Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 02/12/2024, 08:34

Behavioral task: behavioral1
- Sample: 2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe
- Resource: win7-20240903-en

General
- Target: 2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe
- Size: 3.7MB
- MD5: e03763091b6d1399381027a081994736
- SHA1: 04b4cdf7141cdd3c287fa601d58eeabf81cf4582
- SHA256: 2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400
- SHA512: bbd7207889c3a0c4fb4f0143dc51101e3a92d1fe26ed858f6b763d3ec6902ff709ef01ba805114fd9ed55c13984c12bab38e04b8c41dc1fdb26ba2403bec08ca
- SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98H:U6XLq/qPPslzKx/dJg1ErmNi
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (47 IoCs)

resource  yara_rule
behavioral1/memory/2188-7-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2376-18-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2772-29-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/896-44-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2552-47-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2676-62-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2196-71-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1488-74-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2932-83-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1736-92-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2828-101-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1632-110-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/680-127-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/536-145-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2168-162-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2176-202-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1696-221-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2296-254-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2484-269-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2492-287-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2936-294-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2704-314-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2840-321-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2560-322-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2772-335-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2588-336-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2588-343-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2796-350-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2912-376-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1484-439-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2968-440-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1264-544-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2172-563-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2896-611-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1732-649-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/600-687-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2652-700-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2964-733-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/884-776-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2092-789-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2396-802-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/352-827-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2440-962-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1244-975-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2520-1063-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1784-1175-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1312-1374-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
- Njrat family
- Executes dropped EXE (64 IoCs)

pid  Process
2376  dvvpj.exe
2836  thnhtb.exe
2772  a0448.exe
896  vvjpd.exe
2552  282462.exe
2676  bbnthn.exe
2196  9nbhbn.exe
1488  6046068.exe
2932  nhnbnt.exe
1736  i820286.exe
2828  dvpdd.exe
1632  8268684.exe
1164  482402.exe
680  1bbbnt.exe
2832  042022.exe
536  bbttnb.exe
2812  pjdjp.exe
2168  xxllrrf.exe
2252  llxfrxf.exe
1160  tnbbhn.exe
408  g4408.exe
2176  pjvjv.exe
984  a6468.exe
2520  1nnbth.exe
1696  606246.exe
1824  3vdpv.exe
2340  82608.exe
1864  tbnbnn.exe
2296  06040.exe
2484  rlfllrx.exe
2512  48668.exe
2492  djvpj.exe
2936  7dvvd.exe
2288  w44608.exe
1592  20468.exe
2704  vvppv.exe
2840  q60840.exe
2560  0868886.exe
2772  2002064.exe
2588  ppdvp.exe
2796  6006846.exe
3032  262402.exe
1036  ppvpd.exe
576  vpppd.exe
2912  426628.exe
2924  tthhtt.exe
2648  2042408.exe
2352  048406.exe
2444  tttthn.exe
2620  ttnbhh.exe
1524  bthtnt.exe
1164  4422884.exe
1012  dddjv.exe
2824  48008.exe
1484  hhthnb.exe
2968  pddjv.exe
2736  9tntbh.exe
2448  260284.exe
1156  tthntb.exe
2036  5thntn.exe
1944  rxrxrrx.exe
2164  60846.exe
1608  nnhntt.exe
984  9xlxrxl.exe

resource  yara_rule
behavioral1/memory/2188-0-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000a000000012280-5.dat  upx
behavioral1/memory/2188-7-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2376-9-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000800000001660e-20.dat  upx
behavioral1/memory/2376-18-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0008000000016890-27.dat  upx
behavioral1/memory/2772-29-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0007000000016c89-36.dat  upx
