Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
04/02/2025, 20:51
Static task
static1
Behavioral task
behavioral1
Sample
4335b1476747773fcea4ec6c7568d3ac1950344e48d734873a7a20d096e01637.exe
Resource
win7-20240708-en
General
-
Target
4335b1476747773fcea4ec6c7568d3ac1950344e48d734873a7a20d096e01637.exe
-
Size
455KB
-
MD5
e878d3d06259c8c05d9ca007f582f1d4
-
SHA1
00326b2c406b6a69cce410523d1d06d505c88dec
-
SHA256
4335b1476747773fcea4ec6c7568d3ac1950344e48d734873a7a20d096e01637
-
SHA512
930e644baca687b940b388453bc768cda5f4a5a5c9e5958a167909858fd25f155e203436bf4474498cd8116df7d3342da68fe90566927117d6dd2ecc181ce27f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRd:q7Tc2NYHUrAwfMp3CDRd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 55 IoCs
resource yara_rule behavioral1/memory/1540-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-84-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2604-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-102-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2116-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/580-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/264-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/544-154-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1528-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-191-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/888-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1664-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-226-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1344-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-262-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2336-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-351-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/2752-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-394-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3056-402-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3052-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-417-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/544-446-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2220-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-517-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2028-515-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/852-568-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1540-581-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2112-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-761-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2236-768-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/1664-773-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1736-783-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2948-809-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1344-822-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3020-825-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2452-916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/984-1010-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1208-1230-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2496 llxlxrr.exe 2636 4804002.exe 2376 ttnntt.exe 2764 nhhbtt.exe 2368 82628.exe 2752 080680.exe 2900 i822402.exe 2896 rfrrfxl.exe 2868 dvvvp.exe 2664 m8662.exe 2604 62462.exe 2116 6460262.exe 624 486888.exe 580 1flllxr.exe 