Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2024, 15:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: 95ab65738cf93b1e6fc48032c8909e463551101b0e91bf135bce2ff5270b7dcb.exe
- Resource: win7-20240708-en
General
- Target: 95ab65738cf93b1e6fc48032c8909e463551101b0e91bf135bce2ff5270b7dcb.exe
- Size: 453KB
- MD5: ce63ad30c4fc21683f52c105f311b457
- SHA1: 0e2ba74fcb74ef12a42dacf42cf3f648542414d9
- SHA256: 95ab65738cf93b1e6fc48032c8909e463551101b0e91bf135bce2ff5270b7dcb
- SHA512: 2fc35c04f97e41cf7fa421ce9f1003daf74dd465318da4d8339268ffdbdfce3fcc0373d892977374f320307eba8f4d7c408a9ae698dceedf1447ac1800bd3d37
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbev:q7Tc2NYHUrAwfMp3CDv
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (42 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry gives the depth in the process tree, the image path, the command line, the PID and the signatures that fired for that process.
1  C:\Users\Admin\AppData\Local\Temp\95ab65738cf93b1e6fc48032c8909e463551101b0e91bf135bce2ff5270b7dcb.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\95ab65738cf93b1e6fc48032c8909e463551101b0e91bf135bce2ff5270b7dcb.exe"  PID 2668  [Suspicious use of WriteProcessMemory]
2  \??\c:\66408.exe  cmd: c:\66408.exe  PID 2708  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3  \??\c:\086288.exe  cmd: c:\086288.exe  PID 2764  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4  \??\c:\820244.exe  cmd: c:\820244.exe  PID 2836  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5  \??\c:\vpjvd.exe  cmd: c:\vpjvd.exe  PID 2832  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6  \??\c:\ddpvj.exe  cmd: c:\ddpvj.exe  PID 1864  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7  \??\c:\pppdp.exe  cmd: c:\pppdp.exe  PID 2636  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8  \??\c:\40480.exe  cmd: c:\40480.exe  PID 3036  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9  \??\c:\868848.exe  cmd: c:\868848.exe  PID 316  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10  \??\c:\hbthth.exe  cmd: c:\hbthth.exe  PID 1984  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11  \??\c:\04668.exe  cmd: c:\04668.exe  PID 2948  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12  \??\c:\9hbnbh.exe  cmd: c:\9hbnbh.exe  PID 1656  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13  \??\c:\7lxrrrx.exe  cmd: c:\7lxrrrx.exe  PID 2860  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14  \??\c:\xxlxlrx.exe  cmd: c:\xxlxlrx.exe  PID 2852  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15  \??\c:\c668068.exe  cmd: c:\c668068.exe  PID 1740  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16  \??\c:\1bntth.exe  cmd: c:\1bntth.exe  PID 1488  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17  \??\c:\i662880.exe  cmd: c:\i662880.exe  PID 1844  [Executes dropped EXE]
18  \??\c:\60246.exe  cmd: c:\60246.exe  PID 2356  [Executes dropped EXE]
19  \??\c:\k46626.exe  cmd: c:\k46626.exe  PID 1940  [Executes dropped EXE]
20  \??\c:\8604000.exe  cmd: c:\8604000.exe  PID 2296  [Executes dropped EXE]
21  \??\c:\7pvvp.exe  cmd: c:\7pvvp.exe  PID 2100  [Executes dropped EXE]
