Analysis
- max time kernel: 120s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2024, 16:00
Static task: static1
Behavioral task: behavioral1
Sample: 4378643caada1b3b62b3c15edf644ff3c8870a2ea0c122caecc639e8553a48e2.exe
Resource: win7-20240708-en
General
- Target: 4378643caada1b3b62b3c15edf644ff3c8870a2ea0c122caecc639e8553a48e2.exe
- Size: 454KB
- MD5: 28721825a0ddc521165ed2c08b3d04d6
- SHA1: a9aa4493550b4b1dffb483e460621ac4116a9e0d
- SHA256: 4378643caada1b3b62b3c15edf644ff3c8870a2ea0c122caecc639e8553a48e2
- SHA512: 89e6d461b3e2e322f8e002357a7f1b284f8332d1450ee7042d66b88ab348c0247cdaf6a3ecd7017b9d65e689786184c8b99bd120df1be20132e451a841e94640
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (48 IoCs)
- Executes dropped EXE (64 IoCs)
- UPX packed file (yara rule upx matched in the memory dumps of the dropped executables)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry is a child of the entry above it; the leading number is its depth in the process tree. Signatures triggered by a process follow its PID.

1. C:\Users\Admin\AppData\Local\Temp\4378643caada1b3b62b3c15edf644ff3c8870a2ea0c122caecc639e8553a48e2.exe (PID 3044): Suspicious use of WriteProcessMemory
2. c:\224626.exe (PID 2104): Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
3. c:\hthnnh.exe (PID 2804): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. c:\0288484.exe (PID 2176): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. c:\bntttn.exe (PID 2568): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. c:\thnntn.exe (PID 2264): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. c:\7bnhhh.exe (PID 2536): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. c:\8684044.exe (PID 2952): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. c:\864448.exe (PID 2548): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. c:\82446.exe (PID 408): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. c:\3djdd.exe (PID 1456): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. c:\pdpvd.exe (PID 2088): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. c:\68488.exe (PID 1088): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. c:\86602.exe (PID 2092): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. c:\xrxfrll.exe (PID 860): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. c:\0646660.exe (PID 536): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. c:\xfrxxrf.exe (PID 2348): Executes dropped EXE
18. c:\5pdjd.exe (PID 2164): Executes dropped EXE
19. c:\6022840.exe (PID 1936): Executes dropped EXE
20. c:\86866.exe (PID 2924): Executes dropped EXE
21. c:\0422880.exe (PID 1988): Executes dropped EXE
22. c:\206622.exe (PID 2320): Executes dropped EXE
23. c:\lrffffx.exe (PID 2140): Executes dropped EXE
24. c:\pjpvv.exe (PID 908): Executes dropped EXE
25. c:\bhthbn.exe (PID 1580): Executes dropped EXE
26. c:\202444.exe (PID 1660): Executes dropped EXE
27. c:\868400.exe (PID 2008): Executes dropped EXE
28. c:\864888.exe (PID 1748): Executes dropped EXE
29. c:\w62626.exe (PID 2572): Executes dropped EXE
30. c:\2640280.exe (PID 1072): Executes dropped EXE
31. c:\bnbnbb.exe (PID 2368): Executes dropped EXE
32. c:\k86628.exe (PID 1812): Executes dropped EXE
33. c:\3dpvv.exe (PID 584): Executes dropped EXE
