Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 19/12/2024, 03:34
Static task: static1
Behavioral task: behavioral1
Sample: c393a403acaa1bb42b6a4c2f41340953603124bb97a863d1a59907400413efb7.exe
Resource: win7-20241023-en
General
- Target: c393a403acaa1bb42b6a4c2f41340953603124bb97a863d1a59907400413efb7.exe
- Size: 454KB
- MD5: de5c08d30ffc3d71b3f752517686fd50
- SHA1: 2dda48bc45bde07e993fbcf51ec71405b74588fc
- SHA256: c393a403acaa1bb42b6a4c2f41340953603124bb97a863d1a59907400413efb7
- SHA512: 9e25ab1e3a03cf77d1fc72a29c23d3f0466358721467ec5b7064bf0f878ad540f77cd861147527795b7784e51378c337f3824e78f24b770b038eeaec5112a518
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (42 IoCs)
  yara_rule: family_blackmoon
  resource:
    behavioral1/memory/2416-0-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1732-12-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2368-21-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2820-38-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2716-57-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1648-108-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1828-142-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2028-161-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2200-177-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2656-196-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/564-229-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1552-253-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2744-329-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2936-322-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2420-297-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2632-279-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/896-186-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2932-151-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2776-117-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2364-100-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2712-88-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2924-79-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2920-66-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2976-48-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2892-29-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1172-369-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/788-368-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1172-376-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1444-380-0x00000000001B0000-0x00000000001DA000-memory.dmp
    behavioral1/memory/1444-384-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2772-398-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1496-411-0x0000000000220000-0x000000000024A000-memory.dmp
    behavioral1/memory/2168-461-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2300-476-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2540-614-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/908-767-0x0000000000220000-0x000000000024A000-memory.dmp
    behavioral1/memory/1948-774-0x00000000003D0000-0x00000000003FA000-memory.dmp
    behavioral1/memory/2432-787-0x0000000000220000-0x000000000024A000-memory.dmp
    behavioral1/memory/2972-852-0x0000000000220000-0x000000000024A000-memory.dmp
    behavioral1/memory/2280-859-0x0000000000320000-0x000000000034A000-memory.dmp
    behavioral1/memory/2972-875-0x0000000000220000-0x000000000024A000-memory.dmp
    behavioral1/memory/2112-1228-0x0000000000220000-0x000000000024A000-memory.dmp
- Executes dropped EXE (64 IoCs)
  pid   Process
  1732  m2662.exe
  2368  4868686.exe
  2892  9nbtnn.exe
  2820  0800606.exe
  2976  2022824.exe
  2716  bthhhh.exe
  2920  hhnhnt.exe
  2924  tnthnt.exe
  2712  c488008.exe
  2832  xlxflxf.exe
  2364  7rlrxfr.exe
  1648  vvvjv.exe
  2776  8644624.exe
  796   84800.exe
  1500  rlxlxxl.exe
  1828  1rxxlrf.exe
  2932  4866824.exe
  2028  u484842.exe
  2020  264066.exe
  2200  6488046.exe
  896   a6006.exe
