Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 19/12/2024, 05:37
Static task: static1
Behavioral task: behavioral1
- Sample: e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe
- Resource: win7-20240708-en
General
- Target: e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe
- Size: 455KB
- MD5: 586844b1b9fedf8945bf698ece5ae46f
- SHA1: de05dcf23bbfecff202fc078b529cac8ae6eca7a
- SHA256: e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17
- SHA512: cde0c16ad83d110ae8cb3d9289471af6630a7014e99c6c744edad97e976792002cdb56a310777fded3f65c58aee8c8c6e97a6421dea14b05ea66449eb29e40c3
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRw:q7Tc2NYHUrAwfMp3CDRw
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (44 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (nesting depth, path, command line, PID, triggered signatures)
1. C:\Users\Admin\AppData\Local\Temp\e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe", PID 1780): Suspicious use of WriteProcessMemory
2. \??\c:\9hbnhn.exe (cmd: c:\9hbnhn.exe, PID 2184): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\tthnht.exe (cmd: c:\tthnht.exe, PID 2712): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\hthnbt.exe (cmd: c:\hthnbt.exe, PID 2780): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\466468.exe (cmd: c:\466468.exe, PID 3008): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\g6002.exe (cmd: c:\g6002.exe, PID 2940): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\lrffrxr.exe (cmd: c:\lrffrxr.exe, PID 2820): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\46268.exe (cmd: c:\46268.exe, PID 2572): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\bbthth.exe (cmd: c:\bbthth.exe, PID 2692): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\220840.exe (cmd: c:\220840.exe, PID 2424): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\204864.exe (cmd: c:\204864.exe, PID 2912): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\2680682.exe (cmd: c:\2680682.exe, PID 1992): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\s6402.exe (cmd: c:\s6402.exe, PID 2000): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\2602402.exe (cmd: c:\2602402.exe, PID 2632): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\5hbhth.exe (cmd: c:\5hbhth.exe, PID 2872): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\s8802.exe (cmd: c:\s8802.exe, PID 2040): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\hhbhtb.exe (cmd: c:\hhbhtb.exe, PID 1584): Executes dropped EXE
18. \??\c:\44662.exe (cmd: c:\44662.exe, PID 2392): Executes dropped EXE
19. \??\c:\tnnthh.exe (cmd: c:\tnnthh.exe, PID 1252): Executes dropped EXE
20. \??\c:\86408.exe (cmd: c:\86408.exe, PID 1648): Executes dropped EXE
21. \??\c:\ddppd.exe (cmd: c:\ddppd.exe, PID 1948): Executes dropped EXE
22. \??\c:\g8242.exe (cmd: c:\g8242.exe, PID 2220): Executes dropped EXE
23. \??\c:\6040624.exe (cmd: c:\6040624.exe, PID 1696): Executes dropped EXE
24. \??\c:\1vppj.exe (cmd: c:\1vppj.exe, PID 448): Executes dropped EXE
25. \??\c:\1xrflrl.exe (cmd: c:\1xrflrl.exe, PID 1872): Executes dropped EXE