behavioral1/memory/896-44-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00340000000162e4-45.dat  upx
behavioral1/memory/2552-47-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0007000000016ca0-54.dat  upx
behavioral1/files/0x0007000000016cab-63.dat  upx
behavioral1/memory/2676-62-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2196-71-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0009000000016cf0-72.dat  upx
behavioral1/memory/1488-74-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0008000000016d22-82.dat  upx
behavioral1/memory/2932-83-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1736-92-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0008000000017570-91.dat  upx
behavioral1/files/0x00060000000175f1-100.dat  upx
behavioral1/memory/2828-101-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1632-110-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00060000000175f7-109.dat  upx
behavioral1/files/0x000d000000018683-117.dat  upx
behavioral1/files/0x0005000000018697-125.dat  upx
behavioral1/memory/680-127-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2832-135-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000018706-134.dat  upx
behavioral1/files/0x000500000001870c-143.dat  upx
behavioral1/memory/536-145-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001871c-152.dat  upx
behavioral1/files/0x0005000000018745-161.dat  upx
behavioral1/memory/2168-162-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000018be7-169.dat  upx
behavioral1/files/0x0006000000018d7b-177.dat  upx
behavioral1/files/0x0006000000018d83-185.dat  upx
behavioral1/files/0x0006000000018fdf-195.dat  upx
behavioral1/memory/2176-194-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000019056-203.dat  upx
behavioral1/memory/2176-202-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019203-212.dat  upx
behavioral1/files/0x0005000000019237-219.dat  upx
behavioral1/memory/1696-221-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001924f-228.dat  upx
behavioral1/files/0x0005000000019261-237.dat  upx
behavioral1/files/0x0005000000019274-244.dat  upx
behavioral1/files/0x000500000001927a-252.dat  upx
behavioral1/memory/2296-254-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019299-261.dat  upx
behavioral1/files/0x00050000000192a1-270.dat  upx
behavioral1/memory/2484-269-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019354-280.dat  upx
behavioral1/memory/2492-279-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2492-287-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2936-294-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2704-307-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2704-314-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2840-321-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2560-322-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2772-335-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2588-336-0x0000000000400000-0x0000000000427000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description  ioc  Process
All 64 entries share the same description ("Key opened") and ioc (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language); the Process column, in the order reported, is:
Process not Found
Process not Found
64022.exe
04684.exe
260280.exe
3xflfxr.exe
vdpdv.exe
nhhttt.exe
Process not Found
btbbhn.exe
6484002.exe
dvpdd.exe
420628.exe
tnbhtn.exe
k22406.exe
dvjpj.exe
9xrxrlx.exe
2600224.exe
g8248.exe
nhnbnt.exe
vjpdj.exe
k28680.exe
lrxxlrr.exe
hnbbhn.exe
pjvdp.exe
Process not Found
Process not Found
tthhtt.exe
Process not Found
g0060.exe
hbbtnh.exe
Process not Found
rfrlxff.exe
ttnhht.exe
tnhbbh.exe
ttnbhh.exe
rlxlxff.exe
82404.exe
088080.exe
Process not Found
Process not Found
2624202.exe
826462.exe
ddvjp.exe
xrlfxfr.exe
Process not Found
rllrfrl.exe
04284.exe
w64062.exe
Process not Found
88864.exe
Process not Found
rlrxlfx.exe
Process not Found
9tntbh.exe
rrflxxl.exe
lrlxxfr.exe
Process not Found
ppppd.exe
82406.exe
Process not Found
1bbbnt.exe
jdjdp.exe
rlxxfrf.exe
- Suspicious use of WriteProcessMemory (64 IoCs)

description  pid  Process  procid_target
Each row below is reported four times, giving 64 entries in total.
PID 2188 wrote to memory of 2376  2188  2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe  30
PID 2376 wrote to memory of 2836  2376  dvvpj.exe  31
PID 2836 wrote to memory of 2772  2836  thnhtb.exe  32
PID 2772 wrote to memory of 896  2772  a0448.exe  33
PID 896 wrote to memory of 2552  896  vvjpd.exe  34
PID 2552 wrote to memory of 2676  2552  282462.exe  35
PID 2676 wrote to memory of 2196  2676  bbnthn.exe  36
PID 2196 wrote to memory of 1488  2196  9nbhbn.exe  37
PID 1488 wrote to memory of 2932  1488  6046068.exe  38
PID 2932 wrote to memory of 1736  2932  nhnbnt.exe  39
PID 1736 wrote to memory of 2828  1736  i820286.exe  40
PID 2828 wrote to memory of 1632  2828  dvpdd.exe  41
PID 1632 wrote to memory of 1164  1632  8268684.exe  42
PID 1164 wrote to memory of 680  1164  482402.exe  43
PID 680 wrote to memory of 2832  680  1bbbnt.exe  44
PID 2832 wrote to memory of 536  2832  042022.exe  45
Processes
Each process is listed with its tree depth, image path, command line, PID and the signatures that matched it. Every process at depth N+1 is a child of the process at depth N, so the tree is a single chain of 122 processes.

