Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
19/12/2024, 06:30
Static task
static1
Behavioral task
behavioral1
Sample
eebd4f62226099e38ea29bfdaf68a0f35d61bad496e184355dd323c62f69de07.exe
Resource
win7-20241010-en
General
-
Target
eebd4f62226099e38ea29bfdaf68a0f35d61bad496e184355dd323c62f69de07.exe
-
Size
453KB
-
MD5
224254c1241c3dc4d29fbc533387d8a1
-
SHA1
419bb46a8bf377a71b35421c3d186949a1f3dc73
-
SHA256
eebd4f62226099e38ea29bfdaf68a0f35d61bad496e184355dd323c62f69de07
-
SHA512
77e85ae129be0b22d4a7779bd7fa80fc9a75b1b063a5e5ec08eb10ad9976f440b81026526dbf33f0b989e7abfe078f446bdaa8b647cb97533318b70992c6d6be
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/2608-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1536-31-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2164-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-44-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2944-57-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2772-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-77-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2804-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/676-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1872-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2988-171-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/284-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-239-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/524-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-303-0x0000000000270000-0x000000000029A000-memory.dmp family_blackmoon behavioral1/memory/2308-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-318-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2572-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-334-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2784-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-355-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2760-361-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2808-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1004-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/996-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1768-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-720-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1904-774-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1612-818-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-954-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2712-961-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/3036-980-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1004-994-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2220-1022-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-1237-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1868 xlrrrlx.exe 2572 7nbthn.exe 1536 xrlllxf.exe 2164 864006.exe 2944 thbhhh.exe 2772 04624.exe 2804 4688828.exe 2684 dvpdv.exe 2644 tttnnn.exe 1656 5pddj.exe 676 48208.exe 1964 rfxlxfr.exe 2868 228428.exe 1872 84842.exe 2984 e42222.exe 1396 u246402.exe 2988 7ddjd.exe 1556 48848.exe 2596 hnbnbn.exe 284 4224224.exe 2832 6860262.exe 1280 5vjpv.exe 3064 0862880.exe 604 vpjdd.exe 2160 g8068.exe 524 0806228.exe 2372 7jjdp.exe 864 042860.exe 2452 642460.exe 