22  \??\c:\8644040.exe  cmd: c:\8644040.exe  PID 948  [Executes dropped EXE]
23  \??\c:\bnbhtt.exe  cmd: c:\bnbhtt.exe  PID 2452  [Executes dropped EXE]
24  \??\c:\flrrxrl.exe  cmd: c:\flrrxrl.exe  PID 944  [Executes dropped EXE]
25  \??\c:\xlfffxf.exe  cmd: c:\xlfffxf.exe  PID 1728  [Executes dropped EXE]
26  \??\c:\e62288.exe  cmd: c:\e62288.exe  PID 1404  [Executes dropped EXE]
27  \??\c:\m8428.exe  cmd: c:\m8428.exe  PID 2292  [Executes dropped EXE]
28  \??\c:\9dvvv.exe  cmd: c:\9dvvv.exe  PID 3016  [Executes dropped EXE]
29  \??\c:\4488440.exe  cmd: c:\4488440.exe  PID 2300  [Executes dropped EXE]
30  \??\c:\868800.exe  cmd: c:\868800.exe  PID 788  [Executes dropped EXE]
31  \??\c:\08444.exe  cmd: c:\08444.exe  PID 2260  [Executes dropped EXE]
32  \??\c:\vpdjj.exe  cmd: c:\vpdjj.exe  PID 2224  [Executes dropped EXE]
33  \??\c:\3bnnnh.exe  cmd: c:\3bnnnh.exe  PID 1732  [Executes dropped EXE]
34  \??\c:\bnnttt.exe  cmd: c:\bnnttt.exe  PID 2028  [Executes dropped EXE]
35  \??\c:\226468.exe  cmd: c:\226468.exe  PID 1544  [Executes dropped EXE]
36  \??\c:\nbnhnn.exe  cmd: c:\nbnhnn.exe  PID 2716  [Executes dropped EXE]
37  \??\c:\hbttbh.exe  cmd: c:\hbttbh.exe  PID 2804  [Executes dropped EXE]
38  \??\c:\4866288.exe  cmd: c:\4866288.exe  PID 2128  [Executes dropped EXE]
39  \??\c:\424448.exe  cmd: c:\424448.exe  PID 2836  [Executes dropped EXE]
40  \??\c:\lrfrfxx.exe  cmd: c:\lrfrfxx.exe  PID 2740  [Executes dropped EXE]
41  \??\c:\dvvvd.exe  cmd: c:\dvvvd.exe  PID 2756  [Executes dropped EXE]
42  \??\c:\02488.exe  cmd: c:\02488.exe  PID 2624  [Executes dropped EXE]
43  \??\c:\nbnhhh.exe  cmd: c:\nbnhhh.exe  PID 2616  [Executes dropped EXE]
44  \??\c:\rflllll.exe  cmd: c:\rflllll.exe  PID 2868  [Executes dropped EXE]
45  \??\c:\xlxxfxf.exe  cmd: c:\xlxxfxf.exe  PID 3036  [Executes dropped EXE]
46  \??\c:\lfrllll.exe  cmd: c:\lfrllll.exe  PID 444  [Executes dropped EXE]
47  \??\c:\vpjdd.exe  cmd: c:\vpjdd.exe  PID 1712  [Executes dropped EXE]
48  \??\c:\4240440.exe  cmd: c:\4240440.exe  PID 1688  [Executes dropped EXE]
49  \??\c:\pjdjp.exe  cmd: c:\pjdjp.exe  PID 2256  [Executes dropped EXE]
50  \??\c:\64284.exe  cmd: c:\64284.exe  PID 2188  [Executes dropped EXE]
51  \??\c:\hthbhb.exe  cmd: c:\hthbhb.exe  PID 1276  [Executes dropped EXE]
52  \??\c:\048802.exe  cmd: c:\048802.exe  PID 2828  [Executes dropped EXE]
53  \??\c:\flflxfx.exe  cmd: c:\flflxfx.exe  PID 2904  [Executes dropped EXE]
54  \??\c:\660800.exe  cmd: c:\660800.exe  PID 2080  [Executes dropped EXE]
55  \??\c:\646244.exe  cmd: c:\646244.exe  PID 1988  [Executes dropped EXE]
56  \??\c:\pjvdj.exe  cmd: c:\pjvdj.exe  PID 1588  [Executes dropped EXE]
57  \??\c:\480060.exe  cmd: c:\480060.exe  PID 2212  [Executes dropped EXE]
58  \??\c:\48680.exe  cmd: c:\48680.exe  PID 2384  [Executes dropped EXE]
59  \??\c:\26246.exe  cmd: c:\26246.exe  PID 1968  [Executes dropped EXE]
60  \??\c:\5rflrrl.exe  cmd: c:\5rflrrl.exe  PID 1908  [Executes dropped EXE]
61  \??\c:\46844.exe  cmd: c:\46844.exe  PID 1964  [Executes dropped EXE]
62  \??\c:\042422.exe  cmd: c:\042422.exe  PID 1596  [Executes dropped EXE]
63  \??\c:\w42288.exe  cmd: c:\w42288.exe  PID 2132  [Executes dropped EXE]