2836 5hbtbh.exe 264 rrrfrfx.exe 544 fffrfll.exe 1528 s8868.exe 2864 864404.exe 2216 08400.exe 2244 3bthnh.exe 888 flxffxf.exe 1664 tnhhnh.exe 940 04228.exe 1248 nnhnth.exe 1040 2426622.exe 1344 bnhbnt.exe 1620 w64400.exe 2180 2622884.exe 1928 42068.exe 2208 vjvvd.exe 2312 xllflfl.exe 1964 s8028.exe 1552 u260484.exe 576 q24000.exe 2336 lflrrll.exe 2632 dvdjj.exe 2356 8240602.exe 2880 a4666.exe 2744 jvpvj.exe 2680 jdppp.exe 2752 1dpdd.exe 1980 68066.exe 2896 m4224.exe 2552 nttnnh.exe 2112 246288.exe 2672 m4802.exe 3056 486682.exe 3052 jdjpv.exe 1148 g2626.exe 860 bntbbt.exe 1140 vjddj.exe 688 xxxfffl.exe 2080 6406440.exe 544 860622.exe 984 ffrrxxl.exe 2592 m2446.exe 748 48280.exe 2420 8640284.exe 684 862424.exe 2204 4600628.exe 1076 nbthhn.exe 1396 6862222.exe 2220 w28066.exe -
resource yara_rule behavioral1/memory/1540-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-102-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2116-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/544-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1344-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-276-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2336-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-402-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3052-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/860-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-612-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2112-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-671-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1988-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-916-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/984-1010-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-1011-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-1048-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-1073-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-1190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-1287-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k26246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q86206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0428642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c806262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u260484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e20002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82628.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1540 wrote to memory of 2496 1540 4335b1476747773fcea4ec6c7568d3ac1950344e48d734873a7a20d096e01637.exe 30 PID 1540 wrote to memory of 2496 1540 4335b1476747773fcea4ec6c7568d3ac1950344e48d734873a7a20d096e01637.exe 30 PID 1540 wrote to memory of 2496 1540 4335b1476747773fcea4ec6c7568d3ac1950344e48d734873a7a20d096e01637.exe 30 PID 1540 wrote to memory of 2496 1540 4335b1476747773fcea4ec6c7568d3ac1950344e48d734873a7a20d096e01637.exe 30 PID 2496 wrote to memory of 2636 2496 llxlxrr.exe 31 PID 2496 wrote to memory of 2636 2496 llxlxrr.exe 31 PID 2496 wrote to memory of 2636 2496 llxlxrr.exe 31 PID 2496 wrote to memory of 2636 2496 llxlxrr.exe 31 PID 2636 wrote to memory of 2376 2636 4804002.exe 32 PID 2636 wrote to memory of 2376 2636 4804002.exe 32 PID 2636 wrote to memory of 2376 2636 4804002.exe 32 PID 2636 wrote to memory of 2376 2636 4804002.exe 32 PID 2376 