Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2024, 22:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: 979f5a317d2e59c715eb3475923e76ad596bcc5dde31f1294a57fca1e3a96d7fN.exe
- Resource: win7-20241010-en
General
- Target: 979f5a317d2e59c715eb3475923e76ad596bcc5dde31f1294a57fca1e3a96d7fN.exe
- Size: 454KB
- MD5: 1f8ebb5f32dba39b5d2fd24f1fa1b6f0
- SHA1: 857eaabab23326f1dd9db4f84a0716db7d23215e
- SHA256: 979f5a317d2e59c715eb3475923e76ad596bcc5dde31f1294a57fca1e3a96d7f
- SHA512: be083541a8b123c38ecca5de2e9b73bae1c91cbee28368ed8979848216e209ed9eed187ae596fe22ea045cc66d02268357245f20d7c6973df66131a0ba183e17
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (44 IoCs)
- Executes dropped EXE (64 IoCs)
- upx (yara_rule) memory-dump matches: list omitted
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\979f5a317d2e59c715eb3475923e76ad596bcc5dde31f1294a57fca1e3a96d7fN.exe (command line "C:\Users\Admin\AppData\Local\Temp\979f5a317d2e59c715eb3475923e76ad596bcc5dde31f1294a57fca1e3a96d7fN.exe", level 1, PID 2944)
- Suspicious use of WriteProcessMemory
\??\c:\pjdjv.exe (command line c:\pjdjv.exe, level 2, PID 3004)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\dpppd.exe (command line c:\dpppd.exe, level 3, PID 2852)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\xrfxllr.exe (command line c:\xrfxllr.exe, level 4, PID 1916)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\4688484.exe (command line c:\4688484.exe, level 5, PID 2140)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\ntbtnh.exe (command line c:\ntbtnh.exe, level 6, PID 2764)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\0866266.exe (command line c:\0866266.exe, level 7, PID 1648)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\26840.exe (command line c:\26840.exe, level 8, PID 480)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\rxfffxx.exe (command line c:\rxfffxx.exe, level 9, PID 1688)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\0468062.exe (command line c:\0468062.exe, level 10, PID 836)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\0282266.exe (command line c:\0282266.exe, level 11, PID 2404)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\jddjd.exe (command line c:\jddjd.exe, level 12, PID 1808)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\7nbttn.exe (command line c:\7nbttn.exe, level 13, PID 2916)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\7xrrllf.exe (command line c:\7xrrllf.exe, level 14, PID 3060)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\k80048.exe (command line c:\k80048.exe, level 15, PID 2928)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\hbtttt.exe (command line c:\hbtttt.exe, level 16, PID 2876)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
\??\c:\frlflfl.exe (command line c:\frlflfl.exe, level 17, PID 1800)
- Executes dropped EXE
\??\c:\9dvjd.exe (command line c:\9dvjd.exe, level 18, PID 1988)
- Executes dropped EXE
\??\c:\68488.exe (command line c:\68488.exe, level 19, PID 2180)
- Executes dropped EXE
\??\c:\u848884.exe (command line c:\u848884.exe, level 20, PID 808)
- Executes dropped EXE
\??\c:\i084428.exe (command line c:\i084428.exe, level 21, PID 2260)
- Executes dropped EXE
\??\c:\a8068.exe (command line c:\a8068.exe, level 22, PID 348)
- Executes dropped EXE
\??\c:\a8662.exe (command line c:\a8662.exe, level 23, PID 840)
- Executes dropped EXE
\??\c:\tnhttt.exe (command line c:\tnhttt.exe, level 24, PID 1948)
- Executes dropped EXE
\??\c:\u666608.exe (command line c:\u666608.exe, level 25, PID 1524)
- Executes dropped EXE
\??\c:\bbntnn.exe (command line c:\bbntnn.exe, level 26, PID 2208)
- Executes dropped EXE
