Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 01:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a1ec02d60a0342e4dc1644fea4f97b446bba8ab484a7066b6be4879a8e08d872.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a1ec02d60a0342e4dc1644fea4f97b446bba8ab484a7066b6be4879a8e08d872.exe
-
Size
455KB
-
MD5
e2d639b94d4eca4b92ccfb33a613e3e2
-
SHA1
5b2aa2fb3a2224c72542c4ff6f977feed787df22
-
SHA256
a1ec02d60a0342e4dc1644fea4f97b446bba8ab484a7066b6be4879a8e08d872
-
SHA512
08898acbf7c49195dca37e68eabb1c72cb4b54d4e2c943035c39dbcea30f63911db4be67caefa661e7246b37507b0c889efa1b1d7851b356396fa9640884019c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTP:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/2416-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-41-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1732-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-122-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/776-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/776-130-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1276-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1880-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-319-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1828-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1664-516-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2428-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-778-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-797-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1088-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-523-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2300-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/692-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/556-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-387-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2416-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/988-276-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2068-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-190-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/568-142-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2756-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-962-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2428-989-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-1091-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2976-1115-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1732 82462.exe 2440 3frrfrf.exe 2996 o602408.exe 1996 m6862.exe 2976 5nhhtt.exe 2716 hhtntt.exe 2744 c806280.exe 2756 pvjdj.exe 2724 jpppp.exe 2348 026420.exe 1256 66406.exe 1496 66064.exe 776 8262880.exe 568 flrfxll.exe 1276 dvpvj.exe 2916 7nbhnn.exe 2028 ffrrfxf.exe 1604 48402.exe 2288 1nnntb.exe 2172 9rlfllx.exe 2680 jjdpp.exe 2328 frlxrff.exe 2260 48620.exe 1880 htnntb.exe 2248 vpdjp.exe 2128 lxfrrll.exe 2068 dvdpd.exe 988 xrlrffl.exe 1520 g6248.exe 2416 602862.exe 1760 066408.exe 1972 lrlxxlx.exe 1988 282664.exe 1596 4806842.exe 2080 lxxflxl.exe 2856 004220.exe 3060 8446086.exe 2716 6028468.exe 2876 0428446.exe 2708 1ppvj.exe 2756 8208002.exe 2984 6422886.exe 1956 08002.exe 1968 nnhnhn.exe 1840 2280420.exe 708 44428.exe 784 02044.exe 324 vjvvv.exe 532 5ppdv.exe 1828 vvdjp.exe 1508 ppdpd.exe 1336 rlfrxrf.exe 1696 ffxlxfl.exe 1724 60420.exe 2392 5djdj.exe 1976 5xxffxl.exe 556 3vpdd.exe 692 e24644.exe 768 6400880.exe 968 dddjv.exe 1128 hbtbnn.exe 1984 60464.exe 2300 hbthtb.exe 1664 btbnhh.exe -
