Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
- submitted: 19/12/2024, 10:36
Static task: static1
Behavioral task: behavioral1
- Sample: 18092830742bb1ad4cb10e8a711b545d10c3736790c2548d5f8625c02b6984e5.exe
- Resource: win7-20240708-en
General
- Target: 18092830742bb1ad4cb10e8a711b545d10c3736790c2548d5f8625c02b6984e5.exe
- Size: 456KB
- MD5: 918d744d88bbe0f870f02a270f9a45aa
- SHA1: e8a0a79d9ecaa01e56032fb1b827108cd6a0b32d
- SHA256: 18092830742bb1ad4cb10e8a711b545d10c3736790c2548d5f8625c02b6984e5
- SHA512: f6bec7fd3459d6bee304cf16b1c9cc6bae5de1733a5c033e4276f845a79adb75926beac5b12e9ab1bd4f909303c6426c27ccafcf6c054ec33bbdaa1555981c39
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRS:q7Tc2NYHUrAwfMp3CDRS
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (38 IoCs)
  resource | yara_rule
  behavioral1/memory/656-7-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2704-16-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2824-25-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2584-43-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2724-53-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/3040-65-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2588-62-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2924-71-0x00000000003C0000-0x00000000003EA000-memory.dmp | family_blackmoon
  behavioral1/memory/3040-73-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
  behavioral1/memory/2540-101-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2796-128-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/972-140-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/1372-158-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2352-170-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2064-187-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/1260-198-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2064-195-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/1856-184-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/1792-213-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2984-218-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
  behavioral1/memory/2984-225-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/996-233-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2528-242-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2988-254-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2520-271-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/304-281-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/1724-301-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2480-310-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2824-330-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2580-344-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/1064-467-0x00000000003C0000-0x00000000003EA000-memory.dmp | family_blackmoon
  behavioral1/memory/1880-481-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/1648-494-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2328-549-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2700-588-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/1660-593-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/2836-615-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral1/memory/1932-675-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
- Executes dropped EXE (64 IoCs)
  pid | Process
  2704 | 820006.exe
  2824 | 482282.exe
  2924 | m2048.exe
  2584 | jjdjv.exe
  2724 | 008068.exe
  2588 | 64606.exe
  3040 | m4280.exe
  264 | 424068.exe