wrote to memory of 2764 2376 ttnntt.exe 33 PID 2376 wrote to memory of 2764 2376 ttnntt.exe 33 PID 2376 wrote to memory of 2764 2376 ttnntt.exe 33 PID 2376 wrote to memory of 2764 2376 ttnntt.exe 33 PID 2764 wrote to memory of 2368 2764 nhhbtt.exe 34 PID 2764 wrote to memory of 2368 2764 nhhbtt.exe 34 PID 2764 wrote to memory of 2368 2764 nhhbtt.exe 34 PID 2764 wrote to memory of 2368 2764 nhhbtt.exe 34 PID 2368 wrote to memory of 2752 2368 82628.exe 35 PID 2368 wrote to memory of 2752 2368 82628.exe 35 PID 2368 wrote to memory of 2752 2368 82628.exe 35 PID 2368 wrote to memory of 2752 2368 82628.exe 35 PID 2752 wrote to memory of 2900 2752 080680.exe 36 PID 2752 wrote to memory of 2900 2752 080680.exe 36 PID 2752 wrote to memory of 2900 2752 080680.exe 36 PID 2752 wrote to memory of 2900 2752 080680.exe 36 PID 2900 wrote to memory of 2896 2900 i822402.exe 37 PID 2900 wrote to memory of 2896 2900 i822402.exe 37 PID 2900 wrote to memory of 2896 2900 i822402.exe 37 PID 2900 wrote to memory of 2896 2900 i822402.exe 37 PID 2896 wrote to memory of 2868 2896 rfrrfxl.exe 38 PID 
2896 wrote to memory of 2868 2896 rfrrfxl.exe 38 PID 2896 wrote to memory of 2868 2896 rfrrfxl.exe 38 PID 2896 wrote to memory of 2868 2896 rfrrfxl.exe 38 PID 2868 wrote to memory of 2664 2868 dvvvp.exe 39 PID 2868 wrote to memory of 2664 2868 dvvvp.exe 39 PID 2868 wrote to memory of 2664 2868 dvvvp.exe 39 PID 2868 wrote to memory of 2664 2868 dvvvp.exe 39 PID 2664 wrote to memory of 2604 2664 m8662.exe 40 PID 2664 wrote to memory of 2604 2664 m8662.exe 40 PID 2664 wrote to memory of 2604 2664 m8662.exe 40 PID 2664 wrote to memory of 2604 2664 m8662.exe 40 PID 2604 wrote to memory of 2116 2604 62462.exe 41 PID 2604 wrote to memory of 2116 2604 62462.exe 41 PID 2604 wrote to memory of 2116 2604 62462.exe 41 PID 2604 wrote to memory of 2116 2604 62462.exe 41 PID 2116 wrote to memory of 624 2116 6460262.exe 42 PID 2116 wrote to memory of 624 2116 6460262.exe 42 PID 2116 wrote to memory of 624 2116 6460262.exe 42 PID 2116 wrote to memory of 624 2116 6460262.exe 42 PID 624 wrote to memory of 580 624 486888.exe 43 PID 624 wrote to memory of 580 624 486888.exe 43 PID 624 wrote to memory of 580 624 486888.exe 43 PID 624 wrote to memory of 580 624 486888.exe 43 PID 580 wrote to memory of 2836 580 1flllxr.exe 44 PID 580 wrote to memory of 2836 580 1flllxr.exe 44 PID 580 wrote to memory of 2836 580 1flllxr.exe 44 PID 580 wrote to memory of 2836 580 1flllxr.exe 44 PID 2836 wrote to memory of 264 2836 5hbtbh.exe 45 PID 2836 wrote to memory of 264 2836 5hbtbh.exe 45 PID 2836 wrote to memory of 264 2836 5hbtbh.exe 45 PID 2836 wrote to memory of 264 2836 5hbtbh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4335b1476747773fcea4ec6c7568d3ac1950344e48d734873a7a20d096e01637.exe"C:\Users\Admin\AppData\Local\Temp\4335b1476747773fcea4ec6c7568d3ac1950344e48d734873a7a20d096e01637.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\llxlxrr.exec:\llxlxrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\4804002.exec:\4804002.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\ttnntt.exec:\ttnntt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\nhhbtt.exec:\nhhbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\82628.exec:\82628.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\080680.exec:\080680.