resource yara_rule behavioral1/memory/2416-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-41-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1732-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/776-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1828-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-722-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3040-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-778-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-797-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/692-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/556-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-881-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-925-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-963-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-962-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-989-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-1008-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1440-1030-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-1091-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2148-1117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-1142-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrffllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u262064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 282664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxxfx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2416 wrote to memory of 1732 2416 a1ec02d60a0342e4dc1644fea4f97b446bba8ab484a7066b6be4879a8e08d872.exe 30 PID 2416 wrote to memory of 1732 2416 a1ec02d60a0342e4dc1644fea4f97b446bba8ab484a7066b6be4879a8e08d872.exe 30 PID 2416 wrote to memory of 1732 2416 a1ec02d60a0342e4dc1644fea4f97b446bba8ab484a7066b6be4879a8e08d872.exe 30 PID 2416 wrote to memory of 1732 2416 a1ec02d60a0342e4dc1644fea4f97b446bba8ab484a7066b6be4879a8e08d872.exe 30 PID 1732 wrote to memory of 2440 1732 82462.exe 31 PID 1732 wrote to memory of 2440 1732 82462.exe 31 PID 1732 wrote to memory of 2440 1732 82462.exe 31 PID 1732 wrote to memory of 2440 1732 82462.exe 31 PID 2440 wrote to memory of 2996 2440 3frrfrf.exe 32 PID 2440 wrote to memory of 2996 2440 3frrfrf.exe 32 PID 2440 wrote to memory of 2996 2440 3frrfrf.exe 32 PID 2440 wrote to memory of 2996 2440 3frrfrf.exe 32 PID 2996 wrote to memory of 1996 2996 o602408.exe 33 PID 2996 wrote to memory of 1996 2996 o602408.exe 33 PID 2996 wrote to memory of 1996 2996 o602408.exe 33 PID 2996 wrote to memory of 1996 2996 o602408.exe 33 PID 1996 wrote to memory of 2976 1996 m6862.exe 34 PID 1996 wrote to memory of 2976 1996 m6862.exe 34 PID 1996 wrote to memory of 2976 1996 m6862.exe 34 PID 1996 wrote to memory of 2976 1996 m6862.exe 34 PID 2976 wrote to memory of 2716 2976 5nhhtt.exe 35 PID 2976 