  1076 | 3bnhnt.exe
  2540 | dpjjp.exe
  2008 | 42462.exe
  2280 | rlxfrlf.exe
  2796 | lxxxflx.exe
  2660 | 4862406.exe
  972 | lfxxllf.exe
  740 | 4868844.exe
  1372 | btnttt.exe
  2352 | pjvdv.exe
  1856 | tnbbbb.exe
  2064 | llffrrl.exe
  1260 | vvpvp.exe
  1792 | 486688.exe
  2984 | ffrxlxl.exe
  996 | ddvvd.exe
  2528 | 6220866.exe
  1888 | 2684068.exe
  2988 | bhbnbb.exe
  2520 | u428468.exe
  304 | 0040680.exe
  556 | k20026.exe
  1724 | 602844.exe
  2480 | 60448.exe
  1572 | ffxrxfr.exe
  2688 | 04060.exe
  2824 | rrlrrfl.exe
  2800 | vvvvd.exe
  2580 | 220828.exe
  1864 | 6626044.exe
  2604 | 9xrrxrx.exe
  2588 | rrlfrxr.exe
  2636 | jdjdj.exe
  316 | e00202.exe
  1712 | 7fxxflf.exe
  1408 | 0084660.exe
  1036 | 5xxrfrl.exe
  844 | 2008288.exe
  2240 | e46688.exe
  1616 | 82402.exe
  2880 | 848226.exe
  2900 | rllxrrl.exe
  572 | 26080.exe
  1064 | 86406.exe
  1868 | 086240.exe
  2124 | jjvjv.exe
  2396 | 2268402.exe
  2432 | 26884.exe
  1908 | bttnth.exe
  1880 | c046404.exe
  1648 | 88486.exe
  540 | 08628.exe
  1592 | nnhnbt.exe
  1680 | llxfrff.exe
  1436 | 48228.exe
  2324 | 9jdjv.exe
- Yara rule matches (upx)
  resource | yara_rule
  behavioral1/memory/656-7-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2704-16-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2824-25-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2584-43-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2588-54-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2724-53-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/3040-65-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2588-62-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/264-75-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/1076-90-0x0000000001C80000-0x0000000001CAA000-memory.dmp | upx
  behavioral1/memory/2540-101-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2008-103-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2796-128-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/972-140-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/1372-158-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2352-170-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2064-187-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/1260-198-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2064-195-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/1856-184-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/1792-213-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2984-225-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/996-233-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/1888-244-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2528-242-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2988-254-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2520-271-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/304-281-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/1724-291-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2480-302-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/1724-301-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2480-310-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2800-331-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2824-330-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2580-344-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2588-357-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/844-398-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2240-405-