\??\c:\868882.exe (command line c:\868882.exe, level 27, PID 1036)
- Executes dropped EXE
\??\c:\9jdpd.exe (command line c:\9jdpd.exe, level 28, PID 1604)
- Executes dropped EXE
\??\c:\64262.exe (command line c:\64262.exe, level 29, PID 1700)
- Executes dropped EXE
\??\c:\ppjvd.exe (command line c:\ppjvd.exe, level 30, PID 1788)
- Executes dropped EXE
\??\c:\1jvdd.exe (command line c:\1jvdd.exe, level 31, PID 1848)
- Executes dropped EXE
\??\c:\tbthnb.exe (command line c:\tbthnb.exe, level 32, PID 1820)
- Executes dropped EXE
\??\c:\e80666.exe (command line c:\e80666.exe, level 33, PID 1584)
- Executes dropped EXE
\??\c:\420684.exe (command line c:\420684.exe, level 34, PID 1372)
- Executes dropped EXE
\??\c:\xxflrfr.exe (command line c:\xxflrfr.exe, level 35, PID 2728)
- Executes dropped EXE
\??\c:\604022.exe (command line c:\604022.exe, level 36, PID 2828)
- Executes dropped EXE
\??\c:\0428480.exe (command line c:\0428480.exe, level 37, PID 2692)
- Executes dropped EXE
\??\c:\pddjv.exe (command line c:\pddjv.exe, level 38, PID 2864)
- Executes dropped EXE
\??\c:\lfxfllr.exe (command line c:\lfxfllr.exe, level 39, PID 1920)
- Executes dropped EXE
\??\c:\646200.exe (command line c:\646200.exe, level 40, PID 2620)
- Executes dropped EXE
\??\c:\k86666.exe (command line c:\k86666.exe, level 41, PID 796)
- Executes dropped EXE
\??\c:\9xrxxlr.exe (command line c:\9xrxxlr.exe, level 42, PID 776)
- Executes dropped EXE
\??\c:\64224.exe (command line c:\64224.exe, level 43, PID 2152)
- Executes dropped EXE
\??\c:\820688.exe (command line c:\820688.exe, level 44, PID 1704)
- Executes dropped EXE
\??\c:\frxfflr.exe (command line c:\frxfflr.exe, level 45, PID 2400)
- Executes dropped EXE
\??\c:\nnnbhn.exe (command line c:\nnnbhn.exe, level 46, PID 1296)
- Executes dropped EXE
\??\c:\66468.exe (command line c:\66468.exe, level 47, PID 3064)
- Executes dropped EXE
\??\c:\9lxxxfl.exe (command line c:\9lxxxfl.exe, level 48, PID 2908)
- Executes dropped EXE
\??\c:\q08400.exe (command line c:\q08400.exe, level 49, PID 3052)
- Executes dropped EXE
\??\c:\jdjpd.exe (command line c:\jdjpd.exe, level 50, PID 2300)
- Executes dropped EXE
\??\c:\4206880.exe (command line c:\4206880.exe, level 51, PID 2896)
- Executes dropped EXE
\??\c:\004084.exe (command line c:\004084.exe, level 52, PID 2636)
- Executes dropped EXE
\??\c:\48028.exe (command line c:\48028.exe, level 53, PID 1564)
- Executes dropped EXE
\??\c:\pvjvd.exe (command line c:\pvjvd.exe, level 54, PID 668)
- Executes dropped EXE
\??\c:\22668.exe (command line c:\22668.exe, level 55, PID 1800)
- Executes dropped EXE
\??\c:\200066.exe (command line c:\200066.exe, level 56, PID 2256)
- Executes dropped EXE
\??\c:\486240.exe (command line c:\486240.exe, level 57, PID 1768)
- Executes dropped EXE
\??\c:\btttnh.exe (command line c:\btttnh.exe, level 58, PID 2136)
- Executes dropped EXE
\??\c:\884460.exe (command line c:\884460.exe, level 59, PID 2476)
- Executes dropped EXE
\??\c:\e82804.exe (command line c:\e82804.exe, level 60, PID 1612)
- Executes dropped EXE
\??\c:\o022824.exe (command line c:\o022824.exe, level 61, PID 1640)
- Executes dropped EXE
\??\c:\m0802.exe (command line c:\m0802.exe, level 62, PID 300)
- Executes dropped EXE
\??\c:\q02800.exe (command line c:\q02800.exe, level 63, PID 1676)
- Executes dropped EXE
\??\c:\5xrlxfl.exe (command line c:\5xrlxfl.exe, level 64, PID 1744)
- Executes dropped EXE
\??\c:\xxrxxfl.exe (command line c:\xxrxxfl.exe, level 65, PID 1284)
- Executes dropped EXE
\??\c:\vjpdp.exe (command line c:\vjpdp.exe, level 66, PID 960)
\??\c:\pjppj.exe (command line c:\pjppj.exe, level 67, PID 1892)
\??\c:\pjdjp.exe (command line c:\pjdjp.exe, level 68, PID 1048)