1  C:\Users\Admin\AppData\Local\Temp\2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe  "C:\Users\Admin\AppData\Local\Temp\2cd60b3130d4a62af3777945dbd434050ca2a3244286fd729dbca07e49a67400.exe"  PID:2188  Suspicious use of WriteProcessMemory
2  \??\c:\dvvpj.exe  c:\dvvpj.exe  PID:2376  Executes dropped EXE; Suspicious use of WriteProcessMemory
3  \??\c:\thnhtb.exe  c:\thnhtb.exe  PID:2836  Executes dropped EXE; Suspicious use of WriteProcessMemory
4  \??\c:\a0448.exe  c:\a0448.exe  PID:2772  Executes dropped EXE; Suspicious use of WriteProcessMemory
5  \??\c:\vvjpd.exe  c:\vvjpd.exe  PID:896  Executes dropped EXE; Suspicious use of WriteProcessMemory
6  \??\c:\282462.exe  c:\282462.exe  PID:2552  Executes dropped EXE; Suspicious use of WriteProcessMemory
7  \??\c:\bbnthn.exe  c:\bbnthn.exe  PID:2676  Executes dropped EXE; Suspicious use of WriteProcessMemory
8  \??\c:\9nbhbn.exe  c:\9nbhbn.exe  PID:2196  Executes dropped EXE; Suspicious use of WriteProcessMemory
9  \??\c:\6046068.exe  c:\6046068.exe  PID:1488  Executes dropped EXE; Suspicious use of WriteProcessMemory
10  \??\c:\nhnbnt.exe  c:\nhnbnt.exe  PID:2932  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
11  \??\c:\i820286.exe  c:\i820286.exe  PID:1736  Executes dropped EXE; Suspicious use of WriteProcessMemory
12  \??\c:\dvpdd.exe  c:\dvpdd.exe  PID:2828  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
13  \??\c:\8268684.exe  c:\8268684.exe  PID:1632  Executes dropped EXE; Suspicious use of WriteProcessMemory
14  \??\c:\482402.exe  c:\482402.exe  PID:1164  Executes dropped EXE; Suspicious use of WriteProcessMemory
15  \??\c:\1bbbnt.exe  c:\1bbbnt.exe  PID:680  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
16  \??\c:\042022.exe  c:\042022.exe  PID:2832  Executes dropped EXE; Suspicious use of WriteProcessMemory
17  \??\c:\bbttnb.exe  c:\bbttnb.exe  PID:536  Executes dropped EXE
18  \??\c:\pjdjp.exe  c:\pjdjp.exe  PID:2812  Executes dropped EXE
19  \??\c:\xxllrrf.exe  c:\xxllrrf.exe  PID:2168  Executes dropped EXE
20  \??\c:\llxfrxf.exe  c:\llxfrxf.exe  PID:2252  Executes dropped EXE
21  \??\c:\tnbbhn.exe  c:\tnbbhn.exe  PID:1160  Executes dropped EXE
22  \??\c:\g4408.exe  c:\g4408.exe  PID:408  Executes dropped EXE
23  \??\c:\pjvjv.exe  c:\pjvjv.exe  PID:2176  Executes dropped EXE
24  \??\c:\a6468.exe  c:\a6468.exe  PID:984  Executes dropped EXE
25  \??\c:\1nnbth.exe  c:\1nnbth.exe  PID:2520  Executes dropped EXE
26  \??\c:\606246.exe  c:\606246.exe  PID:1696  Executes dropped EXE
27  \??\c:\3vdpv.exe  c:\3vdpv.exe  PID:1824  Executes dropped EXE
28  \??\c:\82608.exe  c:\82608.exe  PID:2340  Executes dropped EXE
29  \??\c:\tbnbnn.exe  c:\tbnbnn.exe  PID:1864  Executes dropped EXE
