Analysis
- max time kernel: 153s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18/12/2024, 23:11
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe
  - Resource: win7-20240903-en
General
- Target: 820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe
- Size: 454KB
- MD5: cc0c065724488972a1c8f1f2e000515b
- SHA1: 4bd38c74608cc853bbe577e0e1f0a55f7669cd6a
- SHA256: 820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857
- SHA512: 74bb2aa94c3d20617ae03a709362ccee1bb1f7a36359c599bbeb66ecbdc07eef806a1b43a080eae6302219e4bd747734e3b49bda17bbb51193ef5e525919e5b0
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (33 IoCs)
Memory dumps matching yara rule family_blackmoon. Dumps are named <pid>-<n>-<start>-<end>-memory.dmp; every hit covers the same region 0x0000000000400000-0x000000000042A000, so only pid-n is listed, in dump order:
2976-7, 2688-19, 2544-22, 3048-31, 2696-40, 2872-49, 2760-58, 2856-67, 2788-75, 2768-84, 2624-93, 3060-102, 1740-111, 2568-128, 1928-137, 2372-146, 1744-163,
2368-180, 2920-189, 2792-199, 2200-215, 1836-232, 616-241, 2948-266, 2544-301, 2344-314, 2836-339, 2896-376, 1588-460, 960-608, 2916-714, 2520-926, 912-1269
Executes dropped EXE (64 IoCs)
pid and Process, in report order. PIDs 2544, 3060 and 792 each appear twice: the earlier process had already exited and Windows recycled its PID, so these are 64 distinct processes, not 61.
2688 q02802.exe, 2544 0084662.exe, 3048 o606886.exe, 2696 bntbhn.exe, 2872 hbbhtt.exe, 2760 ttnbtb.exe, 2856 2602068.exe, 2788 60468.exe,
2768 7fxlfxl.exe, 2624 5lrflrx.exe, 3060 22204.exe, 1740 llxflrx.exe, 2140 480246.exe, 2568 3lxlxxl.exe, 1928 a0408.exe, 2372 k04202.exe,
1484 xfxflrl.exe, 1744 tbtnhh.exe, 1684 1tnttb.exe, 2368 60446.exe, 2920 jjvdj.exe, 2792 66262.exe, 2032 bbthtb.exe, 2200 420688.exe,
2012 m8208.exe, 1836 6044284.exe, 616 1rfllfl.exe, 2360 7ddpv.exe, 792 fxlrxlx.exe, 2948 480688.exe, 2528 tnhhtn.exe, 1440 fxrflrl.exe,
2936 646666.exe, 2556 nttthb.exe, 2544 bnnnbb.exe, 2492 nbhnnb.exe, 2344 22266.exe, 2860 lxlrlfr.exe, 2728 pjjjj.exe, 1276 o228286.exe,
2836 vjpjp.exe, 2828 4846242.exe, 2716 vpdjd.exe, 2656 pvpjd.exe, 3060 ttntbh.exe, 1964 2002280.exe, 2896 rxlrrfl.exe, 2364 btthtb.exe,
1912 00060.exe, 1932 888602.exe, 1960 nnbbnn.exe, 2548 vpdpd.exe, 632 q24684.exe, 1756 042288.exe, 1788 xxxlrfl.exe, 2724 s2668.exe,
2480 rrlrffl.exe, 772 9lfflrf.exe, 1588 204400.exe, 1808 48202.exe, 1064 q02046.exe, 264 k42800.exe, 792 6020880.exe, 2504 264028.exe
UPX packed file (yara rule upx)
Memory dumps matching yara rule upx. Dumps are named <pid>-<n>-<start>-<end>-memory.dmp; every hit covers the same region 0x0000000000400000-0x000000000042A000, so only pid-n is listed, in dump order. All 33 dumps that matched family_blackmoon are among these:
2976-7, 2688-19, 2544-22, 3048-31, 2696-40, 2872-49, 2760-58, 2856-67, 2788-75, 2768-84, 2624-93, 3060-102, 1740-111, 2568-128, 1928-137, 2372-146,
1744-163, 2368-180, 2920-189, 2792-199, 2200-215, 1836-232, 616-241, 2948-266, 2544-301, 2344-314, 2836-339, 2896-376, 1912-390, 2548-409, 1756-423,
1588-460, 264-473, 1332-523, 960-608, 3024-609, 1740-622, 1920-683, 2916-714, 2812-715, 1800-746, 876-753, 1740-893, 2520-926, 1692-947, 1048-978,
2308-1017, 932-1055, 1944-1068, 2836-1106, 2676-1137, 2296-1150, 2672-1217, 556-1230, 2012-1256, 912-1269, 1064-1282, 2248-1295, 2128-1314, 1632-1345, 2728-1358
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The same key is read by the ordinary locale lookups (GetSystemDefaultLangID and related APIs), so on its own this is a low-confidence signal; it is worth noting here only because the readers are the dropped binaries.
All 64 IoCs are the same action: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language.
Attributed to a named process (15): rfxflrf.exe, 04224.exe, pjdjp.exe, 86488.exe, bbntbh.exe, w20022.exe, btntbh.exe, 2844422.exe, jdvjp.exe, o828068.exe, xlfxrxr.exe, o880402.exe, 624442.exe, 9bbntb.exe, 862844.exe. Of these, only o880402.exe (depth 77) appears in the process tree shown below.
Attributed to "Process not Found" (49): the sandbox could not map the event to a process it was still tracking.
Suspicious use of WriteProcessMemory (64 IoCs)
Sixteen parent-to-child pairs, each logged four times (64 rows). Columns: pid (Process) -> target PID, procid_target (the target's index in the report's process list, an internal identifier rather than a PID).
2976 (820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe) -> 2688, procid_target 30
2688 (q02802.exe) -> 2544, procid_target 31
2544 (0084662.exe) -> 3048, procid_target 32
3048 (o606886.exe) -> 2696, procid_target 33
2696 (bntbhn.exe) -> 2872, procid_target 34
2872 (hbbhtt.exe) -> 2760, procid_target 35
2760 (ttnbtb.exe) -> 2856, procid_target 36
2856 (2602068.exe) -> 2788, procid_target 37
2788 (60468.exe) -> 2768, procid_target 38
2768 (7fxlfxl.exe) -> 2624, procid_target 39
2624 (5lrflrx.exe) -> 3060, procid_target 40
3060 (22204.exe) -> 1740, procid_target 41
1740 (llxflrx.exe) -> 2140, procid_target 42
2140 (480246.exe) -> 2568, procid_target 43
2568 (3lxlxxl.exe) -> 1928, procid_target 44
1928 (a0408.exe) -> 2372, procid_target 45
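The yara dump lists, the dropped-EXE list and the WriteProcessMemory rows above are flattened tables; the facts an analyst actually wants from them are the spawn chain, which PIDs were recycled (so that dumps such as 2544-22 and 2544-301 are not confused as one process), and whether every yara hit is really the same memory region. The Python below is an added example, not part of the tria.ge report: its regexes assume the row layouts seen on this page, and the sample rows are a constructed subset copied from the tables above.

```python
import re

# Constructed input: rows copied from the "Suspicious use of WriteProcessMemory"
# table (a subset; the report repeats every parent->child pair four times).
WPM_ROWS = """
PID 2976 wrote to memory of 2688 2976 820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe 30
PID 2976 wrote to memory of 2688 2976 820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe 30
PID 2976 wrote to memory of 2688 2976 820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe 30
PID 2976 wrote to memory of 2688 2976 820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe 30
PID 2688 wrote to memory of 2544 2688 q02802.exe 31
PID 2688 wrote to memory of 2544 2688 q02802.exe 31
PID 2544 wrote to memory of 3048 2544 0084662.exe 32
PID 3048 wrote to memory of 2696 3048 o606886.exe 33
"""
# Constructed input: "pid Process" pairs from the "Executes dropped EXE" table,
# chosen to include the recycled PIDs 2544 and 3060.
DROPPED_ROWS = ("2688 q02802.exe 2544 0084662.exe 3048 o606886.exe 2696 bntbhn.exe "
                "3060 22204.exe 2544 bnnnbb.exe 3060 ttntbh.exe")
# Constructed input: yara hits copied from the family_blackmoon and upx tables.
YARA_ROWS = """
behavioral1/memory/2544-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2688-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2544-22-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2544-301-0x0000000000400000-0x000000000042A000-memory.dmp upx
"""

# Row layouts as they appear on this page (an assumption about the extraction, not a tria.ge API).
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)")


def parse_wpm(text):
    """One edge per (parent PID, child PID): parent image, procid_target and row count."""
    edges = {}
    for line in text.strip().splitlines():
        m = WPM_RE.fullmatch(line.strip())
        if not m:
            continue  # not a WriteProcessMemory row
        parent, child, image, idx = m.groups()
        e = edges.setdefault((int(parent), int(child)),
                             {"image": image, "target_idx": int(idx), "count": 0})
        e["count"] += 1
    return edges


def parse_dropped(text):
    """Flattened 'pid Process pid Process ...' -> [(pid, image), ...] in report order."""
    t = text.split()
    return [(int(t[i]), t[i + 1]) for i in range(0, len(t) - 1, 2)]


def spawn_chain(edges, dropped):
    """Walk the edges from the root (the only PID never seen as a child) to the leaf.
    A parent with two children means the chain is not linear; that is reported, not hidden."""
    child_of = {}
    for parent, child in edges:
        if parent in child_of:
            raise ValueError(f"PID {parent} has two children: {child_of[parent]}, {child}")
        child_of[parent] = child
    roots = set(child_of) - set(child_of.values())
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {sorted(roots)}")
    leaf_names = dict(dropped)  # the leaf never writes memory, so its name comes from here
    chain, pid = [], roots.pop()
    while pid is not None:
        nxt = child_of.get(pid)
        image = edges[(pid, nxt)]["image"] if nxt is not None else leaf_names.get(pid, "?")
        chain.append((pid, image))
        pid = nxt
    return chain


def reused_pids(dropped):
    """PIDs that name more than one image: Windows recycled the PID after the earlier
    process exited, so dumps such as 2544-22 and 2544-301 belong to different processes."""
    by_pid = {}
    for pid, image in dropped:
        by_pid.setdefault(pid, []).append(image)
    return {pid: imgs for pid, imgs in by_pid.items() if len(imgs) > 1}


def regions(text):
    """Group yara hits by dumped region: size in bytes, distinct dumps (pid, n) and rules."""
    out = {}
    for m in DUMP_RE.finditer(text):
        pid, n, start, end, rule = m.groups()
        key = (int(start, 16), int(end, 16))
        r = out.setdefault(key, {"size": key[1] - key[0], "dumps": set(), "rules": set()})
        r["dumps"].add((int(pid), int(n)))
        r["rules"].add(rule)
    return out


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    dropped = parse_dropped(DROPPED_ROWS)
    for pid, image in spawn_chain(edges, dropped):
        print(f"{pid:>5}  {image}")
    print("recycled PIDs:", reused_pids(dropped))
    for (start, end), r in regions(YARA_ROWS).items():
        print(f"0x{start:X}-0x{end:X} ({r['size']} bytes) in {len(r['dumps'])} dumps: {sorted(r['rules'])}")
```

Run against the full tables rather than the subset, the chain walk stops at k04202.exe (PID 2372) because the WriteProcessMemory signature is capped at 64 rows; the process tree, not this table, is the source for the remaining depth. The region grouping is the quick check that every hit is the 0x2A000-byte image at 0x400000, that is, the same unpacked payload mapped in each dropped process.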
Processes
Each process is the child of the one above it; the leading number is its depth in the tree. The dropped binaries are run from the drive root: image \??\c:\<name>.exe, command line c:\<name>.exe. Signatures that fired on a process follow its PID.
1. C:\Users\Admin\AppData\Local\Temp\820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe, command line "C:\Users\Admin\AppData\Local\Temp\820bebf588d0fe8a91e325c5e3de13eecb050d1513337349e0b97d23267a0857.exe" (PID 2976): Suspicious use of WriteProcessMemory
2. \??\c:\q02802.exe (PID 2688): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\0084662.exe (PID 2544): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\o606886.exe (PID 3048): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\bntbhn.exe (PID 2696): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\hbbhtt.exe (PID 2872): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\ttnbtb.exe (PID 2760): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\2602068.exe (PID 2856): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\60468.exe (PID 2788): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\7fxlfxl.exe (PID 2768): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\5lrflrx.exe (PID 2624): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\22204.exe (PID 3060): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\llxflrx.exe (PID 1740): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\480246.exe (PID 2140): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\3lxlxxl.exe (PID 2568): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\a0408.exe (PID 1928): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\k04202.exe (PID 2372): Executes dropped EXE
18. \??\c:\xfxflrl.exe (PID 1484): Executes dropped EXE
19. \??\c:\tbtnhh.exe (PID 1744): Executes dropped EXE
20. \??\c:\1tnttb.exe (PID 1684): Executes dropped EXE
21. \??\c:\60446.exe (PID 2368): Executes dropped EXE
22. \??\c:\jjvdj.exe (PID 2920): Executes dropped EXE
23. \??\c:\66262.exe (PID 2792): Executes dropped EXE
24. \??\c:\bbthtb.exe (PID 2032): Executes dropped EXE
25. \??\c:\420688.exe (PID 2200): Executes dropped EXE
26. \??\c:\m8208.exe (PID 2012): Executes dropped EXE
27. \??\c:\6044284.exe (PID 1836): Executes dropped EXE
28. \??\c:\1rfllfl.exe (PID 616): Executes dropped EXE
29. \??\c:\7ddpv.exe (PID 2360): Executes dropped EXE
30. \??\c:\fxlrxlx.exe (PID 792): Executes dropped EXE
31. \??\c:\480688.exe (PID 2948): Executes dropped EXE
32. \??\c:\tnhhtn.exe (PID 2528): Executes dropped EXE
33. \??\c:\fxrflrl.exe (PID 1440): Executes dropped EXE
34. \??\c:\646666.exe (PID 2936): Executes dropped EXE
35. \??\c:\nttthb.exe (PID 2556): Executes dropped EXE
36. \??\c:\bnnnbb.exe (PID 2544): Executes dropped EXE
37. \??\c:\nbhnnb.exe (PID 2492): Executes dropped EXE
38. \??\c:\22266.exe (PID 2344): Executes dropped EXE
39. \??\c:\lxlrlfr.exe (PID 2860): Executes dropped EXE
40. \??\c:\pjjjj.exe (PID 2728): Executes dropped EXE
41. \??\c:\o228286.exe (PID 1276): Executes dropped EXE
42. \??\c:\vjpjp.exe (PID 2836): Executes dropped EXE
43. \??\c:\4846242.exe (PID 2828): Executes dropped EXE
44. \??\c:\vpdjd.exe (PID 2716): Executes dropped EXE
45. \??\c:\pvpjd.exe (PID 2656): Executes dropped EXE
46. \??\c:\ttntbh.exe (PID 3060): Executes dropped EXE
47. \??\c:\2002280.exe (PID 1964): Executes dropped EXE
48. \??\c:\rxlrrfl.exe (PID 2896): Executes dropped EXE
49. \??\c:\btthtb.exe (PID 2364): Executes dropped EXE
50. \??\c:\00060.exe (PID 1912): Executes dropped EXE
51. \??\c:\888602.exe (PID 1932): Executes dropped EXE
52. \??\c:\nnbbnn.exe (PID 1960): Executes dropped EXE
53. \??\c:\vpdpd.exe (PID 2548): Executes dropped EXE
54. \??\c:\q24684.exe (PID 632): Executes dropped EXE
55. \??\c:\042288.exe (PID 1756): Executes dropped EXE
56. \??\c:\xxxlrfl.exe (PID 1788): Executes dropped EXE
57. \??\c:\s2668.exe (PID 2724): Executes dropped EXE
58. \??\c:\rrlrffl.exe (PID 2480): Executes dropped EXE
59. \??\c:\9lfflrf.exe (PID 772): Executes dropped EXE
60. \??\c:\204400.exe (PID 1588): Executes dropped EXE
61. \??\c:\48202.exe (PID 1808): Executes dropped EXE
62. \??\c:\q02046.exe (PID 1064): Executes dropped EXE
63. \??\c:\k42800.exe (PID 264): Executes dropped EXE
64. \??\c:\6020880.exe (PID 792): Executes dropped EXE
65. \??\c:\264028.exe (PID 2504): Executes dropped EXE
66. \??\c:\rllxlrx.exe (PID 1224)
67. \??\c:\00868.exe (PID 1976)
68. \??\c:\86668.exe (PID 1512)
69. \??\c:\tnhntt.exe (PID 1440)
70. \??\c:\vdvdp.exe (PID 768)
71. \??\c:\3hnhbn.exe (PID 1332)
72. \??\c:\tnhnhh.exe (PID 2224)
73. \??\c:\1dvjp.exe (PID 2688)
74. \??\c:\e82440.exe (PID 3008)
75. \??\c:\1hbntb.exe (PID 2344)
76. \??\c:\s2008.exe (PID 2292)
77. \??\c:\o880402.exe (PID 2728): System Location Discovery: System Language Discovery
78. \??\c:\26008.exe (PID 2088)
79. \??\c:\9rxxlrx.exe (PID 2164)
80. \??\c:\nbttbb.exe (PID 2268)
81. \??\c:\266828.exe (PID 2832)
82. \??\c:\rflllrx.exe (PID 2716)
83. \??\c:\9jddp.exe (PID 2772)
84. \??\c:\9pvdj.exe (PID 960)
85. \??\c:\vvvvj.exe (PID 3024)
86. \??\c:\0862480.exe (PID 848)
87. \??\c:\66408.exe (PID 1740)
88. \??\c:\jdvvp.exe (PID 2852)
89. \??\c:\4862008.exe (PID 1724)
90. \??\c:\e26880.exe (PID 2628)
91. \??\c:\bbhnhb.exe (PID 2356)
92. \??\c:\5pjjp.exe (PID 2520)
93. \??\c:\lllxlrr.exe (PID 1460)
94. \??\c:\44808.exe (PID 2052)
95. \??\c:\q02228.exe (PID 1108)
96. \??\c:\nbbbhh.exe (PID 1508)
97. \??\c:\frxrxlf.exe (PID 1920)
98. \??\c:\9rfrlrl.exe (PID 1756)
99. \??\c:\w64646.exe (PID 2576)
100. \??\c:\lfrxrrl.exe (PID 1992)
101. \??\c:\00026.exe (PID 2916)
102. \??\c:\0428068.exe (PID 2812)
103. \??\c:\pjpdv.exe (PID 1348)
104. \??\c:\jpjpd.exe (PID 904)
105. \??\c:\886866.exe (PID 1492)
106. \??\c:\7vdpp.exe (PID 1516)
107. \??\c:\82686.exe (PID 1800)
108. \??\c:\lrrxlrf.exe (PID 876)
109. \??\c:\3jpvd.exe (PID 1924)
110. \??\c:\264680.exe (PID 1976)
111. \??\c:\rfxrrfx.exe (PID 2212)
112. \??\c:\pppdv.exe (PID 1440)
113. \??\c:\ttthnh.exe (PID 1628)
114. \??\c:\0042068.exe (PID 2556)
115. \??\c:\4424664.exe (PID 1944)
116. \??\c:\vpppv.exe (PID 1632)
117. \??\c:\7vvjp.exe (PID 2932)
118. \??\c:\vdjdv.exe (PID 2084)
119. \??\c:\4884280.exe (PID 2196)
120. \??\c:\88842.exe (PID 2880)
121. \??\c:\0484628.exe (PID 2876)
122. \??\c:\i028440.exe (PID 3036)