  2656  86806.exe
  3012  9rlllrx.exe
  2300  224622.exe
  2688  rrrrffl.exe
  564   424844.exe
  2240  4244440.exe
  1776  q80000.exe
  1552  q84066.exe
  1948  3vvdd.exe
  2684  9lffrxr.exe
  2632  3lfflfl.exe
  1736  424888.exe
  1964  nbnntt.exe
  2420  824622.exe
  2120  082242.exe
  1996  dpvvj.exe
  2944  ttbhtt.exe
  2936  lfrxflx.exe
  2744  2684028.exe
  2764  002088.exe
  2844  i028062.exe
  2752  nhnnnn.exe
  2880  a0828.exe
  788   q02826.exe
  1172  bthntn.exe
  1444  20228.exe
  1716  s2002.exe
  2984  1vddv.exe
  2772  nbtnnn.exe
  1496  ppjdp.exe
  1684  frxrxfl.exe
  2032  fffllrx.exe
  2004  020066.exe
  2288  1lrxffl.exe
  1632  lxfxxxl.exe
  896   04280.exe
  2396  424888.exe
  2168  202888.exe
  768   64222.exe
  2300  pdpvd.exe
  2692  424444.exe
  1708  7hnnhh.exe
  564   48224.exe
- yara_rule: upx
  resource:
    behavioral1/memory/2416-0-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1732-12-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2368-21-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2820-38-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2716-57-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1648-108-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1828-142-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2028-161-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2200-177-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2656-196-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/564-229-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1552-253-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2752-348-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2744-329-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2936-322-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2420-297-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2632-279-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/896-186-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2932-151-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2776-117-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2364-100-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2712-88-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2924-79-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2920-66-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2976-48-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2892-29-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1172-369-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/788-368-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1172-376-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1444-380-0x00000000001B0000-0x00000000001DA000-memory.dmp
    behavioral1/memory/1444-384-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2772-398-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1684-412-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2396-449-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2168-461-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2300-469-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2300-476-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1520-513-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2500-588-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2540-614-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2256-754-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1576-794-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2824-839-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2884-860-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2972-875-0x0000000000220000-0x000000000024A000-memory.dmp
    behavioral1/memory/1956-880-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1880-990-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/1792-1003-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2432-1047-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2728-1115-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2016-1247-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2240-1268-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/344-1275-0x0000000000400000-0x000000000042A000-memory.dmp