1600 ffxfrrl.exe 2408 bthnbt.exe 2728 lxllrrf.exe 2308 vpdjj.exe 1512 u244666.exe 2572 thtttt.exe 2784 3bbttn.exe 2912 fxrxxrx.exe 2776 btbbbh.exe 2652 vjvdd.exe 2760 046228.exe 2808 bntnhb.exe 1200 08464.exe 2700 nhhbhb.exe 3032 02822.exe 1704 1frrrll.exe 676 6800006.exe 1952 64602.exe 1964 xfrrrrx.exe 1632 nhntbh.exe 1916 42446.exe 1652 5rfxlrl.exe 2984 u422226.exe 1004 jdpjjv.exe 1412 tnbhhh.exe 1968 o828068.exe 1736 u680068.exe 1088 20606.exe 756 pdppd.exe 284 o488068.exe 556 7tbttt.exe 1920 s2862.exe 1616 xxrrfrx.exe 2044 86828.exe 952 3tnntb.exe -
resource yara_rule behavioral1/memory/2608-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/676-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-165-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/284-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/284-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/524-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-304-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2308-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1412-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/996-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1176-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-818-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-917-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-994-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/840-1008-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2220-1022-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-1059-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-1145-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0866268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxlflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c022606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c222408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8628846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 008468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w86666.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrflxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxlxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2608 wrote to memory of 1868 2608 eebd4f62226099e38ea29bfdaf68a0f35d61bad496e184355dd323c62f69de07.exe 31 PID 2608 wrote to memory of 1868 2608 eebd4f62226099e38ea29bfdaf68a0f35d61bad496e184355dd323c62f69de07.exe 31 PID 2608 wrote to memory of 1868 2608 eebd4f62226099e38ea29bfdaf68a0f35d61bad496e184355dd323c62f69de07.exe 31 PID 2608 wrote to memory of 1868 2608 eebd4f62226099e38ea29bfdaf68a0f35d61bad496e184355dd323c62f69de07.exe 31 PID 1868 wrote to memory of 2572 1868 xlrrrlx.exe 32 PID 1868 wrote to memory of 2572 1868 xlrrrlx.exe 32 PID 1868 wrote to memory of 2572 1868 xlrrrlx.exe 32 PID 1868 wrote to memory of 2572 1868 xlrrrlx.exe 32 PID 2572 wrote to memory of 1536 2572 7nbthn.exe 33 PID 2572 wrote to memory of 1536 2572 7nbthn.exe 33 PID 2572 wrote to memory of 1536 2572 7nbthn.exe 33 PID 2572 wrote to memory of 1536 2572 7nbthn.exe 33 PID 1536 wrote to memory of 2164 1536 xrlllxf.exe 34 PID 1536 wrote to memory of 2164 1536 xrlllxf.exe 34 PID 1536 wrote to memory of 2164 1536 xrlllxf.exe 34 PID 1536 wrote to memory of 2164 