Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2024, 08:52
Static task: static1
Behavioral task: behavioral1
Sample: 0133713d9204f84a60a659f38475bacdb7065b044b3761abb7d3454ff525d25aN.exe
Resource: win7-20241010-en
General
- Target: 0133713d9204f84a60a659f38475bacdb7065b044b3761abb7d3454ff525d25aN.exe
- Size: 454KB
- MD5: 629defa4bcf66356e793625c7d722560
- SHA1: 9df3013825736b9dd22cbf9a201b5978bcb881d3
- SHA256: 0133713d9204f84a60a659f38475bacdb7065b044b3761abb7d3454ff525d25a
- SHA512: 6bac988a91b5ad56f82276b8872dff0d1b9703f1a60a9896b5056a0f98519ef5f03e6e4de5230c55ba671dd6b71b4909602a8209edcc0e8e9ec4ae147b1f9544
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeF:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (47 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Columns: depth in the process tree | image path | command line | PID | signatures triggered. Depth increases by one per entry, so each process is the child of the entry listed immediately before it.
1 | C:\Users\Admin\AppData\Local\Temp\0133713d9204f84a60a659f38475bacdb7065b044b3761abb7d3454ff525d25aN.exe | "C:\Users\Admin\AppData\Local\Temp\0133713d9204f84a60a659f38475bacdb7065b044b3761abb7d3454ff525d25aN.exe" | PID 2440 | Suspicious use of WriteProcessMemory
2 | \??\c:\480022.exe | c:\480022.exe | PID 2120 | Executes dropped EXE; Suspicious use of WriteProcessMemory
3 | \??\c:\204022.exe | c:\204022.exe | PID 1712 | Executes dropped EXE; Suspicious use of WriteProcessMemory
4 | \??\c:\86880.exe | c:\86880.exe | PID 1632 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5 | \??\c:\i866880.exe | c:\i866880.exe | PID 2820 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6 | \??\c:\ppjpj.exe | c:\ppjpj.exe | PID 2972 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7 | \??\c:\42002.exe | c:\42002.exe | PID 2984 | Executes dropped EXE; Suspicious use of WriteProcessMemory
8 | \??\c:\pvjpv.exe | c:\pvjpv.exe | PID 2968 | Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | \??\c:\826222.exe | c:\826222.exe | PID 848 | Executes dropped EXE; Suspicious use of WriteProcessMemory
10 | \??\c:\xxrfrrf.exe | c:\xxrfrrf.exe | PID 2680 | Executes dropped EXE; Suspicious use of WriteProcessMemory
11 | \??\c:\vpvdj.exe | c:\vpvdj.exe | PID 2356 | Executes dropped EXE; Suspicious use of WriteProcessMemory
12 | \??\c:\26884.exe | c:\26884.exe | PID 2572 | Executes dropped EXE; Suspicious use of WriteProcessMemory
13 | \??\c:\dpppp.exe | c:\dpppp.exe | PID 3032 | Executes dropped EXE; Suspicious use of WriteProcessMemory
14 | \??\c:\08286.exe | c:\08286.exe | PID 1180 | Executes dropped EXE; Suspicious use of WriteProcessMemory
15 | \??\c:\824428.exe | c:\824428.exe | PID 1684 | Executes dropped EXE; Suspicious use of WriteProcessMemory
16 | \??\c:\xrfflrf.exe | c:\xrfflrf.exe | PID 2888 | Executes dropped EXE; Suspicious use of WriteProcessMemory
17 | \??\c:\m2280.exe | c:\m2280.exe | PID 1128 | Executes dropped EXE
18 | \??\c:\642840.exe | c:\642840.exe | PID 792 | Executes dropped EXE
19 | \??\c:\hhbhhn.exe | c:\hhbhhn.exe | PID 2496 | Executes dropped EXE
20 | \??\c:\vpjjp.exe | c:\vpjjp.exe | PID 2204 | Executes dropped EXE
21 | \??\c:\260244.exe | c:\260244.exe | PID 288 | Executes dropped EXE
