Analysis
max time kernel: 93s
max time network: 121s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 19/12/2024, 00:18
Static task: static1
Behavioral task: behavioral1
Sample: 9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe
Resource: win7-20241010-en
General
Target: 9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe
Size: 453KB
MD5: 8a455a6a7bb854e7e369d5eb6ec931c5
SHA1: 06f45e7a87c7436b4332601af212dd7cd7d4c746
SHA256: 9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf
SHA512: 7c17fd0cce4f88854ea25251ec838c51616c4518b54e99265f27cef5ef7fdedeb6c9cf512efb08a502e756fa78232cb78f7f95400fd8aef3024251db603ff124
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbety:q7Tc2NYHUrAwfMp3CDty
Signatures
- Blackmoon family
- Detect Blackmoon payload (43 IoCs)
- Executes dropped EXE (64 IoCs)
  Memory regions of the dropped executables also matched the yara rule upx (UPX-packed).
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (nesting level, image path, PID, triggered signatures; each process spawns the next)
1. C:\Users\Admin\AppData\Local\Temp\9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe (PID 2956): System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
2. \??\c:\vpjvd.exe (PID 2108): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\0604426.exe (PID 2900): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\5rxflrx.exe (PID 1196): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\04246.exe (PID 2784): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\ffrfrxr.exe (PID 2644): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\048084.exe (PID 2616): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\486824.exe (PID 1616): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\0240284.exe (PID 2456): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\vjpjp.exe (PID 2416): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\rlxfrxf.exe (PID 2088): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\ttntht.exe (PID 2604): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\m0880.exe (PID 1100): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\8262880.exe (PID 3000): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\vpvvp.exe (PID 2856): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\pjdjj.exe (PID 2272): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\w82840.exe (PID 1304): Executes dropped EXE
18. \??\c:\8200220.exe (PID 1252): Executes dropped EXE
19. \??\c:\e48024.exe (PID 2600): Executes dropped EXE
20. \??\c:\86846.exe (PID 2364): Executes dropped EXE
21. \??\c:\2646842.exe (PID 588): Executes dropped EXE
22. \??\c:\pjdjp.exe (PID 776): Executes dropped EXE
23. \??\c:\jjvdj.exe (PID 2296): Executes dropped EXE; System Location Discovery: System Language Discovery
24. \??\c:\24280.exe (PID 1600): Executes dropped EXE
25. \??\c:\xxxfxlx.exe (PID 864): Executes dropped EXE
26. \??\c:\fxrxrxf.exe (PID 496): Executes dropped EXE
27. \??\c:\hhbhhn.exe (PID 2140): Executes dropped EXE
28. \??\c:\8202008.exe (PID 1596): Executes dropped EXE
29. \??\c:\hbnbbt.exe (PID 700): Executes dropped EXE
30. \??\c:\602806.exe (PID 892): Executes dropped EXE
31. \??\c:\4828442.exe (PID 2072): Executes dropped EXE
32. \??\c:\2262226.exe (PID 1580): Executes dropped EXE
33. \??\c:\vvpdd.exe (PID 756): Executes dropped EXE
34. \??\c:\vvpvp.exe (PID 2900): Executes dropped EXE
35. \??\c:\7fffrxr.exe (PID 3028): Executes dropped EXE
36. \??\c:\04242.exe (PID 2668): Executes dropped EXE
37. \??\c:\00026.exe (PID 2728): Executes dropped EXE
