Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19/12/2024, 06:15
Static task: static1
Behavioral task: behavioral1
Sample: 98f2513e7f6634f2aaeab123d917c7d951683bd3bfa5d37c13d00af289622982.exe
Resource: win7-20240903-en
General
Target: 98f2513e7f6634f2aaeab123d917c7d951683bd3bfa5d37c13d00af289622982.exe
Size: 454KB
MD5: 292017c17459514a9baf708a9424c4c7
SHA1: 16677736b9343ac68a200a293069ef0891932af8
SHA256: 98f2513e7f6634f2aaeab123d917c7d951683bd3bfa5d37c13d00af289622982
SHA512: f7176e91d326609e401d02352baf1ba31ee2b208faf5e6b5c7989f267dc4ae5ec6225fb87b57d921e4eca37bcdc2f8e656cc35410b8df227588aeaf472ffe748
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1F:q7Tc2NYHUrAwfMp3CD1F
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload: 50 IoCs
Executes dropped EXE: 64 IoCs
(pid/Process list of the 64 dropped executables omitted; the same processes appear in the process tree below)
yara_rule upx: matched in dumped process memory regions of the sample and the dropped executables (per-dump resource list omitted)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (opened by 64 of the dropped processes; per-process list omitted)
Suspicious use of WriteProcessMemory: 64 IoCs
(64 "PID X wrote to memory of Y" entries along the process chain starting at PID 2492; the chain is reproduced in the process tree below, per-entry list omitted)
Processes
Each line: depth marker (N⤵, the process at depth N is the child of the one at depth N-1) | image path | command line | PID | matched signatures
1⤵ C:\Users\Admin\AppData\Local\Temp\98f2513e7f6634f2aaeab123d917c7d951683bd3bfa5d37c13d00af289622982.exe | "C:\Users\Admin\AppData\Local\Temp\98f2513e7f6634f2aaeab123d917c7d951683bd3bfa5d37c13d00af289622982.exe" | PID 2492 | Suspicious use of WriteProcessMemory
2⤵ \??\c:\444046.exe | c:\444046.exe | PID 2524 | Executes dropped EXE; Suspicious use of WriteProcessMemory
3⤵ \??\c:\hthhnh.exe | c:\hthhnh.exe | PID 2328 | Executes dropped EXE; Suspicious use of WriteProcessMemory
4⤵ \??\c:\88828.exe | c:\88828.exe | PID 2856 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5⤵ \??\c:\0046408.exe | c:\0046408.exe | PID 2696 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6⤵ \??\c:\dpvpp.exe | c:\dpvpp.exe | PID 2984 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7⤵ \??\c:\0002626.exe | c:\0002626.exe | PID 2760 | Executes dropped EXE; Suspicious use of WriteProcessMemory
8⤵ \??\c:\4442626.exe | c:\4442626.exe | PID 2668 | Executes dropped EXE; Suspicious use of WriteProcessMemory
9⤵ \??\c:\hnntnb.exe | c:\hnntnb.exe | PID 2724 | Executes dropped EXE; Suspicious use of WriteProcessMemory
10⤵ \??\c:\04686.exe | c:\04686.exe | PID 2544 | Executes dropped EXE; Suspicious use of WriteProcessMemory
11⤵ \??\c:\jpvjd.exe | c:\jpvjd.exe | PID 3064 | Executes dropped EXE; Suspicious use of WriteProcessMemory
12⤵ \??\c:\660868.exe | c:\660868.exe | PID 2248 | Executes dropped EXE; Suspicious use of WriteProcessMemory
13⤵ \??\c:\vppjj.exe | c:\vppjj.exe | PID 2876 | Executes dropped EXE; Suspicious use of WriteProcessMemory
14⤵ \??\c:\ntnnnn.exe | c:\ntnnnn.exe | PID 2368 | Executes dropped EXE; Suspicious use of WriteProcessMemory
15⤵ \??\c:\lllxrfx.exe | c:\lllxrfx.exe | PID 316 | Executes dropped EXE; Suspicious use of WriteProcessMemory
