Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
26/12/2024, 07:03
Static task
static1
Behavioral task
behavioral1
Sample
ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2.exe
Resource
win7-20240708-en
General
-
Target
ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2.exe
-
Size
453KB
-
MD5
0c53788155817112067cb4138c939994
-
SHA1
cfe7f043508c251d3ed88ef18cb7486eeaba31ea
-
SHA256
ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2
-
SHA512
7b8daca8f32909c6c335f8e0f270c0587e8e6eadc337b33ff73c894577f71110584ad8340526461f1e9db78b75215f9c7d980198419455bcb02e34205fe81c4f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule
behavioral1/memory/2476-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2072-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2376-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2328-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2164-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2704-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2820-70-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon
behavioral1/memory/2820-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2776-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2256-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2564-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2564-108-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon
behavioral1/memory/3020-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/836-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/1984-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/376-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2848-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2144-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/1088-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/1928-216-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon
behavioral1/memory/828-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/1928-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/828-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/1556-236-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon
behavioral1/memory/1520-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2216-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2216-278-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon
behavioral1/memory/2348-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/3044-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2800-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2720-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2692-363-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon
behavioral1/memory/2092-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2732-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2732-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/1680-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/1996-604-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon
behavioral1/memory/1996-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/1976-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/1152-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/1772-763-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon
behavioral1/memory/920-795-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon
behavioral1/memory/920-796-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/1648-815-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon
behavioral1/memory/1560-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2976-831-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2132-943-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon
behavioral1/memory/3028-968-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon
behavioral1/memory/1036-1327-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon
-
Executes dropped EXE 64 IoCs
pid Process
2376 48620.exe
2072 24822.exe
2328 200680.exe
2056 3vddj.exe
2164 w84406.exe
2704 nhnntt.exe
2820 02662.exe
2568 k02282.exe
2776 s8628.exe
2256 1dpvv.exe
2564 486644.exe
3020 6484002.exe
3036 pjvjp.exe
836 tbbbnn.exe
1984 5xxrlxr.exe
376 64666.exe
2860 xxrflrl.exe
816 5fflrrf.exe
2144 k60684.exe
2848 vpjvj.exe
1088 7lfxxxf.exe
1796 nhhntb.exe
1928 6608068.exe
828 82400.exe
1556 668040.exe
1520 dvpvp.exe
952 c202064.exe
1736 hbhhnt.exe
2280 6028006.exe
2216 lfrxfff.exe
2424 k64400.exe
1200 i022622.exe
2348 q06222.exe
1600 088226.exe
2072 c644040.exe
2372 7bntbh.exe
1096 jdpdp.exe
2056 886844.exe
3044 0006222.exe
2800 608800.exe
2720 xlxxxxf.exe
2692 c466662.exe
2780 7pjjp.exe
2756 rfxfllx.exe
2824 86466.exe
2560 9htttt.exe
2636 hbbhtt.exe
1976 jpdjj.exe
2092 866284.exe
2732 806800.exe
2472 lfffrrr.exe
2108 rrlfxrl.exe
1160 vdjdp.exe
2548 08000.exe
1908 26428.exe
3016 hhbhnn.exe
2240 nhbbnn.exe
2916 26406.exe
1480 202884.exe
1080 o640602.exe
1136 868860.exe
1680 642840.exe
1360 thnnbt.exe
1860 646280.exe
-
resource yara_rule
behavioral1/memory/2476-0-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2072-19-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2376-16-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2056-36-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2328-35-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2164-53-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2704-61-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2820-72-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2776-89-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2256-99-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2564-109-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/3020-118-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/836-135-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1984-144-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/376-146-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/376-154-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2848-182-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2144-179-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1088-197-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1796-199-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/828-220-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1928-218-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/828-227-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1520-245-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2216-280-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2348-297-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1600-304-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/3044-342-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2800-343-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2720-356-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2780-364-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1976-396-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2092-409-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2732-410-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2732-417-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1680-492-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2236-523-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2296-561-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1604-578-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1996-597-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1996-605-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1976-673-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1152-686-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1488-700-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2452-725-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1660-750-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/920-796-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2280-817-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1560-832-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2976-831-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1748-897-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2596-904-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2580-924-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1984-977-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1852-1062-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1560-1105-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2096-1124-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2944-1167-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1312-1216-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/836-1229-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1688-1242-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1036-1327-0x0000000000320000-0x000000000034A000-memory.dmp upx
behavioral1/memory/1520-1328-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/560-1341-0x0000000000400000-0x000000000042A000-memory.dmp upx
-
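The 49 family hits and 64 UPX hits above are easier to reason about per process than as a flat list: every matched region, whether the loaded image at 0x400000 or a second mapping such as 0x1C50000 in PID 2820, spans exactly 0x2A000 bytes (172,032), so the rule is finding the same image-sized payload wherever a process has copied it. The script below is an added example for this page, not code from the report or from tria.ge. It parses hit strings in the report's own `behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>` format (SAMPLE_HITS is a constructed subset copied verbatim from the two lists above), groups them by PID and region, and reports which rules agreed on which region. One practitioner caveat the sizes raise: the mapped image is 172 KB while the file on disk is 453 KB, so the file is worth checking for an overlay before the UPX label is taken as the whole story.

```python
"""Summarise sandbox YARA memory hits per process and region.

Added example for this report page; not part of the report or of tria.ge.
SAMPLE_HITS is a subset of the hit strings listed in the report, copied as-is.
"""
import re
from collections import defaultdict

# behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
HIT_RE = re.compile(
    r"behavioral1/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\w+)"
)

# Constructed sample: eight of the report's own hit strings.
SAMPLE_HITS = """
behavioral1/memory/2476-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2820-70-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon
behavioral1/memory/2820-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2564-108-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon
behavioral1/memory/2564-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2476-0-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2820-72-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2564-109-0x0000000000400000-0x000000000042A000-memory.dmp upx
"""


def parse_hits(text):
    """Return one dict per hit: pid, seq, start, end, size (bytes), rule."""
    hits = []
    for m in HIT_RE.finditer(text):
        start, end = int(m["start"], 16), int(m["end"], 16)
        hits.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                     "start": start, "end": end, "size": end - start,
                     "rule": m["rule"]})
    return hits


def region_sizes(hits):
    """Distinct sizes of the matched regions. A single value means every
    hit, image or not, is a mapping of the same image-sized payload."""
    return sorted({h["size"] for h in hits})


def rules_by_region(hits):
    """(pid, region start) -> set of rule names that fired on that region."""
    out = defaultdict(set)
    for h in hits:
        out[(h["pid"], h["start"])].add(h["rule"])
    return dict(out)


def pids_with_extra_mapping(hits, image_base=0x400000):
    """PIDs where a rule matched the loaded image at image_base *and* a
    second region, i.e. the payload exists outside the mapped module too."""
    bases = defaultdict(set)
    for h in hits:
        bases[h["pid"]].add(h["start"])
    return sorted(pid for pid, b in bases.items()
                  if image_base in b and len(b) > 1)


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_HITS)
    print("region sizes:", [hex(s) for s in region_sizes(hits)])
    print("PIDs with a second mapping:", pids_with_extra_mapping(hits))
    for (pid, start), rules in sorted(rules_by_region(hits).items()):
        print(f"pid {pid} @ {start:#x}: {sorted(rules)}")
```

On the subset above both rules agree on every image-base region, while the second mappings (0x1C50000 in PID 2820, 0x3A0000 in PID 2564) carry only the family rule; over the full lists the UPX rule also fires once on a non-image region (PID 1036 at 0x320000), so the function output, not the subset, should drive any conclusion.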
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btnnt.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08668.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2084002.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbnbh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvdj.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4802.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 602288.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48006.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddjp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o066666.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnthn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q20028.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k02282.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200680.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6424624.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o040668.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264440.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424888.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrffxrx.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08280.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48680.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2476 wrote to memory of 2376 2476 ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2.exe 30 (4 identical records)
PID 2376 wrote to memory of 2072 2376 48620.exe 31 (4 identical records)
PID 2072 wrote to memory of 2328 2072 24822.exe 32 (4 identical records)
PID 2328 wrote to memory of 2056 2328 200680.exe 33 (4 identical records)
PID 2056 wrote to memory of 2164 2056 3vddj.exe 34 (4 identical records)
PID 2164 wrote to memory of 2704 2164 w84406.exe 35 (4 identical records)
PID 2704 wrote to memory of 2820 2704 nhnntt.exe 36 (4 identical records)
PID 2820 wrote to memory of 2568 2820 02662.exe 37 (4 identical records)
PID 2568 wrote to memory of 2776 2568 k02282.exe 38 (4 identical records)
PID 2776 wrote to memory of 2256 2776 s8628.exe 39 (4 identical records)
PID 2256 wrote to memory of 2564 2256 1dpvv.exe 40 (4 identical records)
PID 2564 wrote to memory of 3020 2564 486644.exe 41 (4 identical records)
PID 3020 wrote to memory of 3036 3020 6484002.exe 42 (4 identical records)
PID 3036 wrote to memory of 836 3036 pjvjp.exe 43 (4 identical records)
PID 836 wrote to memory of 1984 836 tbbbnn.exe 44 (4 identical records)
PID 1984 wrote to memory of 376 1984 5xxrlxr.exe 45 (4 identical records)
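The dropped-EXE list, the language-key records and the WriteProcessMemory records above describe one behaviour from three angles: each dropped executable sits in the root of C:, opens the NLS\Language key, and spawns exactly one successor, and the process tree that follows runs 122 levels deep. The four identical "wrote to memory" records per child are consistent with ordinary process creation on this platform (the parent populating the new process before it runs), so the depth and regularity of the chain is the signal, not the WriteProcessMemory count. Two caveats for anyone correlating these records: PIDs are reused within the run (2072 and 2056 each appear twice in the dropped-EXE list), so key on (PID, image) rather than PID alone; and the "Process not Found" entries are language-key opens the sandbox could not attribute, so a per-process count from this list is a lower bound. The script below is an added example, not the report's or tria.ge's code. It collapses the write records into spawn edges, follows the chain, lists which images opened NLS\Language, and matches names against a pattern generalised from every process name in this run (an optional odd-valued single character, then only even digits or only even-positioned letters, never mixed). That pattern is an assumption about this run, not a documented family trait. SAMPLE_WRITES and SAMPLE_KEYS are constructed subsets copied from the lists above.

```python
"""Rebuild the spawn chain and the language-key readers from report records.

Added example for this report page; not part of the report or of tria.ge.
SAMPLE_WRITES and SAMPLE_KEYS are copied from the report's records; NAME_RE is
an assumption generalised from the process names seen in this run.
"""
import re

# "PID <parent> wrote to memory of <child> <parent> <parent image> <target index>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
# "Key opened \REGISTRY\...\NLS\Language <image>" or "... Process not Found"
LANG_RE = re.compile(
    r"Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language "
    r"(Process not Found|\S+)")
# Naming scheme observed in this run (assumption, not a documented trait):
# optional odd-valued prefix (1,3,5,7,9 or a,c,e,...,y), then a body of only
# even digits (0,2,4,6,8) or only even-positioned letters (b,d,f,...,x,z).
NAME_RE = re.compile(r"^(?:[13579]?[bdfhjlnprtvxz]+|[acegikmoqsuwy]?[02468]+)\.exe$")

# Constructed sample: the first three spawns, each with its four write records.
SAMPLE_WRITES = """
PID 2476 wrote to memory of 2376 2476 ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2.exe 30
PID 2476 wrote to memory of 2376 2476 ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2.exe 30
PID 2476 wrote to memory of 2376 2476 ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2.exe 30
PID 2476 wrote to memory of 2376 2476 ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2.exe 30
PID 2376 wrote to memory of 2072 2376 48620.exe 31
PID 2376 wrote to memory of 2072 2376 48620.exe 31
PID 2376 wrote to memory of 2072 2376 48620.exe 31
PID 2376 wrote to memory of 2072 2376 48620.exe 31
PID 2072 wrote to memory of 2328 2072 24822.exe 32
PID 2072 wrote to memory of 2328 2072 24822.exe 32
PID 2072 wrote to memory of 2328 2072 24822.exe 32
PID 2072 wrote to memory of 2328 2072 24822.exe 32
"""

# Constructed sample: four of the report's language-key records.
SAMPLE_KEYS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btnnt.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k02282.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200680.exe
"""


def parse_spawn_edges(text):
    """parent pid -> (parent image, [child pids]). The repeated writes that a
    single CreateProcess produces collapse to one edge per child."""
    edges = {}
    for parent, child, image in WRITE_RE.findall(text):
        parent, child = int(parent), int(child)
        _, kids = edges.setdefault(parent, (image, []))
        if child not in kids:
            kids.append(child)
    return edges


def spawn_chain(edges, root):
    """Follow single-child spawns from root; stops at a fan-out or a leaf."""
    chain, pid = [root], root
    while pid in edges and len(edges[pid][1]) == 1:
        pid = edges[pid][1][0]
        chain.append(pid)
    return chain


def generated_names(names):
    """Names that fit the scheme observed in this run (case-insensitive)."""
    return [n for n in names if NAME_RE.match(n.lower())]


def language_readers(text):
    """Images that opened the NLS\\Language key; unattributed entries dropped."""
    return sorted({p for p in LANG_RE.findall(text) if p != "Process not Found"})


if __name__ == "__main__":
    edges = parse_spawn_edges(SAMPLE_WRITES)
    chain = spawn_chain(edges, 2476)
    print("spawn chain:", " -> ".join(map(str, chain)), f"(depth {len(chain)})")
    print("opened NLS\\Language:", language_readers(SAMPLE_KEYS))
    print("scheme matches:", generated_names([img for img, _ in edges.values()]))
```

Run against the full record lists the chain function reaches the 17 PIDs the 64 write records cover; the report's process tree shows the same pattern continuing to level 122, which is the number a hunting query on process-creation telemetry should look for (a long single-child chain of same-sized executables in C:\), rather than any one of the file names.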
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2.exe"C:\Users\Admin\AppData\Local\Temp\ac63aaed33061df59d1d63b7c7d5e23f819c32317d97a76f07e43560bb9276d2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\48620.exec:\48620.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\24822.exec:\24822.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\200680.exec:\200680.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\3vddj.exec:\3vddj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\w84406.exec:\w84406.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\nhnntt.exec:\nhnntt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\02662.exec:\02662.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\k02282.exec:\k02282.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\s8628.exec:\s8628.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\1dpvv.exec:\1dpvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\486644.exec:\486644.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\6484002.exec:\6484002.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\pjvjp.exec:\pjvjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\tbbbnn.exec:\tbbbnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\5xxrlxr.exec:\5xxrlxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\64666.exec:\64666.exe17⤵
- Executes dropped EXE
PID:376 -
\??\c:\xxrflrl.exec:\xxrflrl.exe18⤵
- Executes dropped EXE
PID:2860 -
\??\c:\5fflrrf.exec:\5fflrrf.exe19⤵
- Executes dropped EXE
PID:816 -
\??\c:\k60684.exec:\k60684.exe20⤵
- Executes dropped EXE
PID:2144 -
\??\c:\vpjvj.exec:\vpjvj.exe21⤵
- Executes dropped EXE
PID:2848 -
\??\c:\7lfxxxf.exec:\7lfxxxf.exe22⤵
- Executes dropped EXE
PID:1088 -
\??\c:\nhhntb.exec:\nhhntb.exe23⤵
- Executes dropped EXE
PID:1796 -
\??\c:\6608068.exec:\6608068.exe24⤵
- Executes dropped EXE
PID:1928 -
\??\c:\82400.exec:\82400.exe25⤵
- Executes dropped EXE
PID:828 -
\??\c:\668040.exec:\668040.exe26⤵
- Executes dropped EXE
PID:1556 -
\??\c:\dvpvp.exec:\dvpvp.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1520 -
\??\c:\c202064.exec:\c202064.exe28⤵
- Executes dropped EXE
PID:952 -
\??\c:\hbhhnt.exec:\hbhhnt.exe29⤵
- Executes dropped EXE
PID:1736 -
\??\c:\6028006.exec:\6028006.exe30⤵
- Executes dropped EXE
PID:2280 -
\??\c:\lfrxfff.exec:\lfrxfff.exe31⤵
- Executes dropped EXE
PID:2216 -
\??\c:\k64400.exec:\k64400.exe32⤵
- Executes dropped EXE
PID:2424 -
\??\c:\i022622.exec:\i022622.exe33⤵
- Executes dropped EXE
PID:1200 -
\??\c:\q06222.exec:\q06222.exe34⤵
- Executes dropped EXE
PID:2348 -
\??\c:\088226.exec:\088226.exe35⤵
- Executes dropped EXE
PID:1600 -
\??\c:\c644040.exec:\c644040.exe36⤵
- Executes dropped EXE
PID:2072 -
\??\c:\7bntbh.exec:\7bntbh.exe37⤵
- Executes dropped EXE
PID:2372 -
\??\c:\jdpdp.exec:\jdpdp.exe38⤵
- Executes dropped EXE
PID:1096 -
\??\c:\886844.exec:\886844.exe39⤵
- Executes dropped EXE
PID:2056 -
\??\c:\0006222.exec:\0006222.exe40⤵
- Executes dropped EXE
PID:3044 -
\??\c:\608800.exec:\608800.exe41⤵
- Executes dropped EXE
PID:2800 -
\??\c:\xlxxxxf.exec:\xlxxxxf.exe42⤵
- Executes dropped EXE
PID:2720 -
\??\c:\c466662.exec:\c466662.exe43⤵
- Executes dropped EXE
PID:2692 -
\??\c:\7pjjp.exec:\7pjjp.exe44⤵
- Executes dropped EXE
PID:2780 -
\??\c:\rfxfllx.exec:\rfxfllx.exe45⤵
- Executes dropped EXE
PID:2756 -
\??\c:\86466.exec:\86466.exe46⤵
- Executes dropped EXE
PID:2824 -
\??\c:\9htttt.exec:\9htttt.exe47⤵
- Executes dropped EXE
PID:2560 -
\??\c:\hbbhtt.exec:\hbbhtt.exe48⤵
- Executes dropped EXE
PID:2636 -
\??\c:\jpdjj.exec:\jpdjj.exe49⤵
- Executes dropped EXE
PID:1976 -
\??\c:\866284.exec:\866284.exe50⤵
- Executes dropped EXE
PID:2092 -
\??\c:\806800.exec:\806800.exe51⤵
- Executes dropped EXE
PID:2732 -
\??\c:\lfffrrr.exec:\lfffrrr.exe52⤵
- Executes dropped EXE
PID:2472 -
\??\c:\rrlfxrl.exec:\rrlfxrl.exe53⤵
- Executes dropped EXE
PID:2108 -
\??\c:\vdjdp.exec:\vdjdp.exe54⤵
- Executes dropped EXE
PID:1160 -
\??\c:\08000.exec:\08000.exe55⤵
- Executes dropped EXE
PID:2548 -
\??\c:\26428.exec:\26428.exe56⤵
- Executes dropped EXE
PID:1908 -
\??\c:\hhbhnn.exec:\hhbhnn.exe57⤵
- Executes dropped EXE
PID:3016 -
\??\c:\nhbbnn.exec:\nhbbnn.exe58⤵
- Executes dropped EXE
PID:2240 -
\??\c:\26406.exec:\26406.exe59⤵
- Executes dropped EXE
PID:2916 -
\??\c:\202884.exec:\202884.exe60⤵
- Executes dropped EXE
PID:1480 -
\??\c:\o640602.exec:\o640602.exe61⤵
- Executes dropped EXE
PID:1080 -
\??\c:\868860.exec:\868860.exe62⤵
- Executes dropped EXE
PID:1136 -
\??\c:\642840.exec:\642840.exe63⤵
- Executes dropped EXE
PID:1680 -
\??\c:\thnnbt.exec:\thnnbt.exe64⤵
- Executes dropped EXE
PID:1360 -
\??\c:\646280.exec:\646280.exe65⤵
- Executes dropped EXE
PID:1860 -
\??\c:\htbbnt.exec:\htbbnt.exe66⤵PID:2088
-
\??\c:\rrffxrx.exec:\rrffxrx.exe67⤵
- System Location Discovery: System Language Discovery
PID:1036 -
\??\c:\w46682.exec:\w46682.exe68⤵PID:916
-
\??\c:\08446.exec:\08446.exe69⤵PID:2236
-
\??\c:\w82240.exec:\w82240.exe70⤵PID:952
-
\??\c:\46600.exec:\46600.exe71⤵PID:1736
-
\??\c:\fxlflfl.exec:\fxlflfl.exe72⤵PID:2448
-
\??\c:\42682.exec:\42682.exe73⤵PID:2188
-
\??\c:\208006.exec:\208006.exe74⤵PID:992
-
\??\c:\1vppv.exec:\1vppv.exe75⤵PID:2296
-
\??\c:\m8006.exec:\m8006.exe76⤵PID:2524
-
\??\c:\pdpvp.exec:\pdpvp.exe77⤵PID:2324
-
\??\c:\0266484.exec:\0266484.exe78⤵PID:1604
-
\??\c:\5rllxlr.exec:\5rllxlr.exe79⤵PID:2196
-
\??\c:\q40640.exec:\q40640.exe80⤵PID:2008
-
\??\c:\u040062.exec:\u040062.exe81⤵PID:1996
-
\??\c:\0848880.exec:\0848880.exe82⤵PID:2456
-
\??\c:\486244.exec:\486244.exe83⤵PID:2688
-
\??\c:\02286.exec:\02286.exe84⤵PID:1748
-
\??\c:\1nbttt.exec:\1nbttt.exe85⤵PID:2796
-
\??\c:\lrflrrx.exec:\lrflrrx.exe86⤵PID:2808
-
\??\c:\o640224.exec:\o640224.exe87⤵PID:2908
-
\??\c:\nhbnhh.exec:\nhbnhh.exe88⤵PID:2568
-
\??\c:\htntbt.exec:\htntbt.exe89⤵PID:2756
-
\??\c:\xxxrxxx.exec:\xxxrxxx.exe90⤵PID:2824
-
\??\c:\240400.exec:\240400.exe91⤵PID:2592
-
\??\c:\xrllrxl.exec:\xrllrxl.exe92⤵PID:1312
-
\??\c:\20628.exec:\20628.exe93⤵PID:1976
-
\??\c:\ttnnbh.exec:\ttnnbh.exe94⤵PID:1152
-
\??\c:\6422006.exec:\6422006.exe95⤵PID:580
-
\??\c:\nbnnnt.exec:\nbnnnt.exe96⤵PID:1484
-
\??\c:\e08466.exec:\e08466.exe97⤵PID:1488
-
\??\c:\dvpjp.exec:\dvpjp.exe98⤵PID:2740
-
\??\c:\pdvvd.exec:\pdvvd.exe99⤵PID:1764
-
\??\c:\o828066.exec:\o828066.exe100⤵PID:2996
-
\??\c:\268662.exec:\268662.exe101⤵PID:2452
-
\??\c:\bbttbb.exec:\bbttbb.exe102⤵PID:2152
-
\??\c:\thbbhh.exec:\thbbhh.exe103⤵PID:1740
-
\??\c:\864066.exec:\864066.exe104⤵PID:2364
-
\??\c:\jdpdj.exec:\jdpdj.exe105⤵PID:1660
-
\??\c:\jvpvd.exec:\jvpvd.exe106⤵PID:1772
-
\??\c:\2424280.exec:\2424280.exe107⤵PID:1616
-
\??\c:\4822880.exec:\4822880.exe108⤵PID:2460
-
\??\c:\nbhhnh.exec:\nbhhnh.exe109⤵PID:1860
-
\??\c:\862226.exec:\862226.exe110⤵PID:1532
-
\??\c:\20666.exec:\20666.exe111⤵PID:920
-
\??\c:\fxlrllr.exec:\fxlrllr.exe112⤵PID:1564
-
\??\c:\080228.exec:\080228.exe113⤵PID:2420
-
\??\c:\hthhnn.exec:\hthhnn.exe114⤵PID:1648
-
\??\c:\0822886.exec:\0822886.exe115⤵PID:2280
-
\??\c:\nnthnt.exec:\nnthnt.exe116⤵PID:2976
-
\??\c:\486480.exec:\486480.exe117⤵PID:1560
-
\??\c:\bbtbhb.exec:\bbtbhb.exe118⤵PID:2296
-
\??\c:\xrfflfr.exec:\xrfflfr.exe119⤵PID:1612
-
\??\c:\4228286.exec:\4228286.exe120⤵PID:3048
-
\??\c:\6084620.exec:\6084620.exe121⤵PID:2512
-
\??\c:\tnnthn.exec:\tnnthn.exe122⤵PID:2840