | 952 | E
25 | \??\c:\20404.exe | 912 | E
26 | \??\c:\26846.exe | 1560 | E
27 | \??\c:\jjdvd.exe | 1720 | E
28 | \??\c:\thnnbb.exe | 944 | E
29 | \??\c:\jjppd.exe | 2412 | E
30 | \??\c:\c666808.exe | 308 | E
31 | \??\c:\4806880.exe | 1712 | E
32 | \??\c:\tnbbhh.exe | 1768 | E
33 | \??\c:\042800.exe | 2000 | E
34 | \??\c:\hhhbnt.exe | 1608 | (none)
35 | \??\c:\26842.exe | 1240 | E
36 | \??\c:\jjvvd.exe | 1372 | E
37 | \??\c:\m8668.exe | 2520 | E
38 | \??\c:\jvjjv.exe | 2472 | E
39 | \??\c:\646240.exe | 2208 | E
40 | \??\c:\646666.exe | 2896 | E
41 | \??\c:\086622.exe | 2788 | E
42 | \??\c:\0404006.exe | 2464 | E
43 | \??\c:\vjvdj.exe | 2964 | E
44 | \??\c:\420240.exe | 2756 | E
45 | \??\c:\8688008.exe | 1180 | E
46 | \??\c:\428444.exe | 2648 | E
47 | \??\c:\bnbbth.exe | 2640 | E
48 | \??\c:\vjvvv.exe | 2168 | E
49 | \??\c:\rlflxfr.exe | 2128 | E
50 | \??\c:\rlxrxxx.exe | 2984 | E
51 | \??\c:\224400.exe | 1304 | E
52 | \??\c:\648686.exe | 688 | E
53 | \??\c:\nnhhtb.exe | 2008 | E
54 | \??\c:\8644068.exe | 2960 | E
55 | \??\c:\420066.exe | 2224 | E
56 | \??\c:\9jvdj.exe | 2628 | E
57 | \??\c:\0204068.exe | 1480 | E
58 | \??\c:\jdppd.exe | 2072 | E
59 | \??\c:\4828446.exe | 2084 | E
60 | \??\c:\k82240.exe | 1144 | E
61 | \??\c:\82202.exe | 1812 | E
62 | \??\c:\q86622.exe | 2772 | E
63 | \??\c:\6422880.exe | 684 | E L
64 | \??\c:\fxrxrlr.exe | 1088 | E
65 | \??\c:\ddvdv.exe | 316 | E
66 | \??\c:\tnbbhh.exe | 2484 | E
67 | \??\c:\0484668.exe | 1544 |
68 | \??\c:\82406.exe | 928 |
69 | \??\c:\dpdpv.exe | 776 |
70 | \??\c:\bbbbbb.exe | 2036 |
71 | \??\c:\vjdjp.exe | 2288 |
72 | \??\c:\ppvvd.exe | 2336 |
73 | \??\c:\020062.exe | 372 |
74 | \??\c:\7dpdd.exe | 2492 |
75 | \??\c:\e26644.exe | 1500 |
76 | \??\c:\llxxxxx.exe | 2368 |
77 | \??\c:\rlllrrr.exe | 1692 |
78 | \??\c:\7nhhbb.exe | 1804 |
79 | \??\c:\xrxffll.exe | 2684 |
80 | \??\c:\9bbbtt.exe | 1780 |
81 | \??\c:\64228.exe | 2732 |
82 | \??\c:\804666.exe | 2392 |
83 | \??\c:\llxrffr.exe | 2748 |
84 | \??\c:\242228.exe | 2828 |
85 | \??\c:\hbbbhn.exe | 2108 |
86 | \??\c:\c024062.exe | 2708 |
87 | \??\c:\486284.exe | 2588 |
88 | \??\c:\u028440.exe | 2608 |
89 | \??\c:\206244.exe | 2668 |
90 | \??\c:\lfxxllx.exe | 2440 |
91 | \??\c:\042244.exe | 2204 |
92 | \??\c:\o484062.exe | 2100 |
93 | \??\c:\u868662.exe | 2940 |
94 | \??\c:\208844.exe | 2840 |
95 | \??\c:\frlllll.exe | 1516 |
96 | \??\c:\djvpp.exe | 2948 |
97 | \??\c:\hbnbbb.exe | 1628 |
98 | \??\c:\862266.exe | 1824 |
99 | \??\c:\48042.exe | 2120 |
100 | \??\c:\0248222.exe | 2420 |
101 | \??\c:\5flfllx.exe | 2220 |
102 | \??\c:\1xlflfr.exe | 1796 |
103 | \??\c:\7btttt.exe | 2096 |
104 | \??\c:\xlrrrfl.exe | 3044 |
105 | \??\c:\vjvvp.exe | 628 |
106 | \??\c:\208406.exe | 2264 |
107 | \??\c:\9lffffr.exe | 1728 |
108 | \??\c:\u422846.exe | 1668 |
109 | \??\c:\s2842.exe | 1352 |
110 | \??\c:\080004.exe | 1976 |
111 | \??\c:\468222.exe | 1380 |
112 | \??\c:\8682844.exe | 1732 |
113 | \??\c:\jdpjp.exe | 1636 |
114 | \??\c:\4204600.exe | 2364 |
115 | \??\c:\60468.exe | 692 |
116 | \??\c:\u206006.exe | 3032 |
117 | \??\c:\o840664.exe | 880 |
118 | \??\c:\3jpjj.exe | 1504 |
119 | \??\c:\q26240.exe | 2676 |
120 | \??\c:\ppddd.exe | 1600 |
121 | \??\c:\w64066.exe | 1708 |
122 | \??\c:\3djvj.exe | 1948 |
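The flattened signature lists above (memory-dump names, the repeated "wrote to memory of" entries and the fused process-tree lines) are easier to reason about once parsed. The script below is an added example written for this page, not tria.ge code: it splits dump names into pid, sequence number and region bounds and histograms the region sizes, collapses the WriteProcessMemory entries into distinct parent-to-child edges and follows them into a spawn chain (refusing fan-out or cycles so a non-linear report is not mis-summarised), and un-fuses tree lines to find PIDs that occur at more than one depth. The embedded input is a subset copied from this report; the tree lines are normalised to one line per stage (image, command line, depth, PID run together exactly as the extraction left them).

```python
"""Parse the IoC strings of a tria.ge-style sandbox report: memory-dump names,
'wrote to memory of' entries and process-tree lines.

Added example for this page, not tria.ge code.  Sample input is a subset
copied from the report above; tree lines normalised to one line per stage.
"""
import re
from collections import Counter, defaultdict

# behavioral1/memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"behavioral\d+/memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")
# "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>"
WRITE_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) "
    r"(?P<image>\S+) (?P<target>\d+)")
# Extraction fused image path, command line and depth: "\??\c:\X.exec:\X.exe<depth>"
TREE_RE = re.compile(
    r"^\\\?\?\\c:\\(?P<img>[^\s:]+?\.exe)c:\\(?P<cmd>\S+?\.exe)(?P<depth>\d+)"
    r"⤵?(?:PID:(?P<pid>\d+))?$")

# Subset of the family_blackmoon hits, copied from the report.
DUMPS = [
    "behavioral1/memory/1064-7-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/1940-17-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/2392-76-0x0000000000220000-0x000000000024A000-memory.dmp",
    "behavioral1/memory/2940-121-0x00000000001B0000-0x00000000001DA000-memory.dmp",
    "behavioral1/memory/2000-299-0x0000000076F50000-0x000000007706F000-memory.dmp",
]
# First three parent/child pairs; the report repeats each entry four times.
WRITES = (
    ["PID 1064 wrote to memory of 1940 1064 "
     "5887a162a15eae30d5166bfdd5e14ccb21b5849a2d24996905eaebf7a4222a68N.exe 30"] * 4
    + ["PID 1940 wrote to memory of 2380 1940 420066.exe 31"] * 4
    + ["PID 2380 wrote to memory of 2836 2380 ttbhht.exe 32"] * 4
)
# Stages 2, 3, 5, 34 and 82 of the tree; PID 2392 is used twice.
TREE = r"""
\??\c:\420066.exec:\420066.exe2⤵PID:1940
\??\c:\ttbhht.exec:\ttbhht.exe3⤵PID:2380
\??\c:\2202462.exec:\2202462.exe5⤵PID:2392
\??\c:\hhhbnt.exec:\hhhbnt.exe34⤵PID:1608
\??\c:\804666.exec:\804666.exe82⤵PID:2392
"""


def parse_dump(name):
    """Split a dump resource name into pid, sequence number and region bounds."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def region_size_histogram(names):
    """Count dumps per region size; one dominant size means the same image is
    being re-dumped from each stage rather than many distinct payloads."""
    return Counter(parse_dump(n)["size"] for n in names)


def parse_writes(lines):
    """Distinct (parent, child, parent_image, procid_target) edges, first-seen order."""
    seen, edges = set(), []
    for line in lines:
        m = WRITE_RE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unparsed entry: {line}")
        edge = (int(m["parent"]), int(m["child"]), m["image"], int(m["target"]))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def spawn_chain(edges, root):
    """Follow parent->child edges from root; reject fan-out and cycles."""
    children = defaultdict(list)
    for parent, child, _image, _target in edges:
        children[parent].append(child)
    chain, pid = [root], root
    while children[pid]:
        if len(children[pid]) != 1:
            raise ValueError(f"pid {pid} has {len(children[pid])} children")
        pid = children[pid][0]
        if pid in chain:
            raise ValueError(f"cycle at pid {pid}")
        chain.append(pid)
    return chain


def parse_tree(text):
    """Un-fuse each stage line into (depth, image, command line, pid or None)."""
    stages = []
    for line in text.strip().splitlines():
        m = TREE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparsed stage: {line}")
        pid = int(m["pid"]) if m["pid"] else None
        stages.append((int(m["depth"]), m["img"], m["cmd"], pid))
    return stages


def reused_pids(stages):
    """PIDs seen at more than one depth: the earlier process had exited before
    the later one was created, so keying on PID alone conflates two stages."""
    depths = defaultdict(list)
    for depth, _img, _cmd, pid in stages:
        if pid is not None:
            depths[pid].append(depth)
    return {pid: d for pid, d in depths.items() if len(d) > 1}


if __name__ == "__main__":
    for size, n in sorted(region_size_histogram(DUMPS).items()):
        print(f"region size 0x{size:X}: {n} dump(s)")
    edges = parse_writes(WRITES)
    print(f"{len(WRITES)} entries -> {len(edges)} edges; chain:",
          " -> ".join(map(str, spawn_chain(edges, 1064))))
    print("reused PIDs:", reused_pids(parse_tree(TREE)))
```

Run over the full lists on this page rather than the embedded subset, parse_writes collapses the 64 entries to 16 edges whose chain matches stages 1 to 17 of the tree, region_size_histogram reports 0x2A000 bytes for 54 of the 55 Blackmoon hits, and reused_pids flags 2392, 2708, 2940, 1516, 2008, 2628 and 1812.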