34. c:\nbnnnh.exe (PID 2672): Executes dropped EXE
35. c:\e06464.exe (PID 2660): Executes dropped EXE
36. c:\flxxfff.exe (PID 2684): Executes dropped EXE
37. c:\tbhhnh.exe (PID 2780): Executes dropped EXE
38. c:\1nhhbh.exe (PID 2740): Executes dropped EXE
39. c:\pdjdv.exe (PID 2620): Executes dropped EXE
40. c:\bthbbb.exe (PID 2848): Executes dropped EXE
41. c:\q86620.exe (PID 2264): Executes dropped EXE
42. c:\xlrfxlx.exe (PID 2552): Executes dropped EXE
43. c:\5jddd.exe (PID 2576): Executes dropped EXE
44. c:\w08844.exe (PID 1156): Executes dropped EXE
45. c:\42402.exe (PID 2508): Executes dropped EXE
46. c:\824084.exe (PID 2444): Executes dropped EXE
47. c:\bhtnnb.exe (PID 1484): Executes dropped EXE
48. c:\680660.exe (PID 1456): Executes dropped EXE
49. c:\9thnhn.exe (PID 2088): Executes dropped EXE
50. c:\s2488.exe (PID 2172): Executes dropped EXE
51. c:\7xrffxx.exe (PID 1516): Executes dropped EXE
52. c:\vpjpv.exe (PID 2092): Executes dropped EXE
53. c:\42844.exe (PID 860): Executes dropped EXE
54. c:\pjppp.exe (PID 2152): Executes dropped EXE
55. c:\46866.exe (PID 2356): Executes dropped EXE
56. c:\lxfrxxl.exe (PID 2460): Executes dropped EXE
57. c:\468262.exe (PID 1740): Executes dropped EXE
58. c:\tnbbbt.exe (PID 1972): Executes dropped EXE
59. c:\pvpjj.exe (PID 1912): Executes dropped EXE
60. c:\pdjdd.exe (PID 3060): Executes dropped EXE
61. c:\c428068.exe (PID 1340): Executes dropped EXE
62. c:\7jvvd.exe (PID 2320): Executes dropped EXE
63. c:\202844.exe (PID 2384): Executes dropped EXE
64. c:\c244064.exe (PID 760): Executes dropped EXE
65. c:\642840.exe (PID 1536): Executes dropped EXE
66. c:\hththn.exe (PID 1768)
67. c:\7xffflx.exe (PID 1728)
68. c:\5bnbhh.exe (PID 2008)
69. c:\nhtbbt.exe (PID 1308)
70. c:\0468606.exe (PID 600)
71. c:\1thhnt.exe (PID 2468)
72. c:\60824.exe (PID 988)
73. c:\424062.exe (PID 2260)
74. c:\042466.exe (PID 1672)
75. c:\u240662.exe (PID 1800)
76. c:\nnhbhn.exe (PID 2816)
77. c:\lxllxfr.exe (PID 2776)
78. c:\frllrrf.exe (PID 2768)
79. c:\s4286.exe (PID 2804)
80. c:\3bhhhh.exe (PID 2856)
81. c:\9jvvv.exe (PID 2556)
82. c:\24288.exe (PID 2668)
83. c:\608406.exe (PID 2716)
84. c:\e02822.exe (PID 2608)
85. c:\8688828.exe (PID 2968)
86. c:\46884.exe (PID 2204)
87. c:\6804020.exe (PID 820)
88. c:\djppj.exe (PID 408)
89. c:\9xfllrr.exe (PID 112)
90. c:\lxlrflr.exe (PID 2236)
91. c:\9fllrff.exe (PID 1456)
92. c:\464404.exe (PID 2088)
93. c:\4240224.exe (PID 836)
94. c:\nthbtt.exe (PID 1496)
95. c:\9fffxxx.exe (PID 1136)
96. c:\lxlrxrx.exe (PID 1440)
97. c:\xrrxllf.exe (PID 1200)
98. c:\264462.exe (PID 1252)
99. c:\s6060.exe (PID 1524)
100. c:\464448.exe (PID 2492)
101. c:\2084602.exe (PID 1972)
102. c:\9nhnhn.exe (PID 2976)
103. c:\htttnn.exe (PID 1360)
104. c:\7hnnhh.exe (PID 960)
105. c:\jdjvp.exe (PID 1956)
106. c:\7rfflrr.exe (PID 496)
107. c:\nhhbnn.exe (PID 908)
108. c:\s6884.exe (PID 1580)
109. c:\8644000.exe (PID 2032)
110. c:\42222.exe (PID 2484)
111. c:\5rxxxxf.exe (PID 1728)
112. c:\4806228.exe (PID 568)
113. c:\dvjpv.exe (PID 2212)
114. c:\e68808.exe (PID 600)
115. c:\xlrrrrx.exe (PID 1612)
116. c:\q84482.exe (PID 1916)
117. c:\486240.exe (PID 2368)
118. c:\424444.exe (PID 876)
119. c:\4644446.exe (PID 2240)
120. c:\04840.exe (PID 1708)
121. c:\a8284.exe (PID 2676)
122. c:\4866848.exe (PID 2880)