    behavioral1/memory/2468-1370-0x0000000000400000-0x000000000042A000-memory.dmp
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (same key for all 64 entries)
  Process, in the order reported (repeated "Process not Found" entries are collapsed with a count):
    Process not Found (x6)
    7flflff.exe
    64246.exe
    Process not Found (x4)
    860022.exe
    Process not Found (x4)
    9nhnbh.exe
    208862.exe
    k46682.exe
    Process not Found (x1)
    k64466.exe
    Process not Found (x4)
    vvvjv.exe
    20446.exe
    7xrrrrf.exe
    Process not Found (x3)
    g2426.exe
    3nbbht.exe
    Process not Found (x2)
    hhbbtb.exe
    Process not Found (x16)
    8442604.exe
    Process not Found (x7)
    420000.exe
    1bthtt.exe
    Process not Found (x1)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target (each row was reported four times, 16 rows x 4 = 64 IoCs)
  PID 2416 wrote to memory of 1732 | 2416 | c393a403acaa1bb42b6a4c2f41340953603124bb97a863d1a59907400413efb7.exe | 30
  PID 1732 wrote to memory of 2368 | 1732 | m2662.exe | 31
  PID 2368 wrote to memory of 2892 | 2368 | 4868686.exe | 32
  PID 2892 wrote to memory of 2820 | 2892 | 9nbtnn.exe | 33
  PID 2820 wrote to memory of 2976 | 2820 | 0800606.exe | 34
  PID 2976 wrote to memory of 2716 | 2976 | 2022824.exe | 35
  PID 2716 wrote to memory of 2920 | 2716 | bthhhh.exe | 36
  PID 2920 wrote to memory of 2924 | 2920 | hhnhnt.exe | 37
  PID 2924 wrote to memory of 2712 | 2924 | tnthnt.exe | 38
  PID 2712 wrote to memory of 2832 | 2712 | c488008.exe | 39
  PID 2832 wrote to memory of 2364 | 2832 | xlxflxf.exe | 40
  PID 2364 wrote to memory of 1648 | 2364 | 7rlrxfr.exe | 41
  PID 1648 wrote to memory of 2776 | 1648 | vvvjv.exe | 42
  PID 2776 wrote to memory of 796 | 2776 | 8644624.exe | 43
  PID 796 wrote to memory of 1500 | 796 | 84800.exe | 44
  PID 1500 wrote to memory of 1828 | 1500 | rlxlxxl.exe | 45
Processes
(each entry: depth. path (command line) [signatures] PID; every process spawns the next one in the chain)
1. C:\Users\Admin\AppData\Local\Temp\c393a403acaa1bb42b6a4c2f41340953603124bb97a863d1a59907400413efb7.exe (command line: "C:\Users\Admin\AppData\Local\Temp\c393a403acaa1bb42b6a4c2f41340953603124bb97a863d1a59907400413efb7.exe") [Suspicious use of WriteProcessMemory] PID: 2416
2. \??\c:\m2662.exe (command line: c:\m2662.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 1732
3. \??\c:\4868686.exe (command line: c:\4868686.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 2368
4. \??\c:\9nbtnn.exe (command line: c:\9nbtnn.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 2892
5. \??\c:\0800606.exe (command line: c:\0800606.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 2820
6. \??\c:\2022824.exe (command line: c:\2022824.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 2976
7. \??\c:\bthhhh.exe (command line: c:\bthhhh.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 2716
8. \??\c:\hhnhnt.exe (command line: c:\hhnhnt.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 2920
9. \??\c:\tnthnt.exe (command line: c:\tnthnt.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 2924
10. \??\c:\c488008.exe (command line: c:\c488008.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 2712
11. \??\c:\xlxflxf.exe (command line: c:\xlxflxf.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 2832
12. \??\c:\7rlrxfr.exe (command line: c:\7rlrxfr.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 2364
13. \??\c:\vvvjv.exe (command line: c:\vvvjv.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 1648
14. \??\c:\8644624.exe (command line: c:\8644624.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 2776
15. \??\c:\84800.exe (command line: c:\84800.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 796