22 | \??\c:\4244268.exe | c:\4244268.exe | PID 1708 | Executes dropped EXE
23 | \??\c:\20024.exe | c:\20024.exe | PID 1976 | Executes dropped EXE
24 | \??\c:\xxlrxfl.exe | c:\xxlrxfl.exe | PID 2028 | Executes dropped EXE
25 | \??\c:\rlffrrl.exe | c:\rlffrrl.exe | PID 2476 | Executes dropped EXE; System Location Discovery: System Language Discovery
26 | \??\c:\e64400.exe | c:\e64400.exe | PID 2484 | Executes dropped EXE
27 | \??\c:\604022.exe | c:\604022.exe | PID 904 | Executes dropped EXE
28 | \??\c:\btbbbh.exe | c:\btbbbh.exe | PID 2504 | Executes dropped EXE
29 | \??\c:\02884.exe | c:\02884.exe | PID 2144 | Executes dropped EXE
30 | \??\c:\k86626.exe | c:\k86626.exe | PID 2288 | Executes dropped EXE
31 | \??\c:\82884.exe | c:\82884.exe | PID 2388 | Executes dropped EXE
32 | \??\c:\42402.exe | c:\42402.exe | PID 1308 | Executes dropped EXE; System Location Discovery: System Language Discovery
33 | \??\c:\rlxfflf.exe | c:\rlxfflf.exe | PID 2428 | Executes dropped EXE
34 | \??\c:\868466.exe | c:\868466.exe | PID 2292 | Executes dropped EXE
35 | \??\c:\646640.exe | c:\646640.exe | PID 2420 | Executes dropped EXE
36 | \??\c:\bntthb.exe | c:\bntthb.exe | PID 2232 | Executes dropped EXE
37 | \??\c:\jvjpp.exe | c:\jvjpp.exe | PID 1608 | Executes dropped EXE
38 | \??\c:\08628.exe | c:\08628.exe | PID 2004 | Executes dropped EXE
39 | \??\c:\862242.exe | c:\862242.exe | PID 2836 | Executes dropped EXE
40 | \??\c:\2664262.exe | c:\2664262.exe | PID 2808 | Executes dropped EXE
41 | \??\c:\2066666.exe | c:\2066666.exe | PID 2928 | Executes dropped EXE
42 | \??\c:\o488640.exe | c:\o488640.exe | PID 2984 | Executes dropped EXE
43 | \??\c:\9jvjd.exe | c:\9jvjd.exe | PID 2840 | Executes dropped EXE
44 | \??\c:\g8000.exe | c:\g8000.exe | PID 2844 | Executes dropped EXE
45 | \??\c:\68044.exe | c:\68044.exe | PID 2696 | Executes dropped EXE
46 | \??\c:\tthhtn.exe | c:\tthhtn.exe | PID 2684 | Executes dropped EXE
47 | \??\c:\64444.exe | c:\64444.exe | PID 2800 | Executes dropped EXE
48 | \??\c:\8004426.exe | c:\8004426.exe | PID 2732 | Executes dropped EXE
49 | \??\c:\s2008.exe | c:\s2008.exe | PID 1864 | Executes dropped EXE
50 | \??\c:\hbnnbb.exe | c:\hbnnbb.exe | PID 2084 | Executes dropped EXE
51 | \??\c:\w62600.exe | c:\w62600.exe | PID 2156 | Executes dropped EXE
52 | \??\c:\5ntthh.exe | c:\5ntthh.exe | PID 3064 | Executes dropped EXE
53 | \??\c:\7pddj.exe | c:\7pddj.exe | PID 1684 | Executes dropped EXE
54 | \??\c:\5btntb.exe | c:\5btntb.exe | PID 3056 | Executes dropped EXE
55 | \??\c:\7ddvp.exe | c:\7ddvp.exe | PID 1532 | Executes dropped EXE
56 | \??\c:\rlxfflf.exe | c:\rlxfflf.exe | PID 316 | Executes dropped EXE
57 | \??\c:\1ntnhb.exe | c:\1ntnhb.exe | PID 2548 | Executes dropped EXE
58 | \??\c:\226688.exe | c:\226688.exe | PID 2640 | Executes dropped EXE
59 | \??\c:\a6400.exe | c:\a6400.exe | PID 2776 | Executes dropped EXE
60 | \??\c:\pdpvj.exe | c:\pdpvj.exe | PID 288 | Executes dropped EXE; System Location Discovery: System Language Discovery
61 | \??\c:\pvdpj.exe | c:\pvdpj.exe | PID 2300 | Executes dropped EXE
62 | \??\c:\64228.exe | c:\64228.exe | PID 2552 | Executes dropped EXE
63 | \??\c:\jvjdv.exe | c:\jvjdv.exe | PID 2448 | Executes dropped EXE