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\i822402.exec:\i822402.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\rfrrfxl.exec:\rfrrfxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\dvvvp.exec:\dvvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\m8662.exec:\m8662.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\62462.exec:\62462.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\6460262.exec:\6460262.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\486888.exec:\486888.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\1flllxr.exec:\1flllxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:580 -
\??\c:\5hbtbh.exec:\5hbtbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\rrrfrfx.exec:\rrrfrfx.exe17⤵
- Executes dropped EXE
PID:264 -
\??\c:\fffrfll.exec:\fffrfll.exe18⤵
- Executes dropped EXE
PID:544 -
\??\c:\s8868.exec:\s8868.exe19⤵
- Executes dropped EXE
PID:1528 -
\??\c:\864404.exec:\864404.exe20⤵
- Executes dropped EXE
PID:2864 -
\??\c:\08400.exec:\08400.exe21⤵
- Executes dropped EXE
PID:2216 -
\??\c:\3bthnh.exec:\3bthnh.exe22⤵
- Executes dropped EXE
PID:2244 -
\??\c:\flxffxf.exec:\flxffxf.exe23⤵
- Executes dropped EXE
PID:888 -
\??\c:\tnhhnh.exec:\tnhhnh.exe24⤵
- Executes dropped EXE
PID:1664 -
\??\c:\04228.exec:\04228.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:940 -
\??\c:\nnhnth.exec:\nnhnth.exe26⤵
- Executes dropped EXE
PID:1248 -
\??\c:\2426622.exec:\2426622.exe27⤵
- Executes dropped EXE
PID:1040 -
\??\c:\bnhbnt.exec:\bnhbnt.exe28⤵
- Executes dropped EXE
PID:1344 -
\??\c:\w64400.exec:\w64400.exe29⤵
- Executes dropped EXE
PID:1620 -
\??\c:\2622884.exec:\2622884.exe30⤵
- Executes dropped EXE
PID:2180 -
\??\c:\42068.exec:\42068.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1928 -
\??\c:\vjvvd.exec:\vjvvd.exe32⤵
- Executes dropped EXE
PID:2208 -
\??\c:\xllflfl.exec:\xllflfl.exe33⤵
- Executes dropped EXE
PID:2312 -
\??\c:\s8028.exec:\s8028.exe34⤵
- Executes dropped EXE
PID:1964 -
\??\c:\u260484.exec:\u260484.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1552 -
\??\c:\q24000.exec:\q24000.exe36⤵
- Executes dropped EXE
PID:576 -
\??\c:\lflrrll.exec:\lflrrll.exe37⤵
- Executes dropped EXE
PID:2336 -
\??\c:\dvdjj.exec:\dvdjj.exe38⤵
- Executes dropped EXE
PID:2632 -
\??\c:\8240602.exec:\8240602.exe39⤵
- Executes dropped EXE
PID:2356 -
\??\c:\a4666.exec:\a4666.exe40⤵
- Executes dropped EXE
PID:2880 -
\??\c:\jvpvj.exec:\jvpvj.exe41⤵
- Executes dropped EXE
PID:2744 -
\??\c:\jdppp.exec:\jdppp.exe42⤵
- Executes dropped EXE
PID:2680 -
\??\c:\1dpdd.exec:\1dpdd.exe43⤵
- Executes dropped EXE
PID:2752 -
\??\c:\68066.exec:\68066.exe44⤵
- Executes dropped EXE
PID:1980 -
\??\c:\m4224.exec:\m4224.exe45⤵
- Executes dropped EXE
PID:2896 -
\??\c:\nttnnh.exec:\nttnnh.exe46⤵
- Executes dropped EXE
PID:2552 -
\??\c:\246288.exec:\246288.exe47⤵
- Executes dropped EXE
PID:2112 -
\??\c:\m4802.exec:\m4802.exe48⤵
- Executes dropped EXE
PID:2672 -
\??\c:\486682.exec:\486682.exe49⤵
- Executes dropped EXE
PID:3056 -
\??\c:\jdjpv.exec:\jdjpv.exe50⤵
- Executes dropped EXE
PID:3052 -
\??\c:\g2626.exec:\g2626.exe51⤵
- Executes dropped EXE
PID:1148 -
\??\c:\bntbbt.exec:\bntbbt.exe52⤵
- Executes dropped EXE
PID:860 -
\??\c:\vjddj.exec:\vjddj.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1140 -
\??\c:\xxxfffl.exec:\xxxfffl.exe54⤵
- Executes dropped EXE
PID:688 -