wrote to memory of 2716 2976 5nhhtt.exe 35 PID 2976 wrote to memory of 2716 2976 5nhhtt.exe 35 PID 2976 wrote to memory of 2716 2976 5nhhtt.exe 35 PID 2716 wrote to memory of 2744 2716 hhtntt.exe 36 PID 2716 wrote to memory of 2744 2716 hhtntt.exe 36 PID 2716 wrote to memory of 2744 2716 hhtntt.exe 36 PID 2716 wrote to memory of 2744 2716 hhtntt.exe 36 PID 2744 wrote to memory of 2756 2744 c806280.exe 70 PID 2744 wrote to memory of 2756 2744 c806280.exe 70 PID 2744 wrote to memory of 2756 2744 c806280.exe 70 PID 2744 wrote to memory of 2756 2744 c806280.exe 70 PID 2756 wrote to memory of 2724 2756 pvjdj.exe 38 PID 2756 
wrote to memory of 2724 2756 pvjdj.exe 38 PID 2756 wrote to memory of 2724 2756 pvjdj.exe 38 PID 2756 wrote to memory of 2724 2756 pvjdj.exe 38 PID 2724 wrote to memory of 2348 2724 jpppp.exe 39 PID 2724 wrote to memory of 2348 2724 jpppp.exe 39 PID 2724 wrote to memory of 2348 2724 jpppp.exe 39 PID 2724 wrote to memory of 2348 2724 jpppp.exe 39 PID 2348 wrote to memory of 1256 2348 026420.exe 40 PID 2348 wrote to memory of 1256 2348 026420.exe 40 PID 2348 wrote to memory of 1256 2348 026420.exe 40 PID 2348 wrote to memory of 1256 2348 026420.exe 40 PID 1256 wrote to memory of 1496 1256 66406.exe 41 PID 1256 wrote to memory of 1496 1256 66406.exe 41 PID 1256 wrote to memory of 1496 1256 66406.exe 41 PID 1256 wrote to memory of 1496 1256 66406.exe 41 PID 1496 wrote to memory of 776 1496 66064.exe 117 PID 1496 wrote to memory of 776 1496 66064.exe 117 PID 1496 wrote to memory of 776 1496 66064.exe 117 PID 1496 wrote to memory of 776 1496 66064.exe 117 PID 776 wrote to memory of 568 776 8262880.exe 43 PID 776 wrote to memory of 568 776 8262880.exe 43 PID 776 wrote to memory of 568 776 8262880.exe 43 PID 776 wrote to memory of 568 776 8262880.exe 43 PID 568 wrote to memory of 1276 568 flrfxll.exe 44 PID 568 wrote to memory of 1276 568 flrfxll.exe 44 PID 568 wrote to memory of 1276 568 flrfxll.exe 44 PID 568 wrote to memory of 1276 568 flrfxll.exe 44 PID 1276 wrote to memory of 2916 1276 dvpvj.exe 45 PID 1276 wrote to memory of 2916 1276 dvpvj.exe 45 PID 1276 wrote to memory of 2916 1276 dvpvj.exe 45 PID 1276 wrote to memory of 2916 1276 dvpvj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1ec02d60a0342e4dc1644fea4f97b446bba8ab484a7066b6be4879a8e08d872.exe"C:\Users\Admin\AppData\Local\Temp\a1ec02d60a0342e4dc1644fea4f97b446bba8ab484a7066b6be4879a8e08d872.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\82462.exec:\82462.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\3frrfrf.exec:\3frrfrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\o602408.exec:\o602408.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\m6862.exec:\m6862.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\5nhhtt.exec:\5nhhtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\hhtntt.exec:\hhtntt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\c806280.exec:\c806280.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\pvjdj.exec:\pvjdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\jpppp.exec:\jpppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\026420.exec:\026420.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\66406.exec:\66406.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\66064.exec:\66064.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\8262880.exec:\8262880.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\flrfxll.exec:\flrfxll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:568 -