16. \??\c:\rlxlxxl.exe (command line: c:\rlxlxxl.exe) [Executes dropped EXE; Suspicious use of WriteProcessMemory] PID: 1500
17. \??\c:\1rxxlrf.exe (command line: c:\1rxxlrf.exe) [Executes dropped EXE] PID: 1828
18. \??\c:\4866824.exe (command line: c:\4866824.exe) [Executes dropped EXE] PID: 2932
19. \??\c:\u484842.exe (command line: c:\u484842.exe) [Executes dropped EXE] PID: 2028
20. \??\c:\264066.exe (command line: c:\264066.exe) [Executes dropped EXE] PID: 2020
21. \??\c:\6488046.exe (command line: c:\6488046.exe) [Executes dropped EXE] PID: 2200
22. \??\c:\a6006.exe (command line: c:\a6006.exe) [Executes dropped EXE] PID: 896
23. \??\c:\86806.exe (command line: c:\86806.exe) [Executes dropped EXE] PID: 2656
24. \??\c:\9rlllrx.exe (command line: c:\9rlllrx.exe) [Executes dropped EXE] PID: 3012
25. \??\c:\224622.exe (command line: c:\224622.exe) [Executes dropped EXE] PID: 2300
26. \??\c:\rrrrffl.exe (command line: c:\rrrrffl.exe) [Executes dropped EXE] PID: 2688
27. \??\c:\424844.exe (command line: c:\424844.exe) [Executes dropped EXE] PID: 564
28. \??\c:\4244440.exe (command line: c:\4244440.exe) [Executes dropped EXE] PID: 2240
29. \??\c:\q80000.exe (command line: c:\q80000.exe) [Executes dropped EXE] PID: 1776
30. \??\c:\q84066.exe (command line: c:\q84066.exe) [Executes dropped EXE] PID: 1552
31. \??\c:\3vvdd.exe (command line: c:\3vvdd.exe) [Executes dropped EXE] PID: 1948
32. \??\c:\9lffrxr.exe (command line: c:\9lffrxr.exe) [Executes dropped EXE] PID: 2684
33. \??\c:\3lfflfl.exe (command line: c:\3lfflfl.exe) [Executes dropped EXE] PID: 2632
34. \??\c:\424888.exe (command line: c:\424888.exe) [Executes dropped EXE] PID: 1736
35. \??\c:\nbnntt.exe (command line: c:\nbnntt.exe) [Executes dropped EXE] PID: 1964
36. \??\c:\824622.exe (command line: c:\824622.exe) [Executes dropped EXE] PID: 2420
37. \??\c:\082242.exe (command line: c:\082242.exe) [Executes dropped EXE] PID: 2120
38. \??\c:\dpvvj.exe (command line: c:\dpvvj.exe) [Executes dropped EXE] PID: 1996
39. \??\c:\ttbhtt.exe (command line: c:\ttbhtt.exe) [Executes dropped EXE] PID: 2944
40. \??\c:\lfrxflx.exe (command line: c:\lfrxflx.exe) [Executes dropped EXE] PID: 2936
41. \??\c:\2684028.exe (command line: c:\2684028.exe) [Executes dropped EXE] PID: 2744
42. \??\c:\002088.exe (command line: c:\002088.exe) [Executes dropped EXE] PID: 2764
43. \??\c:\i028062.exe (command line: c:\i028062.exe) [Executes dropped EXE] PID: 2844
44. \??\c:\nhnnnn.exe (command line: c:\nhnnnn.exe) [Executes dropped EXE] PID: 2752
45. \??\c:\a0828.exe (command line: c:\a0828.exe) [Executes dropped EXE] PID: 2880
46. \??\c:\q02826.exe (command line: c:\q02826.exe) [Executes dropped EXE] PID: 788
47. \??\c:\bthntn.exe (command line: c:\bthntn.exe) [Executes dropped EXE] PID: 1172
48. \??\c:\20228.exe (command line: c:\20228.exe) [Executes dropped EXE] PID: 1444
49. \??\c:\s2002.exe (command line: c:\s2002.exe) [Executes dropped EXE] PID: 1716
50. \??\c:\1vddv.exe (command line: c:\1vddv.exe) [Executes dropped EXE] PID: 2984
51. \??\c:\nbtnnn.exe (command line: c:\nbtnnn.exe) [Executes dropped EXE] PID: 2772
52. \??\c:\ppjdp.exe (command line: c:\ppjdp.exe) [Executes dropped EXE] PID: 1496
53. \??\c:\frxrxfl.exe (command line: c:\frxrxfl.exe) [Executes dropped EXE] PID: 1684
54. \??\c:\fffllrx.exe (command line: c:\fffllrx.exe) [Executes dropped EXE] PID: 2032
55. \??\c:\020066.exe (command line: c:\020066.exe) [Executes dropped EXE] PID: 2004
56. \??\c:\1lrxffl.exe (command line: c:\1lrxffl.exe) [Executes dropped EXE] PID: 2288
57. \??\c:\lxfxxxl.exe (command line: c:\lxfxxxl.exe) [Executes dropped EXE] PID: 1632
58. \??\c:\04280.exe (command line: c:\04280.exe) [Executes dropped EXE] PID: 896
59. \??\c:\424888.exe (command line: c:\424888.exe) [Executes dropped EXE] PID: 2396
60. \??\c:\202888.exe (command line: c:\202888.exe) [Executes dropped EXE] PID: 2168
61. \??\c:\64222.exe (command line: c:\64222.exe) [Executes dropped EXE] PID: 768