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2880-420-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2396-460-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/1880-481-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/1648-494-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2324-519-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2328-549-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2700-588-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/1660-589-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/1660-593-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2792-613-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2836-615-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/2604-641-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/1868-737-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral1/memory/1260-768-0x0000000000400000-0x000000000042A000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 48228.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lfxfxrr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8644624.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rxfrrll.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ttthnt.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9jvvp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xrxrffx.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5tbbht.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 26680.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5dppd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jpjpv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 602862.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 656 wrote to memory of 2704 | 656 | 18092830742bb1ad4cb10e8a711b545d10c3736790c2548d5f8625c02b6984e5.exe | 30
  PID 656 wrote to memory of 2704 | 656 | 18092830742bb1ad4cb10e8a711b545d10c3736790c2548d5f8625c02b6984e5.exe | 30
  PID 656 wrote to memory of 2704 | 656 | 18092830742bb1ad4cb10e8a711b545d10c3736790c2548d5f8625c02b6984e5.exe | 30
  PID 656 wrote to memory of 2704 | 656 | 18092830742bb1ad4cb10e8a711b545d10c3736790c2548d5f8625c02b6984e5.exe | 30
  PID 2704 wrote to memory of 2824 | 2704 | 820006.exe | 31
  PID 2704 wrote to memory of 2824 | 2704 | 820006.exe | 31
  PID 2704 wrote to memory of 2824 | 2704 | 820006.exe | 31
  PID 2704 wrote to memory of 2824 | 2704 | 820006.exe | 31
  PID 2824 wrote to memory of 2924 | 2824 | 482282.exe | 32
  PID 2824 wrote to memory of 2924 | 2824 | 482282.exe | 32
  PID 2824 wrote to memory of 2924 | 2824 | 482282.exe | 32
  PID 2824 wrote to memory of 2924 | 2824 | 482282.exe | 32
  PID 2924 wrote to memory of 2584 | 2924 | m2048.exe | 33
  PID 2924 wrote to memory of 2584 | 2924 | m2048.exe | 33
  PID 2924 wrote to memory of 2584 | 2924 | m2048.exe | 33
  PID 2924 wrote to memory of 2584 | 2924 | m2048.exe | 33
  PID 2584 wrote to memory of 2724 | 2584 | jjdjv.exe | 34
  PID 2584 wrote to memory of 2724 | 2584 | jjdjv.exe | 34
  PID 2584 wrote to memory of 2724 | 2584 | jjdjv.exe | 34
  PID 2584 wrote to memory of 2724 | 2584 | jjdjv.exe | 34
  PID 2724 wrote to memory of 2588 | 2724 | 008068.exe | 35
  PID 2724 wrote to memory of 2588 | 2724 | 008068.exe | 35
  PID 2724 wrote to memory of 2588 | 2724 | 008068.exe | 35
  PID 2724 wrote to memory of 2588 | 2724 | 008068.exe | 35
  PID 2588 wrote to memory of 3040 | 2588 | 64606.exe | 36
  PID 2588 wrote to memory of 3040 | 2588 | 64606.exe | 36
  PID 2588 wrote to memory of 3040 | 2588 | 64606.exe | 36