\??\c:\824006.exe (command line c:\824006.exe, level 69, PID 2516)
\??\c:\k26800.exe (command line c:\k26800.exe, level 70, PID 1720)
\??\c:\5vdvv.exe (command line c:\5vdvv.exe, level 71, PID 1388)
\??\c:\604628.exe (command line c:\604628.exe, level 72, PID 988)
\??\c:\6046446.exe (command line c:\6046446.exe, level 73, PID 2588)
\??\c:\fffrrrx.exe (command line c:\fffrrrx.exe, level 74, PID 1580)
\??\c:\1rrxlrx.exe (command line c:\1rrxlrx.exe, level 75, PID 1820)
\??\c:\ddppp.exe (command line c:\ddppp.exe, level 76, PID 2824)
\??\c:\608028.exe (command line c:\608028.exe, level 77, PID 3016)
\??\c:\fxrrfxx.exe (command line c:\fxrrfxx.exe, level 78, PID 3068)
\??\c:\826066.exe (command line c:\826066.exe, level 79, PID 2852)
\??\c:\26884.exe (command line c:\26884.exe, level 80, PID 2704)
\??\c:\pvvjd.exe (command line c:\pvvjd.exe, level 81, PID 2712)
\??\c:\dvpvd.exe (command line c:\dvpvd.exe, level 82, PID 2764)
\??\c:\nnhtnt.exe (command line c:\nnhtnt.exe, level 83, PID 2556)
\??\c:\82468.exe (command line c:\82468.exe, level 84, PID 592)
\??\c:\64846.exe (command line c:\64846.exe, level 85, PID 1476)
\??\c:\a6406.exe (command line c:\a6406.exe, level 86, PID 1856)
\??\c:\5hntth.exe (command line c:\5hntth.exe, level 87, PID 2080)
\??\c:\ddddp.exe (command line c:\ddddp.exe, level 88, PID 836)
\??\c:\djvpp.exe (command line c:\djvpp.exe, level 89, PID 2848)
- System Location Discovery: System Language Discovery
\??\c:\82068.exe (command line c:\82068.exe, level 90, PID 2672)
- System Location Discovery: System Language Discovery
\??\c:\9rxxrxf.exe (command line c:\9rxxrxf.exe, level 91, PID 2156)
\??\c:\tbnbnh.exe (command line c:\tbnbnh.exe, level 92, PID 2528)
\??\c:\i044064.exe (command line c:\i044064.exe, level 93, PID 3048)
\??\c:\rrflrfr.exe (command line c:\rrflrfr.exe, level 94, PID 2788)
\??\c:\tnbhnb.exe (command line c:\tnbhnb.exe, level 95, PID 3020)
\??\c:\o640228.exe (command line c:\o640228.exe, level 96, PID 1724)
\??\c:\04842.exe (command line c:\04842.exe, level 97, PID 880)
\??\c:\q06844.exe (command line c:\q06844.exe, level 98, PID 1456)
\??\c:\vpjdj.exe (command line c:\vpjdj.exe, level 99, PID 2196)
\??\c:\fxxxxxf.exe (command line c:\fxxxxxf.exe, level 100, PID 2180)
\??\c:\djdvd.exe (command line c:\djdvd.exe, level 101, PID 2204)
\??\c:\thhhnt.exe (command line c:\thhhnt.exe, level 102, PID 2072)
\??\c:\3pjjp.exe (command line c:\3pjjp.exe, level 103, PID 1080)
\??\c:\9rfflfr.exe (command line c:\9rfflfr.exe, level 104, PID 2668)
\??\c:\hbbnbn.exe (command line c:\hbbnbn.exe, level 105, PID 1144)
\??\c:\lfrflrl.exe (command line c:\lfrflrl.exe, level 106, PID 300)
\??\c:\1vjdd.exe (command line c:\1vjdd.exe, level 107, PID 1520)
\??\c:\frxxxrr.exe (command line c:\frxxxrr.exe, level 108, PID 1780)
\??\c:\9lfxrrr.exe (command line c:\9lfxrrr.exe, level 109, PID 1028)
\??\c:\a8068.exe (command line c:\a8068.exe, level 110, PID 2612)
\??\c:\68066.exe (command line c:\68066.exe, level 111, PID 1692)
\??\c:\a4000.exe (command line c:\a4000.exe, level 112, PID 2408)
\??\c:\tthntn.exe (command line c:\tthntn.exe, level 113, PID 1764)
\??\c:\nnntbh.exe (command line c:\nnntbh.exe, level 114, PID 1720)
\??\c:\lfllfxf.exe (command line c:\lfllfxf.exe, level 115, PID 2584)
\??\c:\246666.exe (command line c:\246666.exe, level 116, PID 1952)
\??\c:\tntnnn.exe (command line c:\tntnnn.exe, level 117, PID 1872)
\??\c:\264688.exe (command line c:\264688.exe, level 118, PID 2984)
\??\c:\k06660.exe (command line c:\k06660.exe, level 119, PID 2416)
\??\c:\9djjj.exe (command line c:\9djjj.exe, level 120, PID 2892)
\??\c:\424048.exe (command line c:\424048.exe, level 121, PID 3016)
\??\c:\9vjpd.exe (command line c:\9vjpd.exe, level 122, PID 2696)