16⤵ \??\c:\4026000.exe | c:\4026000.exe | PID 1960 | Executes dropped EXE; Suspicious use of WriteProcessMemory
17⤵ \??\c:\0486004.exe | c:\0486004.exe | PID 2948 | Executes dropped EXE
18⤵ \??\c:\82620.exe | c:\82620.exe | PID 304 | Executes dropped EXE
19⤵ \??\c:\5jdvv.exe | c:\5jdvv.exe | PID 1444 | Executes dropped EXE
20⤵ \??\c:\xflxrff.exe | c:\xflxrff.exe | PID 2052 | Executes dropped EXE
21⤵ \??\c:\u266280.exe | c:\u266280.exe | PID 1900 | Executes dropped EXE
22⤵ \??\c:\pvpjd.exe | c:\pvpjd.exe | PID 1968 | Executes dropped EXE
23⤵ \??\c:\ntnbnb.exe | c:\ntnbnb.exe | PID 1092 | Executes dropped EXE
24⤵ \??\c:\rxfxlff.exe | c:\rxfxlff.exe | PID 1764 | Executes dropped EXE
25⤵ \??\c:\820224.exe | c:\820224.exe | PID 2204 | Executes dropped EXE
26⤵ \??\c:\2260804.exe | c:\2260804.exe | PID 2440 | Executes dropped EXE
27⤵ \??\c:\vvpjj.exe | c:\vvpjj.exe | PID 2176 | Executes dropped EXE
28⤵ \??\c:\1xxffxx.exe | c:\1xxffxx.exe | PID 1992 | Executes dropped EXE
29⤵ \??\c:\060208.exe | c:\060208.exe | PID 2508 | Executes dropped EXE
30⤵ \??\c:\0242828.exe | c:\0242828.exe | PID 2404 | Executes dropped EXE
31⤵ \??\c:\c868842.exe | c:\c868842.exe | PID 1236 | Executes dropped EXE
32⤵ \??\c:\82002.exe | c:\82002.exe | PID 1192 | Executes dropped EXE
33⤵ \??\c:\682660.exe | c:\682660.exe | PID 1148 | Executes dropped EXE
34⤵ \??\c:\606442.exe | c:\606442.exe | PID 3036 | Executes dropped EXE
35⤵ \??\c:\2848248.exe | c:\2848248.exe | PID 924 | Executes dropped EXE
36⤵ \??\c:\rrrlfrx.exe | c:\rrrlfrx.exe | PID 2768 | Executes dropped EXE
37⤵ \??\c:\6804884.exe | c:\6804884.exe | PID 2748 | Executes dropped EXE
38⤵ \??\c:\44482.exe | c:\44482.exe | PID 2708 | Executes dropped EXE
39⤵ \??\c:\88684.exe | c:\88684.exe | PID 2556 | Executes dropped EXE
40⤵ \??\c:\btbbbt.exe | c:\btbbbt.exe | PID 2852 | Executes dropped EXE
41⤵ \??\c:\48806.exe | c:\48806.exe | PID 2712 | Executes dropped EXE
42⤵ \??\c:\4266408.exe | c:\4266408.exe | PID 2756 | Executes dropped EXE
43⤵ \??\c:\fxffffx.exe | c:\fxffffx.exe | PID 2724 | Executes dropped EXE
44⤵ \??\c:\lxlrflx.exe | c:\lxlrflx.exe | PID 2004 | Executes dropped EXE
45⤵ \??\c:\ntbnht.exe | c:\ntbnht.exe | PID 1520 | Executes dropped EXE
46⤵ \??\c:\2842688.exe | c:\2842688.exe | PID 844 | Executes dropped EXE
47⤵ \??\c:\28866.exe | c:\28866.exe | PID 2788 | Executes dropped EXE
48⤵ \??\c:\rlrrrfr.exe | c:\rlrrrfr.exe | PID 2876 | Executes dropped EXE
49⤵ \??\c:\888002.exe | c:\888002.exe | PID 2796 | Executes dropped EXE
50⤵ \??\c:\1pjpd.exe | c:\1pjpd.exe | PID 1720 | Executes dropped EXE
51⤵ \??\c:\268848.exe | c:\268848.exe | PID 1324 | Executes dropped EXE
52⤵ \??\c:\2440280.exe | c:\2440280.exe | PID 3040 | Executes dropped EXE
53⤵ \??\c:\xxrllfl.exe | c:\xxrllfl.exe | PID 2916 | Executes dropped EXE
54⤵ \??\c:\rrlfffx.exe | c:\rrlfffx.exe | PID 892 | Executes dropped EXE
55⤵ \??\c:\btnbhh.exe | c:\btnbhh.exe | PID 2208 | Executes dropped EXE
56⤵ \??\c:\26022.exe | c:\26022.exe | PID 548 | Executes dropped EXE
57⤵ \??\c:\620008.exe | c:\620008.exe | PID 2244 | Executes dropped EXE
58⤵ \??\c:\lfxrllx.exe | c:\lfxrllx.exe | PID 972 | Executes dropped EXE
59⤵ \??\c:\hhhbtb.exe | c:\hhhbtb.exe | PID 1344 | Executes dropped EXE
60⤵ \??\c:\xrffrlf.exe | c:\xrffrlf.exe | PID 1652 | Executes dropped EXE
