Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 11/01/2025, 06:50

Static task: static1
Behavioral task: behavioral1
- Sample: ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe
- Resource: win7-20241010-en

General
- Target: ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe
- Size: 454KB
- MD5: 537259eef678b74f5196e3621a6e4e3e
- SHA1: 6715cffb0d83c948e90d9d85028869e9c8a908a1
- SHA256: ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb
- SHA512: c98dbc71dfa75be4acb7233cdcf0c7555e9fac66d6ce0852493bbcc6d8f8748630f441b9f7b9b83c48f72a270bdc9d58aa07070e387603e98b53693e18645068
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures

Blackmoon family
Blackmoon (also tracked as KRBanker) is a banking trojan family; the verdict below rests on the family_blackmoon YARA rule matching memory dumps, not on any configuration extracted from the sample.

Detect Blackmoon payload 41 IoCs
YARA rule family_blackmoon matched the following behavioral1 memory dumps. Dump names have the form <pid>-<dump#>; unless listed as an exception below, every matched region is 0x0000000000400000-0x000000000042A000, i.e. the 0x2A000-byte mapped image at the default 32-bit image base, the same size in every process of the chain. Several processes (784, 880, 2148) hold a second region of exactly the same size at another base, so the payload exists twice in those processes.

2776-12, 2828-21, 2976-29, 2380-7, 2944-38, 2800-48, 2644-57, 1956-66, 2476-74, 1664-91, 2692-109, 2176-100, 2968-118, 320-151, 760-185, 840-194, 1132-205, 784-208, 784-215, 2600-226, 1048-236, 2524-244, 880-264, 2292-274, 880-272, 2292-276, 1588-285, 2844-294, 2468-361, 2068-368, 3024-394, 1484-415, 1248-422, 1284-499, 2148-507, 2092-528, 2148-529, 1932-672, 548-754, 1584-786, 3044-923

Exceptions to the 0x400000 base:
- 840-194: 0x00000000003D0000-0x00000000003FA000 (0x2A000 bytes)
- 784-215, 880-272, 3024-394, 2148-529, 548-754, 1584-786, 3044-923: 0x0000000000220000-0x000000000024A000 (0x2A000 bytes)
- 2292-276: 0x0000000077220000-0x000000007733F000 (0x11F000 bytes; the only matched region that is not the 0x2A000-byte image)
Executes dropped EXE 64 IoCs
pid and process, in launch order (the list stops at 64 entries; the process tree below continues past it). PID 2616 appears twice (i600446.exe, later 824462.exe), the first sign that PIDs are being recycled because earlier stages have exited.

2776 vjjvj.exe, 2828 c800062.exe, 2976 fxrrxxf.exe, 2944 hbhhnt.exe, 2800 20224.exe, 2644 606682.exe, 1956 2648002.exe, 2476 2084606.exe,
1504 8688888.exe, 1664 080280.exe, 2176 xlrxfrf.exe, 2692 frfllfr.exe, 2968 4428008.exe, 2032 pjdpp.exe, 3052 826280.exe, 2604 hbthbn.exe,
320 pjvvv.exe, 2616 i600446.exe, 2100 208428.exe, 760 208822.exe, 840 7vjvj.exe, 1132 m2068.exe, 784 1llrllx.exe, 2600 nhttbt.exe,
1048 4828624.exe, 2524 jpjjv.exe, 1844 c828046.exe, 1676 q64422.exe, 880 0040846.exe, 2292 482806.exe, 2844 ffxfxxr.exe, 2832 3pdpv.exe,
2640 44842.exe, 2772 886208.exe, 2928 pjddp.exe, 2684 0460280.exe, 3032 rrfxflr.exe, 836 86000.exe, 1544 pvvdv.exe, 2428 0466426.exe,
2468 60024.exe, 2068 xxxfrxr.exe, 2904 s8286.exe, 2736 nbbhhb.exe, 3004 44626.exe, 3024 42440.exe, 1920 k46846.exe, 856 9dvdj.exe,
1484 o046408.exe, 1248 48620.exe, 2276 jvdjv.exe, 2616 824462.exe, 1600 7htttt.exe, 1296 rlxxllx.exe, 2096 1jdjd.exe, 1056 o046286.exe,
2088 5pjpd.exe, 2332 666882.exe, 1148 a0880.exe, 1360 1xrrrxf.exe, 2412 86464.exe, 1284 042284.exe, 2148 xxrfllr.exe, 2168 djjvd.exe
UPX packed file (YARA rule upx) 52 IoCs
The upx rule matched the following behavioral1 memory dumps. All regions are 0x0000000000400000-0x000000000042A000 except 2072-718, which is 0x0000000000220000-0x000000000024A000. Many of these are the very dumps that also matched family_blackmoon (2776-12, 2828-21, 784-208 and so on): a UPX-packed image that has unpacked itself in memory still carries its UPX section headers and stub, so the packer rule and the family rule fire on the same bytes.

2776-12, 2828-21, 2976-29, 2380-7, 2944-38, 2800-48, 2644-57, 1956-66, 2476-74, 1664-91, 2692-109, 2176-100, 2968-118, 320-151, 2616-159, 760-177, 760-185, 1132-197, 1132-205, 784-208, 2600-226, 1048-236, 2524-244, 880-264, 2292-274, 1588-278, 1588-285, 2844-294, 3032-328, 2468-361, 2068-368, 3004-381, 1920-395, 1484-415, 1248-422, 2096-447, 2332-466, 1284-492, 1284-499, 2148-500, 2148-507, 2092-528, 2796-554, 2704-600, 2904-633, 1932-672, 1696-709, 2072-718, 548-748, 1632-779, 2156-806, 3004-902
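The two YARA lists above share one dump naming scheme, and the questions worth asking of them (are all matched regions the same size, which dumps carry both verdicts, which processes hold more than one copy) are easier to answer from parsed fields than by eye. The Python below is an added example written for this page, not Triage code; it parses a constructed subset of this report's own IoC lines, copied verbatim, and reports region sizes per rule, dumps matched by both rules and the distinct image bases seen per PID.

```python
import re
from collections import defaultdict

# Triage names each collected memory dump
#   <task>/memory/<pid>-<dump#>-0x<start>-0x<end>-memory.dmp
# and repeats the dump once per YARA rule that matched it.
DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed input: a subset of the IoC lines from this report, copied verbatim.
SAMPLE_IOCS = """\
behavioral1/memory/2776-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2828-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/840-194-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon
behavioral1/memory/784-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/784-215-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon
behavioral1/memory/2292-276-0x0000000077220000-0x000000007733F000-memory.dmp family_blackmoon
behavioral1/memory/2776-12-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2828-21-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/784-208-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2072-718-0x0000000000220000-0x000000000024A000-memory.dmp upx
"""


def parse_ioc(line):
    """Split one '<dump> <rule>' line into fields; None if it is not a dump IoC."""
    parts = line.split()
    if len(parts) != 2:
        return None
    m = DUMP_RE.match(parts[0])
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {
        "dump": parts[0],
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
        "rule": parts[1],
    }


def parse_iocs(text):
    return [rec for rec in map(parse_ioc, text.splitlines()) if rec]


def rules_by_region_size(records):
    """size -> set of rules that matched a region of that size."""
    out = defaultdict(set)
    for rec in records:
        out[rec["size"]].add(rec["rule"])
    return dict(out)


def dumps_matched_by_all(records, rules):
    """Dumps on which every rule in `rules` fired (same bytes, two verdicts)."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["dump"]].add(rec["rule"])
    return sorted(d for d, hit in seen.items() if set(rules) <= hit)


def image_bases_by_pid(records):
    """pid -> sorted distinct region bases; two bases means two copies in one process."""
    bases = defaultdict(set)
    for rec in records:
        bases[rec["pid"]].add(rec["start"])
    return {pid: sorted(b) for pid, b in bases.items()}


if __name__ == "__main__":
    recs = parse_iocs(SAMPLE_IOCS)
    for size, rules in sorted(rules_by_region_size(recs).items()):
        print(f"region size 0x{size:X}: {', '.join(sorted(rules))}")
    print("matched by upx and family_blackmoon:",
          dumps_matched_by_all(recs, ["upx", "family_blackmoon"]))
    print("bases per pid:",
          {p: [hex(b) for b in v] for p, v in image_bases_by_pid(recs).items()})
```

On this subset the only region that is not 0x2A000 bytes is 2292-276 (0x11F000 bytes at 0x77220000), and PID 784 shows the two-copies pattern: the image at 0x400000 and a second 0x2A000-byte region at 0x220000.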
System Location Discovery: System Language Discovery (ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather the system language of the victim in order to infer the geographical location of the host. Blackmoon/KRBanker has historically targeted South Korean online-banking users, which is the usual reason this family checks the system language; the report does not show what the sample does with the value, so treat this as context rather than evidence of geo-gating.

All 64 entries are the same operation, Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, attributed to:
- 24 named processes: w86206.exe, rlfrflf.exe, 3nbbht.exe, o022624.exe, hhtthh.exe, nbhtbt.exe, fxlrlxl.exe, 42402.exe, lfrfrrl.exe, jdpvp.exe, ttntbb.exe, 5jvvp.exe, g2068.exe, 864628.exe, w28840.exe, 7jdpd.exe, 264084.exe, ffxfxxr.exe, djjvd.exe, rrflrrx.exe, a0224.exe, 02266.exe, hbhhnt.exe, fllfrfl.exe
- 40 entries recorded as "Process not Found": the process had already exited when Triage resolved the IoC, consistent with the PID recycling visible in the process tree.

Most of the 24 named processes do not appear among the 122 nodes of the tree shown below, so the chain continued well past the point at which the tree display stops.
Suspicious use of WriteProcessMemory 64 IoCs
Each parent writes into the address space of the child it has just launched. The 64 entries are 16 distinct parent/child pairs, each recorded four times in the original; the pairs are the first 16 hops of the process tree below, in order. WriteProcessMemory from a parent into a freshly created child is the same primitive used to inject into or hollow a suspended child, but this report does not show whether the child's image is replaced: the YARA hits are on the child's own 0x400000 image region.

PID    wrote to  Process                                                                  procid_target
2380   2776      ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe    31
2776   2828      vjjvj.exe                                                                32
2828   2976      c800062.exe                                                              33
2976   2944      fxrrxxf.exe                                                              34
2944   2800      hbhhnt.exe                                                               35
2800   2644      20224.exe                                                                36
2644   1956      606682.exe                                                               37
1956   2476      2648002.exe                                                              38
2476   1504      2084606.exe                                                              39
1504   1664      8688888.exe                                                              40
1664   2176      080280.exe                                                               41
2176   2692      xlrxfrf.exe                                                              42
2692   2968      frfllfr.exe                                                              43
2968   2032      4428008.exe                                                              44
2032   3052      pjdpp.exe                                                                45
3052   2604      826280.exe                                                               46
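Turning the WriteProcessMemory entries into edges makes the hand-off pattern explicit: one writer, one target per hop, a different image at every hop, repeated for as long as the list runs. The Python below is an added example, not part of the Triage report; it reads a constructed subset of this report's lines, collapses the repeated records, follows the chain from its root and flags relay chains longer than a threshold while leaving an isolated single write alone. The svchost.exe line and the 4-hop threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict

# One Triage IoC line: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$"
)

# Constructed input: the first five hops of this report's list (Triage repeats each
# write, so duplicates are expected) plus one unrelated single write for contrast.
SAMPLE = """\
PID 2380 wrote to memory of 2776 2380 ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe 31
PID 2380 wrote to memory of 2776 2380 ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe 31
PID 2776 wrote to memory of 2828 2776 vjjvj.exe 32
PID 2776 wrote to memory of 2828 2776 vjjvj.exe 32
PID 2828 wrote to memory of 2976 2828 c800062.exe 33
PID 2976 wrote to memory of 2944 2976 fxrrxxf.exe 34
PID 2944 wrote to memory of 2800 2944 hbhhnt.exe 35
PID 1200 wrote to memory of 1300 1200 svchost.exe 9
"""


def parse_edges(text):
    """Return ({(src, dst): writer_image}, raw_line_count); duplicates collapse."""
    edges, raw = {}, 0
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        raw += 1
        edges.setdefault((int(m["src"]), int(m["dst"])), m["image"])
    return edges, raw


def chains(edges):
    """Walk src -> dst from every root (a writer that nobody wrote into)."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    result = []
    for root in sorted(children):
        if root in targets:
            continue
        chain, cur, seen = [root], root, {root}
        # Follow only while the hand-off is unambiguous: exactly one unseen child.
        while len(children[cur]) == 1 and children[cur][0] not in seen:
            cur = children[cur][0]
            seen.add(cur)
            chain.append(cur)
        result.append(chain)
    return result


def flag_relay_chains(edges, min_hops=4):
    """Flag chains of >= min_hops in which every hop is written by a different image:
    the stage-to-stage relay this report shows, as opposed to one parent writing
    once into one child."""
    flagged = []
    for chain in chains(edges):
        hops = len(chain) - 1
        if hops < min_hops:
            continue
        images = [edges[(a, b)] for a, b in zip(chain, chain[1:])]
        if len(set(images)) == len(images):
            flagged.append({"root": chain[0], "hops": hops, "pids": chain, "images": images})
    return flagged


if __name__ == "__main__":
    edges, raw = parse_edges(SAMPLE)
    print(f"{raw} records -> {len(edges)} distinct writer/target pairs")
    for hit in flag_relay_chains(edges):
        print(f"relay chain from PID {hit['root']}, {hit['hops']} hops: "
              + " -> ".join(map(str, hit["pids"])))
```

A single WriteProcessMemory into a child is common to installers and debuggers; requiring several consecutive hops with a new writer image at each one is what separates this chain from that noise, and the constructed svchost.exe pair correctly stays unflagged.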
Processes
The tree is a single linear chain: every stage drops the next one to the root of c:\ and launches it, and PIDs are recycled further down (2776, 2944, 2772, 2616, 2148, 1588 and others appear twice), so each stage has exited by the time its descendants run. The original renders each node as the NT path (\??\c:\name.exe), the command line (c:\name.exe) and the depth run together; below, each node appears once as depth, command line, PID and the signatures Triage attached to it. Signature tags end at depth 66 for Executes dropped EXE and at depth 16 for WriteProcessMemory because each signature list stops at 64 IoCs (64 = depths 2-66 less the untagged jjdpj.exe at depth 32; 64 = 16 pairs recorded four times); later stages are not tagged, not different. The display ends at depth 122.

Legend: EDE = Executes dropped EXE; WPM = Suspicious use of WriteProcessMemory; SLD = System Location Discovery: System Language Discovery.

  1  "C:\Users\Admin\AppData\Local\Temp\ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe"  PID 2380  [WPM]
  2  c:\vjjvj.exe  PID 2776  [EDE, WPM]
  3  c:\c800062.exe  PID 2828  [EDE, WPM]
  4  c:\fxrrxxf.exe  PID 2976  [EDE, WPM]
  5  c:\hbhhnt.exe  PID 2944  [EDE, SLD, WPM]
  6  c:\20224.exe  PID 2800  [EDE, WPM]
  7  c:\606682.exe  PID 2644  [EDE, WPM]
  8  c:\2648002.exe  PID 1956  [EDE, WPM]
  9  c:\2084606.exe  PID 2476  [EDE, WPM]
 10  c:\8688888.exe  PID 1504  [EDE, WPM]
 11  c:\080280.exe  PID 1664  [EDE, WPM]
 12  c:\xlrxfrf.exe  PID 2176  [EDE, WPM]
 13  c:\frfllfr.exe  PID 2692  [EDE, WPM]
 14  c:\4428008.exe  PID 2968  [EDE, WPM]
 15  c:\pjdpp.exe  PID 2032  [EDE, WPM]
 16  c:\826280.exe  PID 3052  [EDE, WPM]
 17  c:\hbthbn.exe  PID 2604  [EDE]
 18  c:\pjvvv.exe  PID 320  [EDE]
 19  c:\i600446.exe  PID 2616  [EDE]
 20  c:\208428.exe  PID 2100  [EDE]
 21  c:\208822.exe  PID 760  [EDE]
 22  c:\7vjvj.exe  PID 840  [EDE]
 23  c:\m2068.exe  PID 1132  [EDE]
 24  c:\1llrllx.exe  PID 784  [EDE]
 25  c:\nhttbt.exe  PID 2600  [EDE]
 26  c:\4828624.exe  PID 1048  [EDE]
 27  c:\jpjjv.exe  PID 2524  [EDE]
 28  c:\c828046.exe  PID 1844  [EDE]
 29  c:\q64422.exe  PID 1676  [EDE]
 30  c:\0040846.exe  PID 880  [EDE]
 31  c:\482806.exe  PID 2292  [EDE]
 32  c:\jjdpj.exe  PID 1588
 33  c:\ffxfxxr.exe  PID 2844  [EDE, SLD]
 34  c:\3pdpv.exe  PID 2832  [EDE]
 35  c:\44842.exe  PID 2640  [EDE]
 36  c:\886208.exe  PID 2772  [EDE]
 37  c:\pjddp.exe  PID 2928  [EDE]
 38  c:\0460280.exe  PID 2684  [EDE]
 39  c:\rrfxflr.exe  PID 3032  [EDE]
 40  c:\86000.exe  PID 836  [EDE]
 41  c:\pvvdv.exe  PID 1544  [EDE]
 42  c:\0466426.exe  PID 2428  [EDE]
 43  c:\60024.exe  PID 2468  [EDE]
 44  c:\xxxfrxr.exe  PID 2068  [EDE]
 45  c:\s8286.exe  PID 2904  [EDE]
 46  c:\nbbhhb.exe  PID 2736  [EDE]
 47  c:\44626.exe  PID 3004  [EDE]
 48  c:\42440.exe  PID 3024  [EDE]
 49  c:\k46846.exe  PID 1920  [EDE]
 50  c:\9dvdj.exe  PID 856  [EDE]
 51  c:\o046408.exe  PID 1484  [EDE]
 52  c:\48620.exe  PID 1248  [EDE]
 53  c:\jvdjv.exe  PID 2276  [EDE]
 54  c:\824462.exe  PID 2616  [EDE]
 55  c:\7htttt.exe  PID 1600  [EDE]
 56  c:\rlxxllx.exe  PID 1296  [EDE]
 57  c:\1jdjd.exe  PID 2096  [EDE]
 58  c:\o046286.exe  PID 1056  [EDE]
 59  c:\5pjpd.exe  PID 2088  [EDE]
 60  c:\666882.exe  PID 2332  [EDE]
 61  c:\a0880.exe  PID 1148  [EDE]
 62  c:\1xrrrxf.exe  PID 1360  [EDE]
 63  c:\86464.exe  PID 2412  [EDE]
 64  c:\042284.exe  PID 1284  [EDE]
 65  c:\xxrfllr.exe  PID 2148  [EDE]
 66  c:\djjvd.exe  PID 2168  [EDE, SLD]
 67  c:\60284.exe  PID 1668
 68  c:\006442.exe  PID 2092
 69  c:\9rrrxfl.exe  PID 2384
 70  c:\408088.exe  PID 1700
 71  c:\5jvvd.exe  PID 2776
 72  c:\jpjpp.exe  PID 2788
 73  c:\4862440.exe  PID 2796
 74  c:\5nhhnn.exe  PID 2840
 75  c:\rlflffr.exe  PID 2944
 76  c:\7rlrxfl.exe  PID 2772
 77  c:\42668.exe  PID 2636
 78  c:\w82424.exe  PID 2696
 79  c:\lfxfxfl.exe  PID 2628
 80  c:\66440.exe  PID 2704
 81  c:\pjdpd.exe  PID 2256
 82  c:\22680.exe  PID 2272
 83  c:\ntbnbb.exe  PID 2468
 84  c:\w08084.exe  PID 2176
 85  c:\nhttbb.exe  PID 2904
 86  c:\864042.exe  PID 2736
 87  c:\fxllrxr.exe  PID 1276
 88  c:\04280.exe  PID 3028
 89  c:\866806.exe  PID 1920
 90  c:\3frrxlx.exe  PID 1932
 91  c:\0462046.exe  PID 3000
 92  c:\nnhhtt.exe  PID 2152
 93  c:\lfxxlrr.exe  PID 2172
 94  c:\264026.exe  PID 1052
 95  c:\xffxxfx.exe  PID 2064
 96  c:\1tbbbt.exe  PID 2512
 97  c:\s0024.exe  PID 1696
 98  c:\o440224.exe  PID 2072
 99  c:\882806.exe  PID 1916
100  c:\hthnbt.exe  PID 1628
101  c:\o642000.exe  PID 1376
102  c:\0468400.exe  PID 2396
103  c:\g8628.exe  PID 548
104  c:\3thhbt.exe  PID 1584
105  c:\tnbhnb.exe  PID 2148
106  c:\9btnbt.exe  PID 1672
107  c:\vpddj.exe  PID 1632
108  c:\420026.exe  PID 2492
109  c:\w28840.exe  PID 1564  [SLD]
110  c:\5xxrxll.exe  PID 1588
111  c:\btnthh.exe  PID 2156
112  c:\0866886.exe  PID 2788
113  c:\602022.exe  PID 2796
114  c:\frrrrll.exe  PID 2840
115  c:\g4622.exe  PID 2664
116  c:\08006.exe  PID 2772
117  c:\o860602.exe  PID 396
118  c:\nnbbtn.exe  PID 2484
119  c:\08068.exe  PID 2472
120  c:\3vjdd.exe  PID 2868
121  c:\480066.exe  PID 2256
122  c:\20408.exe  PID 2428
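Outside the sandbox, the observable that survives from this tree is the naming and placement of the stages: short names built from one of the letter sets {v,j,d,p}, {h,b,t,n}, {f,x,r,l} (optionally with a single odd-digit prefix) or from even digits only (optionally with a single-letter prefix), executed from the root of c:\, each parented by another such file. The Python below is an added example, not a published signature and not Triage code; the regex is fitted to the names in this report and the process-creation records (Sysmon Event ID 1-style Image/ParentImage/ProcessId fields) are constructed to mirror the first hops of the chain plus two benign controls. It also accepts Triage's \??\ NT-path form so the report's own lines can be fed in unchanged.

```python
import re
from pathlib import PureWindowsPath

# Heuristic fitted to the dropped-file names in this report (not a published signature):
#   4-7 letters from one of {v,j,d,p}, {h,b,t,n}, {f,x,r,l}, optionally prefixed by one odd digit,
#   or 4-7 even digits, optionally prefixed by one letter.
NAME_RE = re.compile(
    r"^(?:[13579]?(?:[vjdp]{4,7}|[hbtn]{4,7}|[fxrl]{4,7})|[a-z]?[02468]{4,7})\.exe$",
    re.IGNORECASE,
)


def normalize(path):
    """Drop the NT object-namespace prefix Triage prints (\\??\\c:\\x.exe -> c:\\x.exe)."""
    return path[4:] if path.startswith("\\??\\") else path


def in_drive_root(path):
    """True for c:\\name.exe, False for anything nested inside a directory."""
    p = PureWindowsPath(normalize(path))
    return bool(p.drive) and len(p.parts) == 2


def score_event(ev):
    """Return (score, reasons) for one process-creation record."""
    image = normalize(ev["Image"])
    parent = normalize(ev.get("ParentImage", ""))
    reasons = []
    if in_drive_root(image):
        reasons.append("image runs from the drive root")
    if NAME_RE.match(PureWindowsPath(image).name):
        reasons.append("image name matches the dropped-binary alphabet")
    if parent and in_drive_root(parent) and NAME_RE.match(PureWindowsPath(parent).name):
        reasons.append("parent is itself such a binary (chain link)")
    return len(reasons), reasons


def triage_events(events, threshold=2):
    """Events scoring at least `threshold`, as (ProcessId, reasons)."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["ProcessId"], reasons))
    return hits


# Constructed records in Sysmon Event ID 1 shape: the first hops of this report's chain
# plus two benign controls (notepad.exe, and a setup.exe launched from C:\).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"ProcessId": 2380,
     "Image": TEMP + r"\ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 2776, "Image": r"\??\c:\vjjvj.exe",
     "ParentImage": TEMP + r"\ba1047ce7959fcf20eaf12b9cafcc2a4c1d5bd8f1bc0e6b98a5288d2186e6cfb.exe"},
    {"ProcessId": 2828, "Image": r"\??\c:\c800062.exe", "ParentImage": r"\??\c:\vjjvj.exe"},
    {"ProcessId": 2976, "Image": r"\??\c:\fxrrxxf.exe", "ParentImage": r"\??\c:\c800062.exe"},
    {"ProcessId": 4000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4001, "Image": r"C:\setup.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, reasons in triage_events(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Running from the drive root alone scores 1 (the constructed C:\setup.exe control), which is why the threshold is 2: the first dropped stage scores 2 on location plus name, and every later stage scores 3 once its parent is also such a file. The original sample itself (PID 2380, long hash name in Temp) scores 0; the heuristic is for the chain, not the dropper.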