  PID 2588 wrote to memory of 3040 | 2588 | 64606.exe | 36
  PID 3040 wrote to memory of 264 | 3040 | m4280.exe | 37
  PID 3040 wrote to memory of 264 | 3040 | m4280.exe | 37
  PID 3040 wrote to memory of 264 | 3040 | m4280.exe | 37
  PID 3040 wrote to memory of 264 | 3040 | m4280.exe | 37
  PID 264 wrote to memory of 1076 | 264 | 424068.exe | 38
  PID 264 wrote to memory of 1076 | 264 | 424068.exe | 38
  PID 264 wrote to memory of 1076 | 264 | 424068.exe | 38
  PID 264 wrote to memory of 1076 | 264 | 424068.exe | 38
  PID 1076 wrote to memory of 2540 | 1076 | 3bnhnt.exe | 39
  PID 1076 wrote to memory of 2540 | 1076 | 3bnhnt.exe | 39
  PID 1076 wrote to memory of 2540 | 1076 | 3bnhnt.exe | 39
  PID 1076 wrote to memory of 2540 | 1076 | 3bnhnt.exe | 39
  PID 2540 wrote to memory of 2008 | 2540 | dpjjp.exe | 40
  PID 2540 wrote to memory of 2008 | 2540 | dpjjp.exe | 40
  PID 2540 wrote to memory of 2008 | 2540 | dpjjp.exe | 40
  PID 2540 wrote to memory of 2008 | 2540 | dpjjp.exe | 40
  PID 2008 wrote to memory of 2280 | 2008 | 42462.exe | 41
  PID 2008 wrote to memory of 2280 | 2008 | 42462.exe | 41
  PID 2008 wrote to memory of 2280 | 2008 | 42462.exe | 41
  PID 2008 wrote to memory of 2280 | 2008 | 42462.exe | 41
  PID 2280 wrote to memory of 2796 | 2280 | rlxfrlf.exe | 42
  PID 2280 wrote to memory of 2796 | 2280 | rlxfrlf.exe | 42
  PID 2280 wrote to memory of 2796 | 2280 | rlxfrlf.exe | 42
  PID 2280 wrote to memory of 2796 | 2280 | rlxfrlf.exe | 42
  PID 2796 wrote to memory of 2660 | 2796 | lxxxflx.exe | 43
  PID 2796 wrote to memory of 2660 | 2796 | lxxxflx.exe | 43
  PID 2796 wrote to memory of 2660 | 2796 | lxxxflx.exe | 43
  PID 2796 wrote to memory of 2660 | 2796 | lxxxflx.exe | 43
  PID 2660 wrote to memory of 972 | 2660 | 4862406.exe | 44
  PID 2660 wrote to memory of 972 | 2660 | 4862406.exe | 44
  PID 2660 wrote to memory of 972 | 2660 | 4862406.exe | 44
  PID 2660 wrote to memory of 972 | 2660 | 4862406.exe | 44
  PID 972 wrote to memory of 740 | 972 | lfxxllf.exe | 45
  PID 972 wrote to memory of 740 | 972 | lfxxllf.exe | 45
  PID 972 wrote to memory of 740 | 972 | lfxxllf.exe | 45
  PID 972 wrote to memory of 740 | 972 | lfxxllf.exe | 45
Processes
path | command line | PID
1. C:\Users\Admin\AppData\Local\Temp\18092830742bb1ad4cb10e8a711b545d10c3736790c2548d5f8625c02b6984e5.exe | "C:\Users\Admin\AppData\Local\Temp\18092830742bb1ad4cb10e8a711b545d10c3736790c2548d5f8625c02b6984e5.exe" | PID 656
   - Suspicious use of WriteProcessMemory
2. \??\c:\820006.exe | c:\820006.exe | PID 2704
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. \??\c:\482282.exe | c:\482282.exe | PID 2824
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. \??\c:\m2048.exe | c:\m2048.exe | PID 2924
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. \??\c:\jjdjv.exe | c:\jjdjv.exe | PID 2584
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. \??\c:\008068.exe | c:\008068.exe | PID 2724
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. \??\c:\64606.exe | c:\64606.exe | PID 2588
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. \??\c:\m4280.exe | c:\m4280.exe | PID 3040
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. \??\c:\424068.exe | c:\424068.exe | PID 264
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. \??\c:\3bnhnt.exe | c:\3bnhnt.exe | PID 1076
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. \??\c:\dpjjp.exe | c:\dpjjp.exe | PID 2540
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. \??\c:\42462.exe | c:\42462.exe | PID 2008