64 | \??\c:\602800.exe | c:\602800.exe | PID 2332 | Executes dropped EXE
65 | \??\c:\4288444.exe | c:\4288444.exe | PID 740 | Executes dropped EXE
66 | \??\c:\5jvvv.exe | c:\5jvvv.exe | PID 3024 |
67 | \??\c:\nhbttn.exe | c:\nhbttn.exe | PID 1548 |
68 | \??\c:\nhtntb.exe | c:\nhtntb.exe | PID 924 |
69 | \??\c:\rlxfrlr.exe | c:\rlxfrlr.exe | PID 2020 |
70 | \??\c:\nbnhhh.exe | c:\nbnhhh.exe | PID 1520 |
71 | \??\c:\602882.exe | c:\602882.exe | PID 1488 |
72 | \??\c:\pppdp.exe | c:\pppdp.exe | PID 2252 |
73 | \??\c:\lxlffxx.exe | c:\lxlffxx.exe | PID 1276 |
74 | \??\c:\0240668.exe | c:\0240668.exe | PID 1788 |
75 | \??\c:\0848482.exe | c:\0848482.exe | PID 2616 |
76 | \??\c:\m4668.exe | c:\m4668.exe | PID 1820 |
77 | \??\c:\dpvpd.exe | c:\dpvpd.exe | PID 2628 |
78 | \??\c:\08446.exe | c:\08446.exe | PID 1712 |
79 | \??\c:\vpdpj.exe | c:\vpdpj.exe | PID 2648 | System Location Discovery: System Language Discovery
80 | \??\c:\204422.exe | c:\204422.exe | PID 1448 |
81 | \??\c:\020888.exe | c:\020888.exe | PID 2192 |
82 | \??\c:\pdvvd.exe | c:\pdvvd.exe | PID 2004 |
83 | \??\c:\5fxxxrf.exe | c:\5fxxxrf.exe | PID 2952 |
84 | \??\c:\608200.exe | c:\608200.exe | PID 2808 |
85 | \??\c:\rflxllx.exe | c:\rflxllx.exe | PID 2928 |
86 | \??\c:\btnnbn.exe | c:\btnnbn.exe | PID 2948 |
87 | \??\c:\tnbtbn.exe | c:\tnbtbn.exe | PID 2220 |
88 | \??\c:\0422084.exe | c:\0422084.exe | PID 2852 |
89 | \??\c:\xrflfff.exe | c:\xrflfff.exe | PID 2696 |
90 | \??\c:\vpppd.exe | c:\vpppd.exe | PID 2684 |
91 | \??\c:\s4668.exe | c:\s4668.exe | PID 2572 |
92 | \??\c:\a8484.exe | c:\a8484.exe | PID 1792 |
93 | \??\c:\nbbbhb.exe | c:\nbbbhb.exe | PID 1864 |
94 | \??\c:\g8622.exe | c:\g8622.exe | PID 2084 |
95 | \??\c:\3jvvd.exe | c:\3jvvd.exe | PID 2992 |
96 | \??\c:\ttnthn.exe | c:\ttnthn.exe | PID 3064 |
97 | \??\c:\jdjjd.exe | c:\jdjjd.exe | PID 2884 |
98 | \??\c:\5lrfrxx.exe | c:\5lrfrxx.exe | PID 3056 |
99 | \??\c:\ddvdp.exe | c:\ddvdp.exe | PID 1196 |
100 | \??\c:\vvvdv.exe | c:\vvvdv.exe | PID 2520 |
101 | \??\c:\1nthnb.exe | c:\1nthnb.exe | PID 2560 |
102 | \??\c:\a0828.exe | c:\a0828.exe | PID 824 |
103 | \??\c:\64840.exe | c:\64840.exe | PID 808 |
104 | \??\c:\m6846.exe | c:\m6846.exe | PID 288 |
105 | \??\c:\5vpvv.exe | c:\5vpvv.exe | PID 1404 |
106 | \??\c:\i640622.exe | c:\i640622.exe | PID 2552 |
107 | \??\c:\64628.exe | c:\64628.exe | PID 1628 |
108 | \??\c:\644028.exe | c:\644028.exe | PID 2332 |
109 | \??\c:\3bbhhh.exe | c:\3bbhhh.exe | PID 2024 |
110 | \??\c:\djdjd.exe | c:\djdjd.exe | PID 2476 |
111 | \??\c:\1hhbbb.exe | c:\1hhbbb.exe | PID 888 |
112 | \??\c:\602208.exe | c:\602208.exe | PID 532 |
113 | \??\c:\602200.exe | c:\602200.exe | PID 1656 | System Location Discovery: System Language Discovery
114 | \??\c:\424088.exe | c:\424088.exe | PID 2148 |
115 | \??\c:\a8000.exe | c:\a8000.exe | PID 2432 |
116 | \??\c:\3rlxrrr.exe | c:\3rlxrrr.exe | PID 572 |
117 | \??\c:\c428040.exe | c:\c428040.exe | PID 880 |
118 | \??\c:\9vvvd.exe | c:\9vvvd.exe | PID 2128 |
119 | \??\c:\8640280.exe | c:\8640280.exe | PID 1040 |
120 | \??\c:\hbhbbb.exe | c:\hbhbbb.exe | PID 2468 |
121 | \??\c:\7bttbb.exe | c:\7bttbb.exe | PID 2628 |
122 | \??\c:\5pvjj.exe | c:\5pvjj.exe | PID 2620 |