\??\c:\6406440.exec:\6406440.exe55⤵
- Executes dropped EXE
PID:2080 -
\??\c:\860622.exec:\860622.exe56⤵
- Executes dropped EXE
PID:544 -
\??\c:\ffrrxxl.exec:\ffrrxxl.exe57⤵
- Executes dropped EXE
PID:984 -
\??\c:\m2446.exec:\m2446.exe58⤵
- Executes dropped EXE
PID:2592 -
\??\c:\48280.exec:\48280.exe59⤵
- Executes dropped EXE
PID:748 -
\??\c:\8640284.exec:\8640284.exe60⤵
- Executes dropped EXE
PID:2420 -
\??\c:\862424.exec:\862424.exe61⤵
- Executes dropped EXE
PID:684 -
\??\c:\4600628.exec:\4600628.exe62⤵
- Executes dropped EXE
PID:2204 -
\??\c:\nbthhn.exec:\nbthhn.exe63⤵
- Executes dropped EXE
PID:1076 -
\??\c:\6862222.exec:\6862222.exe64⤵
- Executes dropped EXE
PID:1396 -
\??\c:\w28066.exec:\w28066.exe65⤵
- Executes dropped EXE
PID:2220 -
\??\c:\i020606.exec:\i020606.exe66⤵PID:2028
-
\??\c:\ntnnbb.exec:\ntnnbb.exe67⤵PID:608
-
\??\c:\xxffflx.exec:\xxffflx.exe68⤵PID:1844
-
\??\c:\c848488.exec:\c848488.exe69⤵PID:2400
-
\??\c:\8082888.exec:\8082888.exe70⤵PID:2904
-
\??\c:\0466606.exec:\0466606.exe71⤵PID:2232
-
\??\c:\48284.exec:\48284.exe72⤵PID:2944
-
\??\c:\hbnhbn.exec:\hbnhbn.exe73⤵PID:872
-
\??\c:\dvppd.exec:\dvppd.exe74⤵PID:852
-
\??\c:\httbnt.exec:\httbnt.exe75⤵PID:1272
-
\??\c:\a2006.exec:\a2006.exe76⤵PID:1540
-
\??\c:\e20002.exec:\e20002.exe77⤵
- System Location Discovery: System Language Discovery
PID:1236 -
\??\c:\hhbbtb.exec:\hhbbtb.exe78⤵PID:2480
-
\??\c:\4868446.exec:\4868446.exe79⤵PID:2360
-
\??\c:\vvpdv.exec:\vvpdv.exe80⤵PID:2632
-
\??\c:\7rllrxf.exec:\7rllrxf.exe81⤵PID:2404
-
\??\c:\0422888.exec:\0422888.exe82⤵PID:2100
-
\??\c:\1bhhhh.exec:\1bhhhh.exe83⤵PID:2816
-
\??\c:\dvdjp.exec:\dvdjp.exe84⤵PID:2656
-
\??\c:\0866284.exec:\0866284.exe85⤵PID:2668
-
\??\c:\u866824.exec:\u866824.exe86⤵PID:2852
-
\??\c:\86884.exec:\86884.exe87⤵PID:1980
-
\??\c:\044022.exec:\044022.exe88⤵PID:2564
-
\??\c:\o220224.exec:\o220224.exe89⤵PID:2552
-
\??\c:\frffxfl.exec:\frffxfl.exe90⤵PID:2112
-
\??\c:\tthtbh.exec:\tthtbh.exe91⤵PID:1120
-
\??\c:\26464.exec:\26464.exe92⤵PID:1712
-
\??\c:\tttbnn.exec:\tttbnn.exe93⤵PID:2848
-
\??\c:\c264664.exec:\c264664.exe94⤵PID:2844
-
\??\c:\htnbhn.exec:\htnbhn.exe95⤵PID:860
-
\??\c:\thnbnh.exec:\thnbnh.exe96⤵PID:1240
-
\??\c:\42604.exec:\42604.exe97⤵PID:264
-
\??\c:\5nbhhn.exec:\5nbhhn.exe98⤵PID:2456
-
\??\c:\4244600.exec:\4244600.exe99⤵PID:1988
-
\??\c:\4804040.exec:\4804040.exe100⤵PID:744
-
\??\c:\q60206.exec:\q60206.exe101⤵PID:2648
-
\??\c:\fxllffl.exec:\fxllffl.exe102⤵PID:2236
-
\??\c:\6646406.exec:\6646406.exe103⤵PID:900
-
\??\c:\djvvj.exec:\djvvj.exe104⤵PID:2224
-
\??\c:\204888.exec:\204888.exe105⤵PID:2188
-
\??\c:\s2062.exec:\s2062.exe106⤵PID:1664
-
\??\c:\9bbnhn.exec:\9bbnhn.exe107⤵PID:1736
-
\??\c:\60880.exec:\60880.exe108⤵PID:3012
-
\??\c:\206622.exec:\206622.exe109⤵PID:2440
-
\??\c:\464224.exec:\464224.exe110⤵PID:1344
-
\??\c:\5lfffll.exec:\5lfffll.exe111⤵PID:2332
-
\??\c:\4828062.exec:\4828062.exe112⤵PID:2948
-
\??\c:\xxfxlrx.exec:\xxfxlrx.exe113⤵PID:1752
-
\??\c:\dvpvd.exec:\dvpvd.exe114⤵PID:3020
-
\??\c:\20808.exec:\20808.exe115⤵PID:1296
-
\??\c:\lxrrxxx.exec:\lxrrxxx.exe116⤵PID:872
-
\??\c:\s8646.exec:\s8646.exe117⤵PID:2268
-
\??\c:\3bhhbt.exec:\3bhhbt.exe118⤵PID:1588
-
\??\c:\a6800.exec:\a6800.exe119⤵PID:1584
-
\??\c:\42684.exec:\42684.exe120⤵PID:2108
-
\??\c:\tnbhnn.exec:\tnbhnn.exe121⤵PID:576
-
\??\c:\1nbtbh.exec:\1nbtbh.exe122⤵PID:3004