\??\c:\dvpvj.exec:\dvpvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\7nbhnn.exec:\7nbhnn.exe17⤵
- Executes dropped EXE
PID:2916 -
\??\c:\ffrrfxf.exec:\ffrrfxf.exe18⤵
- Executes dropped EXE
PID:2028 -
\??\c:\48402.exec:\48402.exe19⤵
- Executes dropped EXE
PID:1604 -
\??\c:\1nnntb.exec:\1nnntb.exe20⤵
- Executes dropped EXE
PID:2288 -
\??\c:\9rlfllx.exec:\9rlfllx.exe21⤵
- Executes dropped EXE
PID:2172 -
\??\c:\jjdpp.exec:\jjdpp.exe22⤵
- Executes dropped EXE
PID:2680 -
\??\c:\frlxrff.exec:\frlxrff.exe23⤵
- Executes dropped EXE
PID:2328 -
\??\c:\48620.exec:\48620.exe24⤵
- Executes dropped EXE
PID:2260 -
\??\c:\htnntb.exec:\htnntb.exe25⤵
- Executes dropped EXE
PID:1880 -
\??\c:\vpdjp.exec:\vpdjp.exe26⤵
- Executes dropped EXE
PID:2248 -
\??\c:\lxfrrll.exec:\lxfrrll.exe27⤵
- Executes dropped EXE
PID:2128 -
\??\c:\dvdpd.exec:\dvdpd.exe28⤵
- Executes dropped EXE
PID:2068 -
\??\c:\xrlrffl.exec:\xrlrffl.exe29⤵
- Executes dropped EXE
PID:988 -
\??\c:\g6248.exec:\g6248.exe30⤵
- Executes dropped EXE
PID:1520 -
\??\c:\602862.exec:\602862.exe31⤵
- Executes dropped EXE
PID:2416 -
\??\c:\066408.exec:\066408.exe32⤵
- Executes dropped EXE
PID:1760 -
\??\c:\lrlxxlx.exec:\lrlxxlx.exe33⤵
- Executes dropped EXE
PID:1972 -
\??\c:\282664.exec:\282664.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988 -
\??\c:\4806842.exec:\4806842.exe35⤵
- Executes dropped EXE
PID:1596 -
\??\c:\lxxflxl.exec:\lxxflxl.exe36⤵
- Executes dropped EXE
PID:2080 -
\??\c:\004220.exec:\004220.exe37⤵
- Executes dropped EXE
PID:2856 -
\??\c:\8446086.exec:\8446086.exe38⤵
- Executes dropped EXE
PID:3060 -
\??\c:\6028468.exec:\6028468.exe39⤵
- Executes dropped EXE
PID:2716 -
\??\c:\0428446.exec:\0428446.exe40⤵
- Executes dropped EXE
PID:2876 -
\??\c:\1ppvj.exec:\1ppvj.exe41⤵
- Executes dropped EXE
PID:2708 -
\??\c:\8208002.exec:\8208002.exe42⤵
- Executes dropped EXE
PID:2756 -
\??\c:\6422886.exec:\6422886.exe43⤵
- Executes dropped EXE
PID:2984 -
\??\c:\08002.exec:\08002.exe44⤵
- Executes dropped EXE
PID:1956 -
\??\c:\nnhnhn.exec:\nnhnhn.exe45⤵
- Executes dropped EXE
PID:1968 -
\??\c:\2280420.exec:\2280420.exe46⤵
- Executes dropped EXE
PID:1840 -
\??\c:\44428.exec:\44428.exe47⤵
- Executes dropped EXE
PID:708 -
\??\c:\02044.exec:\02044.exe48⤵
- Executes dropped EXE
PID:784 -
\??\c:\vjvvv.exec:\vjvvv.exe49⤵
- Executes dropped EXE
PID:324 -
\??\c:\5ppdv.exec:\5ppdv.exe50⤵
- Executes dropped EXE
PID:532 -
\??\c:\vvdjp.exec:\vvdjp.exe51⤵
- Executes dropped EXE
PID:1828 -
\??\c:\ppdpd.exec:\ppdpd.exe52⤵
- Executes dropped EXE
PID:1508 -
\??\c:\rlfrxrf.exec:\rlfrxrf.exe53⤵
- Executes dropped EXE
PID:1336 -
\??\c:\ffxlxfl.exec:\ffxlxfl.exe54⤵
- Executes dropped EXE
PID:1696 -
\??\c:\60420.exec:\60420.exe55⤵
- Executes dropped EXE
PID:1724 -
\??\c:\5djdj.exec:\5djdj.exe56⤵
- Executes dropped EXE
PID:2392 -
\??\c:\5xxffxl.exec:\5xxffxl.exe57⤵