1536 xrlllxf.exe 34 PID 2164 wrote to memory of 2944 2164 864006.exe 35 PID 2164 wrote to memory of 2944 2164 864006.exe 35 PID 2164 wrote to memory of 2944 2164 864006.exe 35 PID 2164 wrote to memory of 2944 2164 864006.exe 35 PID 2944 wrote to memory of 2772 2944 thbhhh.exe 36 PID 2944 wrote to memory of 2772 2944 thbhhh.exe 36 PID 2944 wrote to memory of 2772 2944 thbhhh.exe 36 PID 2944 wrote to memory of 2772 2944 thbhhh.exe 36 PID 2772 wrote to memory of 2804 2772 04624.exe 37 PID 2772 wrote to memory of 2804 2772 04624.exe 37 PID 2772 wrote to memory of 2804 2772 04624.exe 37 PID 2772 wrote to memory of 2804 2772 04624.exe 37 PID 2804 wrote to memory of 2684 2804 4688828.exe 38 PID 2804 wrote to memory of 2684 2804 4688828.exe 38 PID 2804 wrote to memory of 2684 2804 4688828.exe 38 PID 2804 wrote to memory of 2684 2804 4688828.exe 38 PID 2684 wrote to memory of 2644 2684 dvpdv.exe 39 PID 
2684 wrote to memory of 2644 2684 dvpdv.exe 39 PID 2684 wrote to memory of 2644 2684 dvpdv.exe 39 PID 2684 wrote to memory of 2644 2684 dvpdv.exe 39 PID 2644 wrote to memory of 1656 2644 tttnnn.exe 40 PID 2644 wrote to memory of 1656 2644 tttnnn.exe 40 PID 2644 wrote to memory of 1656 2644 tttnnn.exe 40 PID 2644 wrote to memory of 1656 2644 tttnnn.exe 40 PID 1656 wrote to memory of 676 1656 5pddj.exe 41 PID 1656 wrote to memory of 676 1656 5pddj.exe 41 PID 1656 wrote to memory of 676 1656 5pddj.exe 41 PID 1656 wrote to memory of 676 1656 5pddj.exe 41 PID 676 wrote to memory of 1964 676 48208.exe 42 PID 676 wrote to memory of 1964 676 48208.exe 42 PID 676 wrote to memory of 1964 676 48208.exe 42 PID 676 wrote to memory of 1964 676 48208.exe 42 PID 1964 wrote to memory of 2868 1964 rfxlxfr.exe 43 PID 1964 wrote to memory of 2868 1964 rfxlxfr.exe 43 PID 1964 wrote to memory of 2868 1964 rfxlxfr.exe 43 PID 1964 wrote to memory of 2868 1964 rfxlxfr.exe 43 PID 2868 wrote to memory of 1872 2868 228428.exe 44 PID 2868 wrote to memory of 1872 2868 228428.exe 44 PID 2868 wrote to memory of 1872 2868 228428.exe 44 PID 2868 wrote to memory of 1872 2868 228428.exe 44 PID 1872 wrote to memory of 2984 1872 84842.exe 45 PID 1872 wrote to memory of 2984 1872 84842.exe 45 PID 1872 wrote to memory of 2984 1872 84842.exe 45 PID 1872 wrote to memory of 2984 1872 84842.exe 45 PID 2984 wrote to memory of 1396 2984 e42222.exe 46 PID 2984 wrote to memory of 1396 2984 e42222.exe 46 PID 2984 wrote to memory of 1396 2984 e42222.exe 46 PID 2984 wrote to memory of 1396 2984 e42222.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\eebd4f62226099e38ea29bfdaf68a0f35d61bad496e184355dd323c62f69de07.exe"C:\Users\Admin\AppData\Local\Temp\eebd4f62226099e38ea29bfdaf68a0f35d61bad496e184355dd323c62f69de07.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\xlrrrlx.exec:\xlrrrlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\7nbthn.exec:\7nbthn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\xrlllxf.exec:\xrlllxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\864006.exec:\864006.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\thbhhh.exec:\thbhhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\04624.exec:\04624.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\4688828.exec:\4688828.