62. \??\c:\pdpvd.exe (command line: c:\pdpvd.exe) [Executes dropped EXE] PID: 2300
63. \??\c:\424444.exe (command line: c:\424444.exe) [Executes dropped EXE] PID: 2692
64. \??\c:\7hnnhh.exe (command line: c:\7hnnhh.exe) [Executes dropped EXE] PID: 1708
65. \??\c:\48224.exe (command line: c:\48224.exe) [Executes dropped EXE] PID: 564
66. \??\c:\hthhhh.exe (command line: c:\hthhhh.exe) PID: 2352
67. \??\c:\9lflrxf.exe (command line: c:\9lflrxf.exe) PID: 2068
68. \??\c:\pjdjv.exe (command line: c:\pjdjv.exe) PID: 2524
69. \??\c:\hthhtn.exe (command line: c:\hthhtn.exe) PID: 1520
70. \??\c:\jvpvv.exe (command line: c:\jvpvv.exe) PID: 2192
71. \??\c:\0026622.exe (command line: c:\0026622.exe) PID: 1616
72. \??\c:\thntbt.exe (command line: c:\thntbt.exe) PID: 1088
73. \??\c:\420000.exe (command line: c:\420000.exe) [System Location Discovery: System Language Discovery] PID: 1964
74. \??\c:\hthnbh.exe (command line: c:\hthnbh.exe) PID: 624
75. \??\c:\dvpvv.exe (command line: c:\dvpvv.exe) PID: 2488
76. \??\c:\jvvjp.exe (command line: c:\jvvjp.exe) PID: 2252
77. \??\c:\nhbhtb.exe (command line: c:\nhbhtb.exe) PID: 2948
78. \??\c:\206066.exe (command line: c:\206066.exe) PID: 548
79. \??\c:\04246.exe (command line: c:\04246.exe) PID: 2828
80. \??\c:\pjddj.exe (command line: c:\pjddj.exe) PID: 3020
81. \??\c:\frffllx.exe (command line: c:\frffllx.exe) PID: 2500
82. \??\c:\llfxfrx.exe (command line: c:\llfxfrx.exe) PID: 2924
83. \??\c:\hhbhtt.exe (command line: c:\hhbhtt.exe) PID: 2844
84. \??\c:\9rflrlr.exe (command line: c:\9rflrlr.exe) PID: 2540
85. \??\c:\04846.exe (command line: c:\04846.exe) PID: 2836
86. \??\c:\6662020.exe (command line: c:\6662020.exe) PID: 2140
87. \??\c:\0004200.exe (command line: c:\0004200.exe) PID: 1968
88. \??\c:\1tbhht.exe (command line: c:\1tbhht.exe) PID: 2908
89. \??\c:\hbntbb.exe (command line: c:\hbntbb.exe) PID: 2492
90. \??\c:\1thnnn.exe (command line: c:\1thnnn.exe) PID: 688
91. \??\c:\6488446.exe (command line: c:\6488446.exe) PID: 1500
92. \??\c:\1bnnbb.exe (command line: c:\1bnnbb.exe) PID: 700
93. \??\c:\3frrfll.exe (command line: c:\3frrfll.exe) PID: 2772
94. \??\c:\rxllrlx.exe (command line: c:\rxllrlx.exe) PID: 1492
95. \??\c:\04846.exe (command line: c:\04846.exe) PID: 1684
96. \??\c:\860200.exe (command line: c:\860200.exe) PID: 2040
97. \??\c:\s0406.exe (command line: c:\s0406.exe) PID: 2748
98. \??\c:\604428.exe (command line: c:\604428.exe) PID: 2200
99. \??\c:\2660062.exe (command line: c:\2660062.exe) PID: 828
100. \??\c:\048648.exe (command line: c:\048648.exe) PID: 2608
101. \??\c:\9dpjv.exe (command line: c:\9dpjv.exe) PID: 636
102. \??\c:\264400.exe (command line: c:\264400.exe) PID: 1440
103. \??\c:\482840.exe (command line: c:\482840.exe) PID: 2168
104. \??\c:\44626.exe (command line: c:\44626.exe) PID: 2316
105. \??\c:\s8208.exe (command line: c:\s8208.exe) PID: 2460
106. \??\c:\hnbnbn.exe (command line: c:\hnbnbn.exe) PID: 2284
107. \??\c:\tbthbh.exe (command line: c:\tbthbh.exe) PID: 2688
108. \??\c:\rxrxfff.exe (command line: c:\rxrxfff.exe) PID: 2256
109. \??\c:\nbntbh.exe (command line: c:\nbntbh.exe) PID: 908
110. \??\c:\9rfxfff.exe (command line: c:\9rfxfff.exe) PID: 1948
111. \??\c:\hbtbhn.exe (command line: c:\hbtbhn.exe) PID: 348
112. \??\c:\htbhht.exe (command line: c:\htbhht.exe) PID: 2432
113. \??\c:\6044628.exe (command line: c:\6044628.exe) PID: 3056
114. \??\c:\btntbb.exe (command line: c:\btntbb.exe) PID: 1576
115. \??\c:\204084.exe (command line: c:\204084.exe) PID: 2144
116. \??\c:\000600.exe (command line: c:\000600.exe) PID: 1704
117. \??\c:\jdppp.exe (command line: c:\jdppp.exe) PID: 2852
118. \??\c:\860642.exe (command line: c:\860642.exe) PID: 2868
119. \??\c:\ttnnhn.exe (command line: c:\ttnnhn.exe) PID: 1040
120. \??\c:\k44684.exe (command line: c:\k44684.exe) PID: 548
121. \??\c:\jjpdd.exe (command line: c:\jjpdd.exe) PID: 2824
122. \??\c:\rrxflrl.exe (command line: c:\rrxflrl.exe) PID: 2972