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. \??\c:\rlxfrlf.exe | c:\rlxfrlf.exe | PID 2280
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. \??\c:\lxxxflx.exe | c:\lxxxflx.exe | PID 2796
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. \??\c:\4862406.exe | c:\4862406.exe | PID 2660
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. \??\c:\lfxxllf.exe | c:\lfxxllf.exe | PID 972
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. \??\c:\4868844.exe | c:\4868844.exe | PID 740
   - Executes dropped EXE
18. \??\c:\btnttt.exe | c:\btnttt.exe | PID 1372
   - Executes dropped EXE
19. \??\c:\pjvdv.exe | c:\pjvdv.exe | PID 2352
   - Executes dropped EXE
20. \??\c:\tnbbbb.exe | c:\tnbbbb.exe | PID 1856
   - Executes dropped EXE
21. \??\c:\llffrrl.exe | c:\llffrrl.exe | PID 2064
   - Executes dropped EXE
22. \??\c:\vvpvp.exe | c:\vvpvp.exe | PID 1260
   - Executes dropped EXE
23. \??\c:\486688.exe | c:\486688.exe | PID 1792
   - Executes dropped EXE
24. \??\c:\ffrxlxl.exe | c:\ffrxlxl.exe | PID 2984
   - Executes dropped EXE
25. \??\c:\ddvvd.exe | c:\ddvvd.exe | PID 996
   - Executes dropped EXE
26. \??\c:\6220866.exe | c:\6220866.exe | PID 2528
   - Executes dropped EXE
27. \??\c:\2684068.exe | c:\2684068.exe | PID 1888
   - Executes dropped EXE
28. \??\c:\bhbnbb.exe | c:\bhbnbb.exe | PID 2988
   - Executes dropped EXE
29. \??\c:\u428468.exe | c:\u428468.exe | PID 2520
   - Executes dropped EXE
30. \??\c:\0040680.exe | c:\0040680.exe | PID 304
   - Executes dropped EXE
31. \??\c:\k20026.exe | c:\k20026.exe | PID 556
   - Executes dropped EXE
32. \??\c:\602844.exe | c:\602844.exe | PID 1724
   - Executes dropped EXE
33. \??\c:\60448.exe | c:\60448.exe | PID 2480
   - Executes dropped EXE
34. \??\c:\ffxrxfr.exe | c:\ffxrxfr.exe | PID 1572
   - Executes dropped EXE
35. \??\c:\04060.exe | c:\04060.exe | PID 2688
   - Executes dropped EXE
36. \??\c:\rrlrrfl.exe | c:\rrlrrfl.exe | PID 2824
   - Executes dropped EXE
37. \??\c:\vvvvd.exe | c:\vvvvd.exe | PID 2800
   - Executes dropped EXE
38. \??\c:\220828.exe | c:\220828.exe | PID 2580
   - Executes dropped EXE
39. \??\c:\6626044.exe | c:\6626044.exe | PID 1864
   - Executes dropped EXE
40. \??\c:\9xrrxrx.exe | c:\9xrrxrx.exe | PID 2604
   - Executes dropped EXE
41. \??\c:\rrlfrxr.exe | c:\rrlfrxr.exe | PID 2588
   - Executes dropped EXE
42. \??\c:\jdjdj.exe | c:\jdjdj.exe | PID 2636
   - Executes dropped EXE
43. \??\c:\e00202.exe | c:\e00202.exe | PID 316
   - Executes dropped EXE
44. \??\c:\7fxxflf.exe | c:\7fxxflf.exe | PID 1712
   - Executes dropped EXE
45. \??\c:\0084660.exe | c:\0084660.exe | PID 1408
   - Executes dropped EXE
46. \??\c:\5xxrfrl.exe | c:\5xxrfrl.exe | PID 1036
   - Executes dropped EXE
47. \??\c:\2008288.exe | c:\2008288.exe | PID 844
   - Executes dropped EXE
48. \??\c:\e46688.exe | c:\e46688.exe | PID 2240
   - Executes dropped EXE
49. \??\c:\82402.exe | c:\82402.exe | PID 1616
   - Executes dropped EXE
50. \??\c:\848226.exe | c:\848226.exe | PID 2880
   - Executes dropped EXE
51. \??\c:\rllxrrl.exe | c:\rllxrrl.exe | PID 2900
   - Executes dropped EXE
52. \??\c:\26080.exe | c:\26080.exe | PID 572
   - Executes dropped EXE
53. \??\c:\86406.exe | c:\86406.exe | PID 1064
   - Executes dropped EXE
54. \??\c:\086240.exe | c:\086240.exe | PID 1868
   - Executes dropped EXE
55. \??\c:\jjvjv.exe | c:\jjvjv.exe | PID 2124
   - Executes dropped EXE
56. \??\c:\2268402.exe | c:\2268402.exe | PID 2396
   - Executes dropped EXE
57. \??\c:\26884.exe | c:\26884.exe | PID 2432