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\dvpdv.exec:\dvpdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\tttnnn.exec:\tttnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\5pddj.exec:\5pddj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\48208.exec:\48208.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\rfxlxfr.exec:\rfxlxfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\228428.exec:\228428.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\84842.exec:\84842.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\e42222.exec:\e42222.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\u246402.exec:\u246402.exe17⤵
- Executes dropped EXE
PID:1396 -
\??\c:\7ddjd.exec:\7ddjd.exe18⤵
- Executes dropped EXE
PID:2988 -
\??\c:\48848.exec:\48848.exe19⤵
- Executes dropped EXE
PID:1556 -
\??\c:\hnbnbn.exec:\hnbnbn.exe20⤵
- Executes dropped EXE
PID:2596 -
\??\c:\4224224.exec:\4224224.exe21⤵
- Executes dropped EXE
PID:284 -
\??\c:\6860262.exec:\6860262.exe22⤵
- Executes dropped EXE
PID:2832 -
\??\c:\5vjpv.exec:\5vjpv.exe23⤵
- Executes dropped EXE
PID:1280 -
\??\c:\0862880.exec:\0862880.exe24⤵
- Executes dropped EXE
PID:3064 -
\??\c:\vpjdd.exec:\vpjdd.exe25⤵
- Executes dropped EXE
PID:604 -
\??\c:\g8068.exec:\g8068.exe26⤵
- Executes dropped EXE
PID:2160 -
\??\c:\0806228.exec:\0806228.exe27⤵
- Executes dropped EXE
PID:524 -
\??\c:\7jjdp.exec:\7jjdp.exe28⤵
- Executes dropped EXE
PID:2372 -
\??\c:\042860.exec:\042860.exe29⤵
- Executes dropped EXE
PID:864 -
\??\c:\642460.exec:\642460.exe30⤵
- Executes dropped EXE
PID:2452 -
\??\c:\ffxfrrl.exec:\ffxfrrl.exe31⤵
- Executes dropped EXE
PID:1600 -
\??\c:\bthnbt.exec:\bthnbt.exe32⤵
- Executes dropped EXE
PID:2408 -
\??\c:\lxllrrf.exec:\lxllrrf.exe33⤵
- Executes dropped EXE
PID:2728 -
\??\c:\vpdjj.exec:\vpdjj.exe34⤵
- Executes dropped EXE
PID:2308 -
\??\c:\u244666.exec:\u244666.exe35⤵
- Executes dropped EXE
PID:1512 -
\??\c:\thtttt.exec:\thtttt.exe36⤵
- Executes dropped EXE
PID:2572 -
\??\c:\3bbttn.exec:\3bbttn.exe37⤵
- Executes dropped EXE
PID:2784 -
\??\c:\fxrxxrx.exec:\fxrxxrx.exe38⤵
- Executes dropped EXE
PID:2912 -
\??\c:\btbbbh.exec:\btbbbh.exe39⤵
- Executes dropped EXE
PID:2776 -
\??\c:\vjvdd.exec:\vjvdd.exe40⤵
- Executes dropped EXE
PID:2652 -
\??\c:\046228.exec:\046228.exe41⤵
- Executes dropped EXE
PID:2760 -
\??\c:\bntnhb.exec:\bntnhb.exe42⤵
- Executes dropped EXE
PID:2808 -
\??\c:\08464.exec:\08464.exe43⤵
- Executes dropped EXE
PID:1200 -
\??\c:\nhhbhb.exec:\nhhbhb.exe44⤵
- Executes dropped EXE
PID:2700 -
\??\c:\02822.exec:\02822.exe45⤵
- Executes dropped EXE
PID:3032 -
\??\c:\1frrrll.exec:\1frrrll.exe46⤵
- Executes dropped EXE
PID:1704 -
\??\c:\6800006.exec:\6800006.exe47⤵
- Executes dropped EXE
PID:676 -
\??\c:\64602.exec:\64602.exe48⤵
- Executes dropped EXE
PID:1952 -
\??\c:\xfrrrrx.exec:\xfrrrrx.exe49⤵
- Executes dropped EXE
PID:1964 -
\??\c:\nhntbh.exec:\nhntbh.exe50⤵
- Executes dropped EXE
PID:1632 -
\??\c:\42446.exec:\42446.exe51⤵
- Executes dropped EXE
PID:1916 -
\??\c:\5rfxlrl.exec:\5rfxlrl.exe52⤵
- Executes dropped EXE
PID:1652 -
\??\c:\u422226.exec:\u422226.exe53⤵
- Executes dropped EXE
PID:2984 -
\??\c:\jdpjjv.exec:\jdpjjv.exe54⤵
- Executes dropped EXE
PID:1004 -
\??\c:\tnbhhh.exec:\tnbhhh.exe55⤵