38. \??\c:\608428.exe (PID 2428): Executes dropped EXE
39. \??\c:\thnhbt.exe (PID 2968): Executes dropped EXE
40. \??\c:\204646.exe (PID 1200): Executes dropped EXE
41. \??\c:\222806.exe (PID 2176): Executes dropped EXE
42. \??\c:\824466.exe (PID 2268): Executes dropped EXE
43. \??\c:\lfflrfx.exe (PID 2836): Executes dropped EXE
44. \??\c:\9ppjd.exe (PID 2848): Executes dropped EXE
45. \??\c:\tntbht.exe (PID 3000): Executes dropped EXE
46. \??\c:\pjjpd.exe (PID 2244): Executes dropped EXE
47. \??\c:\k48084.exe (PID 548): Executes dropped EXE
48. \??\c:\1jvvv.exe (PID 484): Executes dropped EXE
49. \??\c:\6484280.exe (PID 1440): Executes dropped EXE
50. \??\c:\m2086.exe (PID 2688): Executes dropped EXE
51. \??\c:\xxrflxr.exe (PID 1792): Executes dropped EXE
52. \??\c:\9tbnht.exe (PID 1804): Executes dropped EXE
53. \??\c:\vvpdv.exe (PID 2496): Executes dropped EXE
54. \??\c:\664684.exe (PID 2304): Executes dropped EXE
55. \??\c:\7fxrrrf.exe (PID 1396): Executes dropped EXE
56. \??\c:\5lrfrxl.exe (PID 996): Executes dropped EXE
57. \??\c:\48020.exe (PID 948): Executes dropped EXE
58. \??\c:\m4242.exe (PID 1692): Executes dropped EXE
59. \??\c:\fxxflrl.exe (PID 2144): Executes dropped EXE
60. \??\c:\66648.exe (PID 2700): Executes dropped EXE
61. \??\c:\0424286.exe (PID 356): Executes dropped EXE
62. \??\c:\60884.exe (PID 2012): Executes dropped EXE
63. \??\c:\0400220.exe (PID 2156): Executes dropped EXE
64. \??\c:\608040.exe (PID 2004): Executes dropped EXE
65. \??\c:\q80240.exe (PID 1580): Executes dropped EXE
66. \??\c:\nnhnnn.exe (PID 2932)
67. \??\c:\i448000.exe (PID 2908)
68. \??\c:\ddvdp.exe (PID 2336)
69. \??\c:\2086406.exe (PID 2652)
70. \??\c:\22208.exe (PID 936)
71. \??\c:\826206.exe (PID 2740)
72. \??\c:\9hnthn.exe (PID 2056)
73. \??\c:\8042402.exe (PID 1676)
74. \??\c:\26080.exe (PID 2080)
75. \??\c:\3dvdj.exe (PID 2088)
76. \??\c:\3jjjv.exe (PID 2948)
77. \??\c:\pjppv.exe (PID 2984)
78. \??\c:\1jddp.exe (PID 2708)
79. \??\c:\btntbh.exe (PID 2380)
80. \??\c:\frfrxfr.exe (PID 2444)
81. \??\c:\7fxlrrf.exe (PID 2272)
82. \??\c:\864006.exe (PID 2076)
83. \??\c:\6462824.exe (PID 1304)
84. \??\c:\4424880.exe (PID 1052)
85. \??\c:\m4286.exe (PID 2340)
86. \??\c:\vvvjp.exe (PID 2940)
87. \??\c:\i084668.exe (PID 2736)
88. \??\c:\jdvvd.exe (PID 1148)
89. \??\c:\8202002.exe (PID 340)
90. \??\c:\9pjvp.exe (PID 2584)
91. \??\c:\00402.exe (PID 1600)
92. \??\c:\62826.exe (PID 844)
93. \??\c:\vvvjd.exe (PID 1684)
94. \??\c:\vvpdd.exe (PID 2564)
95. \??\c:\ppjpd.exe (PID 1980)
96. \??\c:\82624.exe (PID 1588): System Location Discovery: System Language Discovery
97. \??\c:\e88422.exe (PID 2016)
98. \??\c:\4808060.exe (PID 2316)
99. \??\c:\jdvdp.exe (PID 2956)
100. \??\c:\xxrxlxr.exe (PID 572)
101. \??\c:\i244668.exe (PID 2108)
102. \??\c:\26448.exe (PID 2656)
103. \??\c:\824084.exe (PID 2756): System Location Discovery: System Language Discovery
104. \??\c:\26402.exe (PID 2720)
105. \??\c:\048688.exe (PID 2692)
106. \??\c:\u084286.exe (PID 2224)
107. \??\c:\9pjpv.exe (PID 1864)
108. \??\c:\3ttnnt.exe (PID 1616)
109. \??\c:\048068.exe (PID 2868)
110. \??\c:\pvvpd.exe (PID 1412)
111. \??\c:\802282.exe (PID 2120)
112. \??\c:\a4846.exe (PID 2844)
113. \??\c:\1dddd.exe (PID 2772)
114. \??\c:\hbnbbb.exe (PID 3024)
115. \??\c:\fxlrxrx.exe (PID 1160)
116. \??\c:\7fxxffr.exe (PID 2856)
117. \??\c:\pjvvj.exe (PID 2244): System Location Discovery: System Language Discovery
118. \??\c:\202806.exe (PID 2840)
119. \??\c:\u462824.exe (PID 2272)
120. \??\c:\u206824.exe (PID 1940)
121. \??\c:\64668.exe (PID 320)
122. \??\c:\6402662.exe (PID 2600)