Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2024, 18:52
Static task: static1
Behavioral task: behavioral1
Sample: 949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe
Resource: win7-20241010-en
General
Target: 949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe
Size: 454KB
MD5: e3a4dbcf27d4b64e126d834c63a21c62
SHA1: 1ac94a8574337a2cc636ef31111370b04c1aa079
SHA256: 949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7
SHA512: 09d947e82a84631ebef6a25203eede57834941c86021bef933f47e448827eb8356bf9cbeedf99ab7818cdc89469f891c46540ead23bc44c9744971b9064ff4be
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeC:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 54 IoCs
resource (yara_rule: family_blackmoon for every entry)
behavioral1/memory/2372-7-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1664-11-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2560-24-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2340-36-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1336-55-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2776-65-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2872-95-0x00000000001B0000-0x00000000001DA000-memory.dmp
behavioral1/memory/2872-100-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2648-103-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2216-119-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/988-129-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2108-138-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1904-146-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1908-151-0x00000000003C0000-0x00000000003EA000-memory.dmp
behavioral1/memory/1908-156-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2616-165-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/772-192-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/772-190-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2728-210-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/832-214-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1996-224-0x0000000000320000-0x000000000034A000-memory.dmp
behavioral1/memory/1996-231-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1996-229-0x0000000000320000-0x000000000034A000-memory.dmp
behavioral1/memory/1860-239-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1504-244-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1504-249-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2212-262-0x00000000003C0000-0x00000000003EA000-memory.dmp
behavioral1/memory/2512-275-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1048-301-0x0000000076B50000-0x0000000076C6F000-memory.dmp
behavioral1/memory/1048-302-0x0000000076C70000-0x0000000076D6A000-memory.dmp
behavioral1/memory/1488-320-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2856-370-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2688-415-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2688-414-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1552-434-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2956-447-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1864-466-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1960-474-0x00000000003C0000-0x00000000003EA000-memory.dmp
behavioral1/memory/2276-475-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1960-472-0x00000000003C0000-0x00000000003EA000-memory.dmp
behavioral1/memory/832-506-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/628-514-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/628-537-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1044-566-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2696-682-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/664-701-0x00000000003C0000-0x00000000003EA000-memory.dmp
behavioral1/memory/2412-844-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2916-902-0x0000000000320000-0x000000000034A000-memory.dmp
behavioral1/memory/2788-928-0x0000000000350000-0x000000000037A000-memory.dmp
behavioral1/memory/2692-1010-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1780-1030-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/836-1100-0x00000000003B0000-0x00000000003DA000-memory.dmp
behavioral1/memory/2976-1242-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2976-1241-0x0000000000220000-0x000000000024A000-memory.dmp
Executes dropped EXE 64 IoCs
pid  Process
1664  htnttt.exe
2560  668282.exe
2340  1pddj.exe
2044  2648484.exe
1336  o028846.exe
2776  3fxfllx.exe
2856  1ttnhh.exe
2264  i206824.exe
2732  42006.exe
2872  1thbbb.exe
2648  6084668.exe
2216  4800004.exe
988  lfxxfxf.exe
2108  5xllfxf.exe
1904  468444.exe
1908  4424220.exe
2616  rlfxllr.exe
1796  dpjdj.exe
1924  dvpvj.exe
772  62046.exe
1840  ttbhbb.exe
2728  080066.exe
832  0826828.exe
1996  lrxxffr.exe
1860  48602.exe
1504  hbnnbt.exe
1708  264462.exe
2212  20884.exe
2512  u044668.exe
2460  hnhbhn.exe
1980  042824.exe
2040  dvpjv.exe
1048  9nntbh.exe
1564  lfxlxlx.exe
1488  40880.exe
2352  00464.exe
1696  1jvdj.exe
2484  vjvjv.exe
1288  pjvvv.exe
1928  bhbhth.exe
2780  jvjpv.exe
2764  66026.exe
2856  llflffr.exe
2792  tnnbbn.exe
2768  i428406.exe
2668  lfxfllf.exe
2860  3hhhnh.exe
2648  824404.exe
2280  9jjjv.exe
2688  8022662.exe
1848  k46604.exe
2964  202220.exe
1552  048066.exe
2692  ddpjp.exe
2956  thbbnt.exe
2828  vvpjp.exe
1432  1tnnbt.exe
1864  pdvdp.exe
1960  a8842.exe
2276  608028.exe
1632  llllffx.exe
1080  ttnbhn.exe
1520  ddddv.exe
832  26446.exe
UPX-packed memory regions (yara_rule: upx for every entry) 50 IoCs
resource
behavioral1/memory/2372-7-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1664-11-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2560-24-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2340-36-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1336-45-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1336-55-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2856-66-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2776-65-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2872-100-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2648-103-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2216-119-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/988-129-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2108-138-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1904-146-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1908-156-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2616-165-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/772-192-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2728-201-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2728-210-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/832-214-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1996-231-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1860-239-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1504-249-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2512-275-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1488-320-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2856-370-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2764-383-0x0000000000230000-0x000000000025A000-memory.dmp
behavioral1/memory/2688-415-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2688-414-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1552-434-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2956-447-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2276-475-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/832-506-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1044-566-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1236-667-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2696-682-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2276-762-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/680-769-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2412-844-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2916-895-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2060-915-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2692-1010-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1780-1023-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1780-1030-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/748-1061-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/684-1080-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/836-1093-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2432-1131-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1696-1180-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1552-1274-0x0000000000400000-0x000000000042A000-memory.dmp
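The two memory-dump tables above (family_blackmoon and upx) share one record format, `<task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <yara_rule>`, and extraction has run the records together. The Python below is an added example, not part of the tria.ge report and not Blackmoon tooling, that parses that format out of glued text, groups hits by PID in dump order, and separates the hits at the image base 0x400000 (every one of them exactly 0x2A000 bytes, i.e. the same unpacked image in every dropped EXE) from the hits elsewhere: the 0x2A000-byte copies at 0x1B0000, 0x220000, 0x320000 and similar private addresses, and the two larger hits in PID 1048 at 0x76B50000 and 0x76C70000, which fall in the range where system DLLs are typically mapped on 32-bit Windows 7 and deserve a manual look rather than being taken as payload. The sample input is a subset of the report's own entries; `DEFAULT_IMAGE_BASE = 0x400000` is an assumption (it holds here because the images were not relocated) and is a parameter. One caveat the data forces: the sandbox reuses PIDs over the run (832 at seq 214 and again at seq 506 is two different dropped EXEs per the list above), so key on (pid, seq), never on pid alone.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# One memory-dump IoC as the report prints it:
#   <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <yara_rule>
# finditer() is used instead of a line split because extraction glues the
# whole table onto a few long lines.
IOC_RE = re.compile(
    r"(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\w+)"
)

# Assumption: preferred base of a 32-bit PE that was loaded without relocation.
DEFAULT_IMAGE_BASE = 0x400000

# Constructed sample: ten entries copied from the family_blackmoon table above.
SAMPLE_IOCS = (
    "behavioral1/memory/2372-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon "
    "behavioral1/memory/1664-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon "
    "behavioral1/memory/2872-95-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon "
    "behavioral1/memory/2872-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon "
    "behavioral1/memory/1996-224-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon "
    "behavioral1/memory/1996-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon "
    "behavioral1/memory/1048-301-0x0000000076B50000-0x0000000076C6F000-memory.dmp family_blackmoon "
    "behavioral1/memory/1048-302-0x0000000076C70000-0x0000000076D6A000-memory.dmp family_blackmoon "
    "behavioral1/memory/832-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon "
    "behavioral1/memory/832-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -"
)


@dataclass(frozen=True)
class MemoryIoc:
    task: str
    pid: int
    seq: int        # dump sequence number; increases over the run, so it
    start: int      # disambiguates a PID that Windows handed out twice
    end: int
    rule: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_memory_iocs(text: str) -> list[MemoryIoc]:
    """Extract every memory-dump IoC from report text, in report order."""
    return [
        MemoryIoc(m["task"], int(m["pid"]), int(m["seq"]),
                  int(m["start"], 16), int(m["end"], 16), m["rule"])
        for m in IOC_RE.finditer(text)
    ]


def by_pid(iocs: list[MemoryIoc]) -> dict[int, list[MemoryIoc]]:
    """Group hits per PID, ordered by dump sequence. A PID whose seq values
    jump far apart (832: 214 then 506) is two processes, not one."""
    groups: dict[int, list[MemoryIoc]] = defaultdict(list)
    for ioc in sorted(iocs, key=lambda i: i.seq):
        groups[ioc.pid].append(ioc)
    return dict(groups)


def image_region_sizes(iocs: list[MemoryIoc], image_base: int = DEFAULT_IMAGE_BASE) -> set[int]:
    """Distinct sizes of the hits that start at the image base. A single value
    across all PIDs means every dropped EXE is the same unpacked image."""
    return {i.size for i in iocs if i.start == image_base}


def off_image_hits(iocs: list[MemoryIoc], image_base: int = DEFAULT_IMAGE_BASE) -> list[MemoryIoc]:
    """Hits that do not start at the image base: a staged copy of the payload
    in a private buffer, or a rule match inside some other module's range.
    These are the ones to confirm by hand before trusting the family label."""
    return [i for i in iocs if i.start != image_base]


if __name__ == "__main__":
    hits = parse_memory_iocs(SAMPLE_IOCS)
    print(f"{len(hits)} hits, image-region sizes: {[hex(s) for s in image_region_sizes(hits)]}")
    for pid, group in by_pid(hits).items():
        print(pid, [(g.seq, hex(g.start), hex(g.size)) for g in group])
    for h in off_image_hits(hits):
        print(f"off-image: pid {h.pid} seq {h.seq} {h.start:#x}-{h.end:#x} ({h.size:#x} bytes)")
```

Running it on the full tables above is a matter of passing the whole signature text instead of `SAMPLE_IOCS`; the regex ignores the column headers and the stray " -" separators.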
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (the same key in all 64 entries)
Process column in report order, with runs of "Process not Found" collapsed to a count:
084066.exe
Process not Found ×4
i202446.exe
fxxxrrx.exe
Process not Found ×7
xxrxrrf.exe
Process not Found ×5
llrxflr.exe
Process not Found ×10
xrxrxxf.exe
Process not Found ×5
c662066.exe
Process not Found ×6
2206888.exe
s6600.exe
Process not Found ×3
bbnhnt.exe
nbhhnn.exe
Process not Found ×4
4802846.exe
tnbhnn.exe
Process not Found ×7
Suspicious use of WriteProcessMemory 64 IoCs
Columns: parent PID, child PID, parent process, procid_target. The report shows at most 64 entries per signature; these are the first 16 parent/child pairs, each of which the sandbox logged four times (×4).
2372 → 1664  949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe  30  ×4
1664 → 2560  htnttt.exe  31  ×4
2560 → 2340  668282.exe  32  ×4
2340 → 2044  1pddj.exe  33  ×4
2044 → 1336  2648484.exe  34  ×4
1336 → 2776  o028846.exe  35  ×4
2776 → 2856  3fxfllx.exe  36  ×4
2856 → 2264  1ttnhh.exe  37  ×4
2264 → 2732  i206824.exe  38  ×4
2732 → 2872  42006.exe  39  ×4
2872 → 2648  1thbbb.exe  40  ×4
2648 → 2216  6084668.exe  41  ×4
2216 → 988  4800004.exe  42  ×4
988 → 2108  lfxxfxf.exe  43  ×4
2108 → 1904  5xllfxf.exe  44  ×4
1904 → 1908  468444.exe  45  ×4
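The WriteProcessMemory entries above are the raw material for the process tree that follows: each "PID A wrote to memory of B A <image> <target>" record is one parent/child edge, logged four times per child. The Python below is an added example (not part of the tria.ge report) that parses those records from glued text, collapses the repeats into edges with a count, checks whether the edges form a single chain or a tree, and walks the chain from the submitted sample's PID. The walk carries a visited set for a reason visible in the process tree further down: Windows reused PIDs during this run (1664 at depth 2 and again at depth 80; 2856 at depths 8, 45 and 90; 832 at depths 24 and 66), so a walker keyed on PID alone would loop once the full list is fed in; this one stops and reports the PID at which the cycle appeared. The sample input is the first five pairs from the table above; the root PID 2372 is passed in rather than inferred.

```python
import re
from collections import Counter

# One entry of the "Suspicious use of WriteProcessMemory" signature as the
# report prints it (whitespace-separated, many entries on one line):
#   PID <parent> wrote to memory of <child> <parent> <parent image> <target id>
WPM_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target>\d+)"
)

# Constructed sample: the first five parent/child pairs from the table above,
# each repeated four times exactly as the sandbox logged them.
_PAIRS = [
    (2372, 1664, "949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe", 30),
    (1664, 2560, "htnttt.exe", 31),
    (2560, 2340, "668282.exe", 32),
    (2340, 2044, "1pddj.exe", 33),
    (2044, 1336, "2648484.exe", 34),
]
SAMPLE_WPM = " ".join(
    f"PID {p} wrote to memory of {c} {p} {img} {t}"
    for p, c, img, t in _PAIRS for _ in range(4)
)


def parse_write_events(text):
    """(parent_pid, child_pid, parent_image, target_id) tuples in log order."""
    return [(int(m["parent"]), int(m["child"]), m["image"], int(m["target"]))
            for m in WPM_RE.finditer(text)]


def collapse_edges(events):
    """Distinct parent->child edges, each with the number of writes logged."""
    return Counter((p, c) for p, c, _, _ in events)


def parent_images(events):
    """PID -> image name for every PID that appears as a writer."""
    return {p: img for p, _, img, _ in events}


def is_linear(edges):
    """True when no parent has two children and no child has two parents,
    i.e. the writes describe one chain rather than a branching tree."""
    as_parent = Counter(p for p, _ in edges)
    as_child = Counter(c for _, c in edges)
    return (max(as_parent.values(), default=0) <= 1
            and max(as_child.values(), default=0) <= 1)


def walk_chain(edges, root):
    """Follow the first child of each PID starting at root.
    Returns (chain, revisited): revisited is the PID at which the walk met a
    PID already on the chain, or None. In sandbox output such a cycle is a
    reused PID, not a process writing into its own ancestor, so stop there."""
    children = {}
    for p, c in edges:                      # Counter preserves log order
        children.setdefault(p, []).append(c)
    chain, seen, cur = [], set(), root
    while cur not in seen:
        seen.add(cur)
        chain.append(cur)
        nxt = children.get(cur)
        if not nxt:
            return chain, None
        cur = nxt[0]
    return chain, cur


def describe(text, root):
    """Summary dict a triage note can be written from."""
    events = parse_write_events(text)
    edges = collapse_edges(events)
    names = parent_images(events)
    chain, revisited = walk_chain(edges, root)
    return {
        "events": len(events),
        "edges": len(edges),
        "writes_per_edge": sorted(set(edges.values())),
        "linear": is_linear(edges),
        "chain": [(pid, names.get(pid)) for pid in chain],
        "revisited": revisited,
    }


if __name__ == "__main__":
    for key, value in describe(SAMPLE_WPM, 2372).items():
        print(f"{key}: {value}")
```

The last PID on the chain has no image name because the report names only the writer; to name it, join against the "Executes dropped EXE" list, again keyed on more than the bare PID.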
Processes
Columns: depth, image path, command line, PID, signatures that fired for the process. Each process is the child of the one listed directly above it; the tree is a single chain 122 levels deep.
1  C:\Users\Admin\AppData\Local\Temp\949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe  "C:\Users\Admin\AppData\Local\Temp\949c6377d7cd3f104932a4c7b51ee766fae3ab018f4919c3d03331cfde70ecf7.exe"  PID 2372  Suspicious use of WriteProcessMemory
2  \??\c:\htnttt.exe  c:\htnttt.exe  PID 1664  Executes dropped EXE; Suspicious use of WriteProcessMemory
3  \??\c:\668282.exe  c:\668282.exe  PID 2560  Executes dropped EXE; Suspicious use of WriteProcessMemory
4  \??\c:\1pddj.exe  c:\1pddj.exe  PID 2340  Executes dropped EXE; Suspicious use of WriteProcessMemory
5  \??\c:\2648484.exe  c:\2648484.exe  PID 2044  Executes dropped EXE; Suspicious use of WriteProcessMemory
6  \??\c:\o028846.exe  c:\o028846.exe  PID 1336  Executes dropped EXE; Suspicious use of WriteProcessMemory
7  \??\c:\3fxfllx.exe  c:\3fxfllx.exe  PID 2776  Executes dropped EXE; Suspicious use of WriteProcessMemory
8  \??\c:\1ttnhh.exe  c:\1ttnhh.exe  PID 2856  Executes dropped EXE; Suspicious use of WriteProcessMemory
9  \??\c:\i206824.exe  c:\i206824.exe  PID 2264  Executes dropped EXE; Suspicious use of WriteProcessMemory
10  \??\c:\42006.exe  c:\42006.exe  PID 2732  Executes dropped EXE; Suspicious use of WriteProcessMemory
11  \??\c:\1thbbb.exe  c:\1thbbb.exe  PID 2872  Executes dropped EXE; Suspicious use of WriteProcessMemory
12  \??\c:\6084668.exe  c:\6084668.exe  PID 2648  Executes dropped EXE; Suspicious use of WriteProcessMemory
13  \??\c:\4800004.exe  c:\4800004.exe  PID 2216  Executes dropped EXE; Suspicious use of WriteProcessMemory
14  \??\c:\lfxxfxf.exe  c:\lfxxfxf.exe  PID 988  Executes dropped EXE; Suspicious use of WriteProcessMemory
15  \??\c:\5xllfxf.exe  c:\5xllfxf.exe  PID 2108  Executes dropped EXE; Suspicious use of WriteProcessMemory
16  \??\c:\468444.exe  c:\468444.exe  PID 1904  Executes dropped EXE; Suspicious use of WriteProcessMemory
17  \??\c:\4424220.exe  c:\4424220.exe  PID 1908  Executes dropped EXE
18  \??\c:\rlfxllr.exe  c:\rlfxllr.exe  PID 2616  Executes dropped EXE
19  \??\c:\dpjdj.exe  c:\dpjdj.exe  PID 1796  Executes dropped EXE
20  \??\c:\dvpvj.exe  c:\dvpvj.exe  PID 1924  Executes dropped EXE
21  \??\c:\62046.exe  c:\62046.exe  PID 772  Executes dropped EXE
22  \??\c:\ttbhbb.exe  c:\ttbhbb.exe  PID 1840  Executes dropped EXE
23  \??\c:\080066.exe  c:\080066.exe  PID 2728  Executes dropped EXE
24  \??\c:\0826828.exe  c:\0826828.exe  PID 832  Executes dropped EXE
25  \??\c:\lrxxffr.exe  c:\lrxxffr.exe  PID 1996  Executes dropped EXE
26  \??\c:\48602.exe  c:\48602.exe  PID 1860  Executes dropped EXE
27  \??\c:\hbnnbt.exe  c:\hbnnbt.exe  PID 1504  Executes dropped EXE
28  \??\c:\264462.exe  c:\264462.exe  PID 1708  Executes dropped EXE
29  \??\c:\20884.exe  c:\20884.exe  PID 2212  Executes dropped EXE
30  \??\c:\u044668.exe  c:\u044668.exe  PID 2512  Executes dropped EXE
31  \??\c:\hnhbhn.exe  c:\hnhbhn.exe  PID 2460  Executes dropped EXE
32  \??\c:\042824.exe  c:\042824.exe  PID 1980  Executes dropped EXE
33  \??\c:\dvpjv.exe  c:\dvpjv.exe  PID 2040  Executes dropped EXE
34  \??\c:\9nntbh.exe  c:\9nntbh.exe  PID 1048  Executes dropped EXE
35  \??\c:\i240624.exe  c:\i240624.exe  PID 2564
36  \??\c:\lfxlxlx.exe  c:\lfxlxlx.exe  PID 1564  Executes dropped EXE
37  \??\c:\40880.exe  c:\40880.exe  PID 1488  Executes dropped EXE
38  \??\c:\00464.exe  c:\00464.exe  PID 2352  Executes dropped EXE
39  \??\c:\1jvdj.exe  c:\1jvdj.exe  PID 1696  Executes dropped EXE
40  \??\c:\vjvjv.exe  c:\vjvjv.exe  PID 2484  Executes dropped EXE
41  \??\c:\pjvvv.exe  c:\pjvvv.exe  PID 1288  Executes dropped EXE
42  \??\c:\bhbhth.exe  c:\bhbhth.exe  PID 1928  Executes dropped EXE
43  \??\c:\jvjpv.exe  c:\jvjpv.exe  PID 2780  Executes dropped EXE
44  \??\c:\66026.exe  c:\66026.exe  PID 2764  Executes dropped EXE
45  \??\c:\llflffr.exe  c:\llflffr.exe  PID 2856  Executes dropped EXE
46  \??\c:\tnnbbn.exe  c:\tnnbbn.exe  PID 2792  Executes dropped EXE
47  \??\c:\i428406.exe  c:\i428406.exe  PID 2768  Executes dropped EXE
48  \??\c:\lfxfllf.exe  c:\lfxfllf.exe  PID 2668  Executes dropped EXE
49  \??\c:\3hhhnh.exe  c:\3hhhnh.exe  PID 2860  Executes dropped EXE
50  \??\c:\824404.exe  c:\824404.exe  PID 2648  Executes dropped EXE
51  \??\c:\9jjjv.exe  c:\9jjjv.exe  PID 2280  Executes dropped EXE
52  \??\c:\8022662.exe  c:\8022662.exe  PID 2688  Executes dropped EXE
53  \??\c:\k46604.exe  c:\k46604.exe  PID 1848  Executes dropped EXE
54  \??\c:\202220.exe  c:\202220.exe  PID 2964  Executes dropped EXE
55  \??\c:\048066.exe  c:\048066.exe  PID 1552  Executes dropped EXE
56  \??\c:\ddpjp.exe  c:\ddpjp.exe  PID 2692  Executes dropped EXE
57  \??\c:\thbbnt.exe  c:\thbbnt.exe  PID 2956  Executes dropped EXE
58  \??\c:\vvpjp.exe  c:\vvpjp.exe  PID 2828  Executes dropped EXE
59  \??\c:\1tnnbt.exe  c:\1tnnbt.exe  PID 1432  Executes dropped EXE
60  \??\c:\pdvdp.exe  c:\pdvdp.exe  PID 1864  Executes dropped EXE
61  \??\c:\a8842.exe  c:\a8842.exe  PID 1960  Executes dropped EXE
62  \??\c:\608028.exe  c:\608028.exe  PID 2276  Executes dropped EXE
63  \??\c:\llllffx.exe  c:\llllffx.exe  PID 1632  Executes dropped EXE
64  \??\c:\ttnbhn.exe  c:\ttnbhn.exe  PID 1080  Executes dropped EXE
65  \??\c:\ddddv.exe  c:\ddddv.exe  PID 1520  Executes dropped EXE
66  \??\c:\26446.exe  c:\26446.exe  PID 832  Executes dropped EXE
67  \??\c:\a6402.exe  c:\a6402.exe  PID 628
68  \??\c:\rlxflfl.exe  c:\rlxflfl.exe  PID 2516
69  \??\c:\ddpvd.exe  c:\ddpvd.exe  PID 2228
70  \??\c:\btntnn.exe  c:\btntnn.exe  PID 2008
71  \??\c:\9tbhnt.exe  c:\9tbhnt.exe  PID 1772
72  \??\c:\nhtbnh.exe  c:\nhtbnh.exe  PID 2428
73  \??\c:\042860.exe  c:\042860.exe  PID 2268
74  \??\c:\jvjjp.exe  c:\jvjjp.exe  PID 2168
75  \??\c:\9jvdp.exe  c:\9jvdp.exe  PID 1940
76  \??\c:\xrflrlr.exe  c:\xrflrlr.exe  PID 1044
77  \??\c:\dvpdp.exe  c:\dvpdp.exe  PID 1752
78  \??\c:\00464.exe  c:\00464.exe  PID 2400
79  \??\c:\604084.exe  c:\604084.exe  PID 344
80  \??\c:\9pjpv.exe  c:\9pjpv.exe  PID 1664
81  \??\c:\xxrfxxl.exe  c:\xxrfxxl.exe  PID 1040
82  \??\c:\08006.exe  c:\08006.exe  PID 948
83  \??\c:\4828004.exe  c:\4828004.exe  PID 2344
84  \??\c:\c662066.exe  c:\c662066.exe  PID 2368  System Location Discovery: System Language Discovery
85  \??\c:\1vpvv.exe  c:\1vpvv.exe  PID 2484
86  \??\c:\8688000.exe  c:\8688000.exe  PID 2060
87  \??\c:\7fxflrx.exe  c:\7fxflrx.exe  PID 2772
88  \??\c:\pdjpv.exe  c:\pdjpv.exe  PID 2840
89  \??\c:\djvdd.exe  c:\djvdd.exe  PID 2776
90  \??\c:\08662.exe  c:\08662.exe  PID 2856
91  \??\c:\5dvvj.exe  c:\5dvvj.exe  PID 2732
92  \??\c:\k64026.exe  c:\k64026.exe  PID 1236
93  \??\c:\i266800.exe  c:\i266800.exe  PID 2696
94  \??\c:\48680.exe  c:\48680.exe  PID 2680
95  \??\c:\7llflrx.exe  c:\7llflrx.exe  PID 1808
96  \??\c:\s2680.exe  c:\s2680.exe  PID 664
97  \??\c:\c084424.exe  c:\c084424.exe  PID 2940
98  \??\c:\1xrflrl.exe  c:\1xrflrl.exe  PID 2072
99  \??\c:\c046846.exe  c:\c046846.exe  PID 1584
100  \??\c:\hththn.exe  c:\hththn.exe  PID 2944
101  \??\c:\rlfrxfr.exe  c:\rlfrxfr.exe  PID 2256
102  \??\c:\48400.exe  c:\48400.exe  PID 1316
103  \??\c:\00024.exe  c:\00024.exe  PID 1964
104  \??\c:\2640224.exe  c:\2640224.exe  PID 2532
105  \??\c:\q08400.exe  c:\q08400.exe  PID 2252
106  \??\c:\g6888.exe  c:\g6888.exe  PID 2224
107  \??\c:\7vvpv.exe  c:\7vvpv.exe  PID 2276
108  \??\c:\3bbbnt.exe  c:\3bbbnt.exe  PID 680
109  \??\c:\042428.exe  c:\042428.exe  PID 2596
110  \??\c:\rlxxxxx.exe  c:\rlxxxxx.exe  PID 1520
111  \??\c:\xxrrxrf.exe  c:\xxrrxrf.exe  PID 1852
112  \??\c:\608028.exe  c:\608028.exe  PID 1700
113  \??\c:\tthnhb.exe  c:\tthnhb.exe  PID 2516
114  \??\c:\442206.exe  c:\442206.exe  PID 2492
115  \??\c:\5jppd.exe  c:\5jppd.exe  PID 2520
116  \??\c:\046844.exe  c:\046844.exe  PID 2260
117  \??\c:\rlrrxxl.exe  c:\rlrrxxl.exe  PID 1612
118  \??\c:\2246420.exe  c:\2246420.exe  PID 1968
119  \??\c:\0420286.exe  c:\0420286.exe  PID 2412
120  \??\c:\pppvj.exe  c:\pppvj.exe  PID 356
121  \??\c:\vvpdv.exe  c:\vvpdv.exe  PID 2196
122  \??\c:\08246.exe  c:\08246.exe  PID 2376