- Executes dropped EXE
PID:1976 -
\??\c:\3vpdd.exec:\3vpdd.exe58⤵
- Executes dropped EXE
PID:556 -
\??\c:\e24644.exec:\e24644.exe59⤵
- Executes dropped EXE
PID:692 -
\??\c:\6400880.exec:\6400880.exe60⤵
- Executes dropped EXE
PID:768 -
\??\c:\dddjv.exec:\dddjv.exe61⤵
- Executes dropped EXE
PID:968 -
\??\c:\hbtbnn.exec:\hbtbnn.exe62⤵
- Executes dropped EXE
PID:1128 -
\??\c:\60464.exec:\60464.exe63⤵
- Executes dropped EXE
PID:1984 -
\??\c:\hbthtb.exec:\hbthtb.exe64⤵
- Executes dropped EXE
PID:2300 -
\??\c:\btbnhh.exec:\btbnhh.exe65⤵
- Executes dropped EXE
PID:1664 -
\??\c:\002468.exec:\002468.exe66⤵PID:2176
-
\??\c:\vpjvd.exec:\vpjvd.exe67⤵PID:2380
-
\??\c:\082800.exec:\082800.exe68⤵PID:2404
-
\??\c:\flllrll.exec:\flllrll.exe69⤵PID:2208
-
\??\c:\vjpjj.exec:\vjpjj.exe70⤵PID:1088
-
\??\c:\886800.exec:\886800.exe71⤵PID:2216
-
\??\c:\dpvpv.exec:\dpvpv.exe72⤵
- System Location Discovery: System Language Discovery
PID:2952 -
\??\c:\xfxlrrx.exec:\xfxlrrx.exe73⤵PID:1988
-
\??\c:\9xllxfr.exec:\9xllxfr.exe74⤵PID:3000
-
\??\c:\2684668.exec:\2684668.exe75⤵PID:444
-
\??\c:\ffxlffx.exec:\ffxlffx.exe76⤵PID:2968
-
\??\c:\fxlxllf.exec:\fxlxllf.exe77⤵PID:1980
-
\??\c:\s2286.exec:\s2286.exe78⤵PID:2196
-
\??\c:\bbbhnn.exec:\bbbhnn.exe79⤵PID:2692
-
\??\c:\1bhtbb.exec:\1bhtbb.exe80⤵PID:2716
-
\??\c:\7djjp.exec:\7djjp.exe81⤵PID:2908
-
\??\c:\vdvdv.exec:\vdvdv.exe82⤵PID:2872
-
\??\c:\6462406.exec:\6462406.exe83⤵PID:2848
-
\??\c:\jjvvd.exec:\jjvvd.exe84⤵PID:2520
-
\??\c:\868800.exec:\868800.exe85⤵PID:2984
-
\??\c:\u080686.exec:\u080686.exe86⤵PID:1444
-
\??\c:\k68400.exec:\k68400.exe87⤵PID:2596
-
\??\c:\264028.exec:\264028.exe88⤵PID:1492
-
\??\c:\vvvpv.exec:\vvvpv.exe89⤵PID:776
-
\??\c:\rlffxll.exec:\rlffxll.exe90⤵PID:2344
-
\??\c:\pvvdp.exec:\pvvdp.exe91⤵PID:1512
-
\??\c:\q26284.exec:\q26284.exe92⤵PID:1744
-
\??\c:\82406.exec:\82406.exe93⤵PID:1084
-
\??\c:\7jvvd.exec:\7jvvd.exe94⤵PID:2044
-
\??\c:\k08028.exec:\k08028.exe95⤵PID:292
-
\??\c:\264024.exec:\264024.exe96⤵PID:2460
-
\??\c:\fxllfxl.exec:\fxllfxl.exe97⤵PID:600
-
\??\c:\nnhnbh.exec:\nnhnbh.exe98⤵PID:2428
-
\??\c:\1thnbh.exec:\1thnbh.exe99⤵PID:2172
-
\??\c:\9jjjv.exec:\9jjjv.exe100⤵PID:2804
-
\??\c:\208806.exec:\208806.exe101⤵PID:408
-
\??\c:\btnnbt.exec:\btnnbt.exe102⤵PID:2464
-
\??\c:\228840.exec:\228840.exe103⤵PID:3040
-
\??\c:\vpddj.exec:\vpddj.exe104⤵PID:2200
-
\??\c:\m2662.exec:\m2662.exe105⤵PID:2240
-
\??\c:\4240664.exec:\4240664.exe106⤵PID:2100
-
\??\c:\xlllfff.exec:\xlllfff.exe107⤵PID:2452
-
\??\c:\4806840.exec:\4806840.exe108⤵PID:1672
-
\??\c:\rfrlrrf.exec:\rfrlrrf.exe109⤵PID:2280
-
\??\c:\424060.exec:\424060.exe110⤵PID:2380
-
\??\c:\6288266.exec:\6288266.exe111⤵PID:2536
-
\??\c:\llrxflr.exec:\llrxflr.exe112⤵PID:2208
-
\??\c:\22628.exec:\22628.exe113⤵PID:1088
-
\??\c:\04802.exec:\04802.exe114⤵PID:2216
-
\??\c:\tthnnt.exec:\tthnnt.exe115⤵PID:2952
-
\??\c:\5nhhtb.exec:\5nhhtb.exe116⤵PID:1988
-
\??\c:\5rxfllx.exec:\5rxfllx.exe117⤵PID:3000
-
\??\c:\q06808.exec:\q06808.exe118⤵PID:2584
-
\??\c:\rxffrxf.exec:\rxffrxf.exe119⤵PID:2852
-
\??\c:\bthntb.exec:\bthntb.exe120⤵PID:1980
-
\??\c:\w64066.exec:\w64066.exe121⤵PID:2264
-
\??\c:\bththb.exec:\bththb.exe122⤵PID:2972