- Executes dropped EXE
PID:1412 -
\??\c:\o828068.exec:\o828068.exe56⤵
- Executes dropped EXE
PID:1968 -
\??\c:\u680068.exec:\u680068.exe57⤵
- Executes dropped EXE
PID:1736 -
\??\c:\20606.exec:\20606.exe58⤵
- Executes dropped EXE
PID:1088 -
\??\c:\pdppd.exec:\pdppd.exe59⤵
- Executes dropped EXE
PID:756 -
\??\c:\o488068.exec:\o488068.exe60⤵
- Executes dropped EXE
PID:284 -
\??\c:\7tbttt.exec:\7tbttt.exe61⤵
- Executes dropped EXE
PID:556 -
\??\c:\s2862.exec:\s2862.exe62⤵
- Executes dropped EXE
PID:1920 -
\??\c:\xxrrfrx.exec:\xxrrfrx.exe63⤵
- Executes dropped EXE
PID:1616 -
\??\c:\86828.exec:\86828.exe64⤵
- Executes dropped EXE
PID:2044 -
\??\c:\3tnntb.exec:\3tnntb.exe65⤵
- Executes dropped EXE
PID:952 -
\??\c:\422800.exec:\422800.exe66⤵PID:1680
-
\??\c:\pvjpd.exec:\pvjpd.exe67⤵PID:1044
-
\??\c:\202882.exec:\202882.exe68⤵PID:1032
-
\??\c:\486280.exec:\486280.exe69⤵PID:1628
-
\??\c:\822244.exec:\822244.exe70⤵PID:2208
-
\??\c:\1bnbhn.exec:\1bnbhn.exe71⤵PID:996
-
\??\c:\864464.exec:\864464.exe72⤵PID:1844
-
\??\c:\bnhtnb.exec:\bnhtnb.exe73⤵PID:2068
-
\??\c:\vpddj.exec:\vpddj.exe74⤵PID:2388
-
\??\c:\0424220.exec:\0424220.exe75⤵PID:2576
-
\??\c:\8640666.exec:\8640666.exe76⤵PID:984
-
\??\c:\86228.exec:\86228.exe77⤵PID:1812
-
\??\c:\64840.exec:\64840.exe78⤵PID:2568
-
\??\c:\60224.exec:\60224.exe79⤵PID:1300
-
\??\c:\9vpdd.exec:\9vpdd.exe80⤵PID:1536
-
\??\c:\822462.exec:\822462.exe81⤵PID:2920
-
\??\c:\rlflrxl.exec:\rlflrxl.exe82⤵PID:2176
-
\??\c:\08246.exec:\08246.exe83⤵PID:2916
-
\??\c:\i866824.exec:\i866824.exe84⤵PID:2240
-
\??\c:\8200606.exec:\8200606.exe85⤵PID:2760
-
\??\c:\bhttbt.exec:\bhttbt.exe86⤵PID:2812
-
\??\c:\5fxxrxx.exec:\5fxxrxx.exe87⤵PID:2780
-
\??\c:\bthttt.exec:\bthttt.exe88⤵PID:2456
-
\??\c:\pjdpv.exec:\pjdpv.exe89⤵PID:2696
-
\??\c:\bbhbhn.exec:\bbhbhn.exe90⤵PID:2084
-
\??\c:\q86206.exec:\q86206.exe91⤵PID:2952
-
\??\c:\42062.exec:\42062.exe92⤵PID:836
-
\??\c:\rlfxllf.exec:\rlfxllf.exe93⤵PID:2868
-
\??\c:\frrrrrr.exec:\frrrrrr.exe94⤵PID:1580
-
\??\c:\jvjpd.exec:\jvjpd.exe95⤵PID:1944
-
\??\c:\1nhhht.exec:\1nhhht.exe96⤵PID:2968
-
\??\c:\fxllxfl.exec:\fxllxfl.exe97⤵PID:1176
-
\??\c:\vpppv.exec:\vpppv.exe98⤵PID:2964
-
\??\c:\tnbhhn.exec:\tnbhhn.exe99⤵PID:1768
-
\??\c:\xrfllfr.exec:\xrfllfr.exe100⤵PID:2740
-
\??\c:\nhbhtt.exec:\nhbhtt.exe101⤵PID:236
-
\??\c:\424004.exec:\424004.exe102⤵PID:2596
-
\??\c:\bthnbb.exec:\bthnbb.exe103⤵PID:2268
-
\??\c:\c244422.exec:\c244422.exe104⤵PID:324
-
\??\c:\2028408.exec:\2028408.exe105⤵PID:1532
-
\??\c:\nbbbtt.exec:\nbbbtt.exe106⤵PID:1904
-
\??\c:\0046004.exec:\0046004.exe107⤵PID:2108
-
\??\c:\hbtttn.exec:\hbtttn.exe108⤵PID:768
-
\??\c:\i262446.exec:\i262446.exe109⤵PID:1468
-
\??\c:\3pppv.exec:\3pppv.exe110⤵PID:1464
-
\??\c:\046284.exec:\046284.exe111⤵PID:2260
-
\??\c:\686626.exec:\686626.exe112⤵PID:1032
-
\??\c:\vjjdj.exec:\vjjdj.exe113⤵PID:1612
-
\??\c:\rlxxrrr.exec:\rlxxrrr.exe114⤵PID:2208
-
\??\c:\084488.exec:\084488.exe115⤵PID:1460
-
\??\c:\k40828.exec:\k40828.exe116⤵PID:2556
-
\??\c:\9nhhnt.exec:\9nhhnt.exe117⤵PID:2408
-
\??\c:\thbhht.exec:\thbhht.exe118⤵PID:2544
-
\??\c:\vpdpj.exec:\vpdpj.exe119⤵PID:2308
-
\??\c:\864004.exec:\864004.exe120⤵PID:2536
-
\??\c:\462222.exec:\462222.exe121⤵PID:1512
-
\??\c:\5jdjd.exec:\5jdjd.exe122⤵PID:2496