64  \??\c:\e86244.exe  cmd: c:\e86244.exe  PID 2984  [Executes dropped EXE]
65  \??\c:\xrxrfll.exe  cmd: c:\xrxrfll.exe  PID 1040  [Executes dropped EXE]
66  \??\c:\vpjjp.exe  cmd: c:\vpjjp.exe  PID 968
67  \??\c:\rfrlflr.exe  cmd: c:\rfrlflr.exe  PID 2528
68  \??\c:\4200886.exe  cmd: c:\4200886.exe  PID 1716
69  \??\c:\04268.exe  cmd: c:\04268.exe  PID 1912
70  \??\c:\a4284.exe  cmd: c:\a4284.exe  PID 2976
71  \??\c:\5rfxrrx.exe  cmd: c:\5rfxrrx.exe  PID 1876
72  \??\c:\608488.exe  cmd: c:\608488.exe  PID 684
73  \??\c:\rlflllx.exe  cmd: c:\rlflllx.exe  PID 1652
74  \??\c:\20840.exe  cmd: c:\20840.exe  PID 1272
75  \??\c:\26488.exe  cmd: c:\26488.exe  PID 976
76  \??\c:\5pdjj.exe  cmd: c:\5pdjj.exe  PID 1608
77  \??\c:\rfxlrxf.exe  cmd: c:\rfxlrxf.exe  PID 2784
78  \??\c:\hhbnbn.exe  cmd: c:\hhbnbn.exe  PID 2700
79  \??\c:\lfflxlf.exe  cmd: c:\lfflxlf.exe  PID 2708
80  \??\c:\tbhtnn.exe  cmd: c:\tbhtnn.exe  PID 2716
81  \??\c:\htbbbh.exe  cmd: c:\htbbbh.exe  PID 2888
82  \??\c:\0420286.exe  cmd: c:\0420286.exe  PID 2792
83  \??\c:\64006.exe  cmd: c:\64006.exe  PID 2836
84  \??\c:\60864.exe  cmd: c:\60864.exe  PID 2740
85  \??\c:\28462.exe  cmd: c:\28462.exe  PID 1932
86  \??\c:\llfrxfx.exe  cmd: c:\llfrxfx.exe  PID 2624
87  \??\c:\04284.exe  cmd: c:\04284.exe  PID 2732
88  \??\c:\2644224.exe  cmd: c:\2644224.exe  PID 2156
89  \??\c:\8680222.exe  cmd: c:\8680222.exe  PID 1928
90  \??\c:\5xlxxxr.exe  cmd: c:\5xlxxxr.exe  PID 1144
91  \??\c:\4240628.exe  cmd: c:\4240628.exe  PID 2380
92  \??\c:\i422062.exe  cmd: c:\i422062.exe  PID 2948
93  \??\c:\bbthnn.exe  cmd: c:\bbthnn.exe  PID 1656
94  \??\c:\nhtbhh.exe  cmd: c:\nhtbhh.exe  PID 2188
95  \??\c:\vjjdd.exe  cmd: c:\vjjdd.exe  PID 2908
96  \??\c:\bhhbnn.exe  cmd: c:\bhhbnn.exe  PID 2620
97  \??\c:\0480628.exe  cmd: c:\0480628.exe  PID 2904
98  \??\c:\8206446.exe  cmd: c:\8206446.exe  PID 2332
99  \??\c:\i640664.exe  cmd: c:\i640664.exe  PID 1988
100  \??\c:\u488444.exe  cmd: c:\u488444.exe  PID 1160
101  \??\c:\xrxxfxf.exe  cmd: c:\xrxxfxf.exe  PID 2212
102  \??\c:\4824068.exe  cmd: c:\4824068.exe  PID 2968
103  \??\c:\xxrfffl.exe  cmd: c:\xxrfffl.exe  PID 1936
104  \??\c:\826860.exe  cmd: c:\826860.exe  PID 1948
105  \??\c:\ffxxxrr.exe  cmd: c:\ffxxxrr.exe  PID 1964
106  \??\c:\rllrflx.exe  cmd: c:\rllrflx.exe  PID 2460
107  \??\c:\bththh.exe  cmd: c:\bththh.exe  PID 2132
108  \??\c:\5tthnn.exe  cmd: c:\5tthnn.exe  PID 996
109  \??\c:\djdjp.exe  cmd: c:\djdjp.exe  PID 2960
110  \??\c:\02484.exe  cmd: c:\02484.exe  PID 1060
111  \??\c:\thtnbb.exe  cmd: c:\thtnbb.exe  PID 1684
112  \??\c:\ddjpp.exe  cmd: c:\ddjpp.exe  PID 1404
113  \??\c:\ffxxrrl.exe  cmd: c:\ffxxrrl.exe  PID 2292
114  \??\c:\0824028.exe  cmd: c:\0824028.exe  PID 1464
115  \??\c:\86888.exe  cmd: c:\86888.exe  PID 2488
116  \??\c:\bbthth.exe  cmd: c:\bbthth.exe  PID 2272
117  \??\c:\rlfxfff.exe  cmd: c:\rlfxfff.exe  PID 1132
118  \??\c:\6864464.exe  cmd: c:\6864464.exe  PID 1624
119  \??\c:\rflfxll.exe  cmd: c:\rflfxll.exe  PID 2480
120  \??\c:\2684280.exe  cmd: c:\2684280.exe  PID 1608
121  \??\c:\9xxxllx.exe  cmd: c:\9xxxllx.exe  PID 2472
122  \??\c:\bhnbbh.exe  cmd: c:\bhnbbh.exe  PID 1668