26. \??\c:\q00802.exe (cmd: c:\q00802.exe, PID 1784): Executes dropped EXE
27. \??\c:\xflfxll.exe (cmd: c:\xflfxll.exe, PID 1468): Executes dropped EXE
28. \??\c:\ffxfrll.exe (cmd: c:\ffxfrll.exe, PID 1668): Executes dropped EXE
29. \??\c:\i862882.exe (cmd: c:\i862882.exe, PID 1044): Executes dropped EXE
30. \??\c:\8244802.exe (cmd: c:\8244802.exe, PID 2476): Executes dropped EXE
31. \??\c:\xfxlxxr.exe (cmd: c:\xfxlxxr.exe, PID 988): Executes dropped EXE
32. \??\c:\nnbbnb.exe (cmd: c:\nnbbnb.exe, PID 888): Executes dropped EXE
33. \??\c:\3nbnbn.exe (cmd: c:\3nbnbn.exe, PID 2168): Executes dropped EXE
34. \??\c:\fllrxfx.exe (cmd: c:\fllrxfx.exe, PID 1512): Executes dropped EXE
35. \??\c:\264028.exe (cmd: c:\264028.exe, PID 2500): Executes dropped EXE
36. \??\c:\60842.exe (cmd: c:\60842.exe, PID 2712): Executes dropped EXE
37. \??\c:\lllxlxr.exe (cmd: c:\lllxlxr.exe, PID 2704): Executes dropped EXE
38. \??\c:\7pdjd.exe (cmd: c:\7pdjd.exe, PID 1508): Executes dropped EXE
39. \??\c:\pvddv.exe (cmd: c:\pvddv.exe, PID 2812): Executes dropped EXE
40. \??\c:\84880.exe (cmd: c:\84880.exe, PID 2768): Executes dropped EXE
41. \??\c:\xxrxrfx.exe (cmd: c:\xxrxrfx.exe, PID 2580): Executes dropped EXE
42. \??\c:\pvvvv.exe (cmd: c:\pvvvv.exe, PID 2120): Executes dropped EXE
43. \??\c:\lfxflrr.exe (cmd: c:\lfxflrr.exe, PID 2628): Executes dropped EXE
44. \??\c:\xrlrflx.exe (cmd: c:\xrlrflx.exe, PID 2976): Executes dropped EXE
45. \??\c:\vdppd.exe (cmd: c:\vdppd.exe, PID 2912): Executes dropped EXE
46. \??\c:\486606.exe (cmd: c:\486606.exe, PID 1348): Executes dropped EXE
47. \??\c:\flllfrr.exe (cmd: c:\flllfrr.exe, PID 1920): Executes dropped EXE
48. \??\c:\lxrxxlx.exe (cmd: c:\lxrxxlx.exe, PID 2760): Executes dropped EXE
49. \??\c:\8002082.exe (cmd: c:\8002082.exe, PID 2672): Executes dropped EXE
50. \??\c:\886806.exe (cmd: c:\886806.exe, PID 2888): Executes dropped EXE
51. \??\c:\bthnnt.exe (cmd: c:\bthnnt.exe, PID 2884): Executes dropped EXE
52. \??\c:\pdppd.exe (cmd: c:\pdppd.exe, PID 1388): Executes dropped EXE
53. \??\c:\rlflrff.exe (cmd: c:\rlflrff.exe, PID 1268): Executes dropped EXE
54. \??\c:\9lxlfrf.exe (cmd: c:\9lxlfrf.exe, PID 1832): Executes dropped EXE
55. \??\c:\24220.exe (cmd: c:\24220.exe, PID 1424): Executes dropped EXE
56. \??\c:\nthnht.exe (cmd: c:\nthnht.exe, PID 3040): Executes dropped EXE
57. \??\c:\4888006.exe (cmd: c:\4888006.exe, PID 1136): Executes dropped EXE
58. \??\c:\660206.exe (cmd: c:\660206.exe, PID 2944): Executes dropped EXE
59. \??\c:\xlxxffl.exe (cmd: c:\xlxxffl.exe, PID 1872): Executes dropped EXE
60. \??\c:\a2620.exe (cmd: c:\a2620.exe, PID 940): Executes dropped EXE
61. \??\c:\2084004.exe (cmd: c:\2084004.exe, PID 2384): Executes dropped EXE
62. \??\c:\bnnbtb.exe (cmd: c:\bnnbtb.exe, PID 2568): Executes dropped EXE
63. \??\c:\420868.exe (cmd: c:\420868.exe, PID 2196): Executes dropped EXE
64. \??\c:\0040224.exe (cmd: c:\0040224.exe, PID 908): Executes dropped EXE
65. \??\c:\pvvdp.exe (cmd: c:\pvvdp.exe, PID 1468): Executes dropped EXE