30  \??\c:\06040.exe  c:\06040.exe  PID:2296  Executes dropped EXE
31  \??\c:\rlfllrx.exe  c:\rlfllrx.exe  PID:2484  Executes dropped EXE
32  \??\c:\48668.exe  c:\48668.exe  PID:2512  Executes dropped EXE
33  \??\c:\djvpj.exe  c:\djvpj.exe  PID:2492  Executes dropped EXE
34  \??\c:\7dvvd.exe  c:\7dvvd.exe  PID:2936  Executes dropped EXE
35  \??\c:\w44608.exe  c:\w44608.exe  PID:2288  Executes dropped EXE
36  \??\c:\20468.exe  c:\20468.exe  PID:1592  Executes dropped EXE
37  \??\c:\vvppv.exe  c:\vvppv.exe  PID:2704  Executes dropped EXE
38  \??\c:\q60840.exe  c:\q60840.exe  PID:2840  Executes dropped EXE
39  \??\c:\0868886.exe  c:\0868886.exe  PID:2560  Executes dropped EXE
40  \??\c:\2002064.exe  c:\2002064.exe  PID:2772  Executes dropped EXE
41  \??\c:\ppdvp.exe  c:\ppdvp.exe  PID:2588  Executes dropped EXE
42  \??\c:\6006846.exe  c:\6006846.exe  PID:2796  Executes dropped EXE
43  \??\c:\262402.exe  c:\262402.exe  PID:3032  Executes dropped EXE
44  \??\c:\ppvpd.exe  c:\ppvpd.exe  PID:1036  Executes dropped EXE
45  \??\c:\vpppd.exe  c:\vpppd.exe  PID:576  Executes dropped EXE
46  \??\c:\426628.exe  c:\426628.exe  PID:2912  Executes dropped EXE
47  \??\c:\tthhtt.exe  c:\tthhtt.exe  PID:2924  Executes dropped EXE; System Location Discovery: System Language Discovery
48  \??\c:\2042408.exe  c:\2042408.exe  PID:2648  Executes dropped EXE
49  \??\c:\048406.exe  c:\048406.exe  PID:2352  Executes dropped EXE
50  \??\c:\tttthn.exe  c:\tttthn.exe  PID:2444  Executes dropped EXE
51  \??\c:\ttnbhh.exe  c:\ttnbhh.exe  PID:2620  Executes dropped EXE; System Location Discovery: System Language Discovery
52  \??\c:\bthtnt.exe  c:\bthtnt.exe  PID:1524  Executes dropped EXE
53  \??\c:\4422884.exe  c:\4422884.exe  PID:1164  Executes dropped EXE
54  \??\c:\dddjv.exe  c:\dddjv.exe  PID:1012  Executes dropped EXE
55  \??\c:\48008.exe  c:\48008.exe  PID:2824  Executes dropped EXE
56  \??\c:\hhthnb.exe  c:\hhthnb.exe  PID:1484  Executes dropped EXE
57  \??\c:\pddjv.exe  c:\pddjv.exe  PID:2968  Executes dropped EXE
58  \??\c:\9tntbh.exe  c:\9tntbh.exe  PID:2736  Executes dropped EXE; System Location Discovery: System Language Discovery
59  \??\c:\260284.exe  c:\260284.exe  PID:2448  Executes dropped EXE
60  \??\c:\tthntb.exe  c:\tthntb.exe  PID:1156  Executes dropped EXE
61  \??\c:\5thntn.exe  c:\5thntn.exe  PID:2036  Executes dropped EXE
62  \??\c:\rxrxrrx.exe  c:\rxrxrrx.exe  PID:1944  Executes dropped EXE
63  \??\c:\60846.exe  c:\60846.exe  PID:2164  Executes dropped EXE
64  \??\c:\nnhntt.exe  c:\nnhntt.exe  PID:1608  Executes dropped EXE
65  \??\c:\9xlxrxl.exe  c:\9xlxrxl.exe  PID:984  Executes dropped EXE
66  \??\c:\vpjpd.exe  c:\vpjpd.exe  PID:2520