61⤵ \??\c:\8066888.exe | c:\8066888.exe | PID 1316 | Executes dropped EXE
62⤵ \??\c:\9rxlrll.exe | c:\9rxlrll.exe | PID 1040 | Executes dropped EXE
63⤵ \??\c:\e66464.exe | c:\e66464.exe | PID 780 | Executes dropped EXE
64⤵ \??\c:\tbhtnt.exe | c:\tbhtnt.exe | PID 236 | Executes dropped EXE
65⤵ \??\c:\jvjdv.exe | c:\jvjdv.exe | PID 2380 | Executes dropped EXE
66⤵ \??\c:\3vppj.exe | c:\3vppj.exe | PID 1256
67⤵ \??\c:\i080686.exe | c:\i080686.exe | PID 2444
68⤵ \??\c:\888084.exe | c:\888084.exe | PID 1492
69⤵ \??\c:\40600.exe | c:\40600.exe | PID 1656
70⤵ \??\c:\04460.exe | c:\04460.exe | PID 2956
71⤵ \??\c:\666820.exe | c:\666820.exe | PID 2516
72⤵ \??\c:\6804000.exe | c:\6804000.exe | PID 2260
73⤵ \??\c:\8224648.exe | c:\8224648.exe | PID 2456
74⤵ \??\c:\482800.exe | c:\482800.exe | PID 1588
75⤵ \??\c:\888024.exe | c:\888024.exe | PID 2096
76⤵ \??\c:\nhbthh.exe | c:\nhbthh.exe | PID 3036
77⤵ \??\c:\nnthbn.exe | c:\nnthbn.exe | PID 2000
78⤵ \??\c:\8486682.exe | c:\8486682.exe | PID 2832
79⤵ \??\c:\k00640.exe | c:\k00640.exe | PID 2700
80⤵ \??\c:\jjddv.exe | c:\jjddv.exe | PID 2676
81⤵ \??\c:\ddjpj.exe | c:\ddjpj.exe | PID 2844
82⤵ \??\c:\0466028.exe | c:\0466028.exe | PID 2720
83⤵ \??\c:\c228240.exe | c:\c228240.exe | PID 2820
84⤵ \??\c:\bhnnhh.exe | c:\bhnnhh.exe | PID 2568
85⤵ \??\c:\3rfxlxr.exe | c:\3rfxlxr.exe | PID 2560
86⤵ \??\c:\1djpd.exe | c:\1djpd.exe | PID 2672 | System Location Discovery: System Language Discovery
87⤵ \??\c:\7bbnhh.exe | c:\7bbnhh.exe | PID 628
88⤵ \??\c:\4244222.exe | c:\4244222.exe | PID 2376
89⤵ \??\c:\bnhtbn.exe | c:\bnhtbn.exe | PID 788
90⤵ \??\c:\44842.exe | c:\44842.exe | PID 1816
91⤵ \??\c:\826686.exe | c:\826686.exe | PID 2368
92⤵ \??\c:\006600.exe | c:\006600.exe | PID 2796
93⤵ \??\c:\bhbnht.exe | c:\bhbnht.exe | PID 1984
94⤵ \??\c:\bnbbtb.exe | c:\bnbbtb.exe | PID 564
95⤵ \??\c:\00082.exe | c:\00082.exe | PID 3040
96⤵ \??\c:\484448.exe | c:\484448.exe | PID 2104
97⤵ \??\c:\7rllrrf.exe | c:\7rllrrf.exe | PID 2152
98⤵ \??\c:\ttbtnb.exe | c:\ttbtnb.exe | PID 1936
99⤵ \??\c:\flllxxx.exe | c:\flllxxx.exe | PID 848
100⤵ \??\c:\0404242.exe | c:\0404242.exe | PID 2052
101⤵ \??\c:\s0408.exe | c:\s0408.exe | PID 1608
102⤵ \??\c:\8402624.exe | c:\8402624.exe | PID 852
103⤵ \??\c:\0028842.exe | c:\0028842.exe | PID 1060
104⤵ \??\c:\440886.exe | c:\440886.exe | PID 908
105⤵ \??\c:\rllxllf.exe | c:\rllxllf.exe | PID 560
106⤵ \??\c:\604286.exe | c:\604286.exe | PID 1672
107⤵ \??\c:\jpvdd.exe | c:\jpvdd.exe | PID 1536
108⤵ \??\c:\vppvp.exe | c:\vppvp.exe | PID 3004
109⤵ \??\c:\pddpj.exe | c:\pddpj.exe | PID 2432
110⤵ \??\c:\o820242.exe | c:\o820242.exe | PID 696
111⤵ \??\c:\hnnbtn.exe | c:\hnnbtn.exe | PID 2284
112⤵ \??\c:\680802.exe | c:\680802.exe | PID 1756
113⤵ \??\c:\c664242.exe | c:\c664242.exe | PID 1736
114⤵ \??\c:\hnhthb.exe | c:\hnhthb.exe | PID 2956
115⤵ \??\c:\0624482.exe | c:\0624482.exe | PID 1396
116⤵ \??\c:\bhhhhb.exe | c:\bhhhhb.exe | PID 2524
117⤵ \??\c:\286400.exe | c:\286400.exe | PID 1600
118⤵ \??\c:\frxflfl.exe | c:\frxflfl.exe | PID 1148
119⤵ \??\c:\0248488.exe | c:\0248488.exe | PID 1596
120⤵ \??\c:\hnhtnb.exe | c:\hnhtnb.exe | PID 3036
121⤵ \??\c:\tbbbbn.exe | c:\tbbbbn.exe | PID 2828
122⤵ \??\c:\7fllxlr.exe | c:\7fllxlr.exe | PID 2812