66. \??\c:\1lrrrrr.exe (cmd: c:\1lrrrrr.exe, PID 2428)
67. \??\c:\xlffffl.exe (cmd: c:\xlffffl.exe, PID 1720)
68. \??\c:\s6668.exe (cmd: c:\s6668.exe, PID 1576)
69. \??\c:\nhtttt.exe (cmd: c:\nhtttt.exe, PID 560)
70. \??\c:\fxrrrxf.exe (cmd: c:\fxrrrxf.exe, PID 2288)
71. \??\c:\5vdvp.exe (cmd: c:\5vdvp.exe, PID 1416)
72. \??\c:\226688.exe (cmd: c:\226688.exe, PID 2356)
73. \??\c:\s2668.exe (cmd: c:\s2668.exe, PID 1524)
74. \??\c:\xrrxrrf.exe (cmd: c:\xrrxrrf.exe, PID 2700)
75. \??\c:\nnbhbh.exe (cmd: c:\nnbhbh.exe, PID 884)
76. \??\c:\vpvpv.exe (cmd: c:\vpvpv.exe, PID 2724)
77. \??\c:\w60022.exe (cmd: c:\w60022.exe, PID 2852)
78. \??\c:\btbntn.exe (cmd: c:\btbntn.exe, PID 2592)
79. \??\c:\dvvjj.exe (cmd: c:\dvvjj.exe, PID 2940)
80. \??\c:\5thttt.exe (cmd: c:\5thttt.exe, PID 2684)
81. \??\c:\w80082.exe (cmd: c:\w80082.exe, PID 1196)
82. \??\c:\646244.exe (cmd: c:\646244.exe, PID 2740)
83. \??\c:\fflrxxr.exe (cmd: c:\fflrxxr.exe, PID 2120)
84. \??\c:\260680.exe (cmd: c:\260680.exe, PID 2388)
85. \??\c:\nhnhth.exe (cmd: c:\nhnhth.exe, PID 2264)
86. \??\c:\626480.exe (cmd: c:\626480.exe, PID 2284)
87. \??\c:\i086804.exe (cmd: c:\i086804.exe, PID 2000)
88. \??\c:\260202.exe (cmd: c:\260202.exe, PID 2632)
89. \??\c:\64288.exe (cmd: c:\64288.exe, PID 2948)
90. \??\c:\4402420.exe (cmd: c:\4402420.exe, PID 2552)
91. \??\c:\bthhnt.exe (cmd: c:\bthhnt.exe, PID 540)
92. \??\c:\q00688.exe (cmd: c:\q00688.exe, PID 664)
93. \??\c:\btttth.exe (cmd: c:\btttth.exe, PID 1340)
94. \??\c:\xlffllf.exe (cmd: c:\xlffllf.exe, PID 320)
95. \??\c:\xlflrrr.exe (cmd: c:\xlflrrr.exe, PID 2096)
96. \??\c:\bnthbn.exe (cmd: c:\bnthbn.exe, PID 2936)
97. \??\c:\q02466.exe (cmd: c:\q02466.exe, PID 1740)
98. \??\c:\6466668.exe (cmd: c:\6466668.exe, PID 1588)
99. \??\c:\nhthtt.exe (cmd: c:\nhthtt.exe, PID 1940)
100. \??\c:\fxrxfrr.exe (cmd: c:\fxrxfrr.exe, PID 2668)
101. \??\c:\tnthhn.exe (cmd: c:\tnthhn.exe, PID 620)
102. \??\c:\nhtbnt.exe (cmd: c:\nhtbnt.exe, PID 940)
103. \??\c:\tnhhtb.exe (cmd: c:\tnhhtb.exe, PID 996)
104. \??\c:\20606.exe (cmd: c:\20606.exe, PID 1652)
105. \??\c:\m2666.exe (cmd: c:\m2666.exe, PID 2196)
106. \??\c:\o606806.exe (cmd: c:\o606806.exe, PID 2004)
107. \??\c:\s6008.exe (cmd: c:\s6008.exe, PID 1468)
108. \??\c:\q68088.exe (cmd: c:\q68088.exe, PID 2428)
109. \??\c:\424640.exe (cmd: c:\424640.exe, PID 1720)
110. \??\c:\424082.exe (cmd: c:\424082.exe, PID 1400)
111. \??\c:\64288.exe (cmd: c:\64288.exe, PID 560)
112. \??\c:\608844.exe (cmd: c:\608844.exe, PID 2288)
113. \??\c:\608800.exe (cmd: c:\608800.exe, PID 2168)
114. \??\c:\a4880.exe (cmd: c:\a4880.exe, PID 2356)
115. \??\c:\rrllrxl.exe (cmd: c:\rrllrxl.exe, PID 1524): System Location Discovery: System Language Discovery
116. \??\c:\vpdjp.exe (cmd: c:\vpdjp.exe, PID 3020)
117. \??\c:\rffxfxx.exe (cmd: c:\rffxfxx.exe, PID 2848)
118. \??\c:\220086.exe (cmd: c:\220086.exe, PID 2800)
119. \??\c:\nnttbh.exe (cmd: c:\nnttbh.exe, PID 2596)
120. \??\c:\nbtbnt.exe (cmd: c:\nbtbnt.exe, PID 2744)
121. \??\c:\rrxrxfl.exe (cmd: c:\rrxrxfl.exe, PID 2768)
122. \??\c:\4268020.exe (cmd: c:\4268020.exe, PID 2580)