   - Executes dropped EXE
58. \??\c:\bttnth.exe | c:\bttnth.exe | PID 1908
   - Executes dropped EXE
59. \??\c:\c046404.exe | c:\c046404.exe | PID 1880
   - Executes dropped EXE
60. \??\c:\88486.exe | c:\88486.exe | PID 1648
   - Executes dropped EXE
61. \??\c:\08628.exe | c:\08628.exe | PID 540
   - Executes dropped EXE
62. \??\c:\nnhnbt.exe | c:\nnhnbt.exe | PID 1592
   - Executes dropped EXE
63. \??\c:\llxfrff.exe | c:\llxfrff.exe | PID 1680
   - Executes dropped EXE
64. \??\c:\48228.exe | c:\48228.exe | PID 1436
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
65. \??\c:\9jdjv.exe | c:\9jdjv.exe | PID 2324
   - Executes dropped EXE
66. \??\c:\2084628.exe | c:\2084628.exe | PID 1504
67. \??\c:\s2066.exe | c:\s2066.exe | PID 1336
68. \??\c:\202800.exe | c:\202800.exe | PID 2328
69. \??\c:\60840.exe | c:\60840.exe | PID 812
70. \??\c:\602422.exe | c:\602422.exe | PID 2488
71. \??\c:\pvjpv.exe | c:\pvjpv.exe | PID 2312
72. \??\c:\5xlfllr.exe | c:\5xlfllr.exe | PID 2320
73. \??\c:\828844.exe | c:\828844.exe | PID 868
74. \??\c:\bbthtb.exe | c:\bbthtb.exe | PID 2700
75. \??\c:\nnnthn.exe | c:\nnnthn.exe | PID 1660
76. \??\c:\ddvdj.exe | c:\ddvdj.exe | PID 1580
77. \??\c:\660240.exe | c:\660240.exe | PID 2808
78. \??\c:\rlxxllr.exe | c:\rlxxllr.exe | PID 2836
79. \??\c:\7thhbb.exe | c:\7thhbb.exe | PID 2792
80. \??\c:\7lllfrr.exe | c:\7lllfrr.exe | PID 2756
81. \??\c:\2022486.exe | c:\2022486.exe | PID 2148
82. \??\c:\3pdjv.exe | c:\3pdjv.exe | PID 2608
83. \??\c:\4022086.exe | c:\4022086.exe | PID 2604
84. \??\c:\rxrfxlf.exe | c:\rxrfxlf.exe | PID 1932
85. \??\c:\i640280.exe | c:\i640280.exe | PID 2636
86. \??\c:\lffrrxl.exe | c:\lffrrxl.exe | PID 316
87. \??\c:\486806.exe | c:\486806.exe | PID 1712
88. \??\c:\btnbnt.exe | c:\btnbnt.exe | PID 1928
89. \??\c:\xxfxffr.exe | c:\xxfxffr.exe | PID 2500
90. \??\c:\4020604.exe | c:\4020604.exe | PID 844
91. \??\c:\1lflrrf.exe | c:\1lflrrf.exe | PID 1696
92. \??\c:\o428008.exe | c:\o428008.exe | PID 2204
93. \??\c:\3rlxfrx.exe | c:\3rlxfrx.exe | PID 2544
94. \??\c:\tnbnbb.exe | c:\tnbnbb.exe | PID 2628
95. \??\c:\jdjjv.exe | c:\jdjjv.exe | PID 2996
96. \??\c:\jdpjd.exe | c:\jdpjd.exe | PID 2440
97. \??\c:\rlxrxfr.exe | c:\rlxrxfr.exe | PID 1588
98. \??\c:\s8246.exe | c:\s8246.exe | PID 1868
99. \??\c:\3jjdp.exe | c:\3jjdp.exe | PID 2384
100. \??\c:\2206802.exe | c:\2206802.exe | PID 1968
101. \??\c:\66068.exe | c:\66068.exe | PID 1856
102. \??\c:\ffxfrxr.exe | c:\ffxfrxr.exe | PID 1908
103. \??\c:\7tnbhn.exe | c:\7tnbhn.exe | PID 1260
104. \??\c:\5dppd.exe | c:\5dppd.exe | PID 596
   - System Location Discovery: System Language Discovery
105. \??\c:\04246.exe | c:\04246.exe | PID 540
106. \??\c:\9rxlxxl.exe | c:\9rxlxxl.exe | PID 2452
107. \??\c:\9pppj.exe | c:\9pppj.exe | PID 1736
108. \??\c:\xrllrxl.exe | c:\xrllrxl.exe | PID 1436
109. \??\c:\80880.exe | c:\80880.exe | PID 2024
110. \??\c:\4464608.exe | c:\4464608.exe | PID 2972
111. \??\c:\9btnbh.exe | c:\9btnbh.exe | PID 1632
112. \??\c:\488424.exe | c:\488424.exe | PID 2084
113. \??\c:\1rflrff.exe | c:\1rflrff.exe | PID 1272
114. \??\c:\llfrflx.exe | c:\llfrflx.exe | PID 2304
115. \??\c:\dpjjj.exe | c:\dpjjj.exe | PID 2224
116. \??\c:\4264826.exe | c:\4264826.exe | PID 1132
117. \??\c:\6406844.exe | c:\6406844.exe | PID 1072
118. \??\c:\u602086.exe | c:\u602086.exe | PID 2096
119. \??\c:\jdvpv.exe | c:\jdvpv.exe | PID 2704
120. \??\c:\jdpvd.exe | c:\jdpvd.exe | PID 1572
121. \??\c:\u468446.exe | c:\u468446.exe | PID 1580
122. \??\c:\vvjpj.exe | c:\vvjpj.exe | PID 2788