67  \??\c:\u862446.exe  c:\u862446.exe  PID:2160
68  \??\c:\vvpvj.exe  c:\vvpvj.exe  PID:2020
69  \??\c:\46488.exe  c:\46488.exe  PID:1552
70  \??\c:\08402.exe  c:\08402.exe  PID:1312
71  \??\c:\xlflrrf.exe  c:\xlflrrf.exe  PID:616
72  \??\c:\0488406.exe  c:\0488406.exe  PID:2152
73  \??\c:\5httnt.exe  c:\5httnt.exe  PID:1264
74  \??\c:\ffxlxff.exe  c:\ffxlxff.exe  PID:1996
75  \??\c:\224066.exe  c:\224066.exe  PID:2484
76  \??\c:\4846268.exe  c:\4846268.exe  PID:2336
77  \??\c:\dvdjp.exe  c:\dvdjp.exe  PID:2172
78  \??\c:\g0060.exe  c:\g0060.exe  PID:1968  System Location Discovery: System Language Discovery
79  \??\c:\2680284.exe  c:\2680284.exe  PID:2452
80  \??\c:\2668002.exe  c:\2668002.exe  PID:1716
81  \??\c:\e42244.exe  c:\e42244.exe  PID:2700
82  \??\c:\9nbbnt.exe  c:\9nbbnt.exe  PID:2784
83  \??\c:\26024.exe  c:\26024.exe  PID:2756
84  \??\c:\vpjdj.exe  c:\vpjdj.exe  PID:2804
85  \??\c:\5bttbh.exe  c:\5bttbh.exe  PID:2896
86  \??\c:\rrflxxl.exe  c:\rrflxxl.exe  PID:2564  System Location Discovery: System Language Discovery
87  \??\c:\s8288.exe  c:\s8288.exe  PID:1912
88  \??\c:\1hbnbh.exe  c:\1hbnbh.exe  PID:2768
89  \??\c:\o428006.exe  c:\o428006.exe  PID:1532
90  \??\c:\044600.exe  c:\044600.exe  PID:2196
91  \??\c:\9thnbh.exe  c:\9thnbh.exe  PID:1732
92  \??\c:\m4228.exe  c:\m4228.exe  PID:1704
93  \??\c:\066420.exe  c:\066420.exe  PID:2916
94  \??\c:\486684.exe  c:\486684.exe  PID:1796
95  \??\c:\268862.exe  c:\268862.exe  PID:2944
96  \??\c:\q02840.exe  c:\q02840.exe  PID:2280
97  \??\c:\24806.exe  c:\24806.exe  PID:600
98  \??\c:\g2688.exe  c:\g2688.exe  PID:2652
99  \??\c:\2244006.exe  c:\2244006.exe  PID:872
100  \??\c:\1lxffrf.exe  c:\1lxffrf.exe  PID:960
101  \??\c:\60402.exe  c:\60402.exe  PID:264
102  \??\c:\btnbtt.exe  c:\btnbtt.exe  PID:708
103  \??\c:\66884.exe  c:\66884.exe  PID:2964
104  \??\c:\nhtbbh.exe  c:\nhtbbh.exe  PID:2024
105  \??\c:\820022.exe  c:\820022.exe  PID:2448
106  \??\c:\ffxlflf.exe  c:\ffxlflf.exe  PID:2252
107  \??\c:\26062.exe  c:\26062.exe  PID:2036
108  \??\c:\8644006.exe  c:\8644006.exe  PID:1932
109  \??\c:\48804.exe  c:\48804.exe  PID:2164
110  \??\c:\42628.exe  c:\42628.exe  PID:1608
111  \??\c:\4202024.exe  c:\4202024.exe  PID:884
112  \??\c:\tnntnt.exe  c:\tnntnt.exe  PID:1812
113  \??\c:\i480280.exe  c:\i480280.exe  PID:2092
114  \??\c:\rfxlrlr.exe  c:\rfxlrlr.exe  PID:1752
115  \??\c:\lrlrfxr.exe  c:\lrlrfxr.exe  PID:2396
116  \??\c:\dvpjp.exe  c:\dvpjp.exe  PID:1864
117  \??\c:\202282.exe  c:\202282.exe  PID:3068
118  \??\c:\e08066.exe  c:\e08066.exe  PID:2204
119  \??\c:\082244.exe  c:\082244.exe  PID:352
120  \??\c:\8602002.exe  c:\8602002.exe  PID:2104
121  \??\c:\xrlxrxl.exe  c:\xrlxrxl.exe  PID:2320
122  \??\c:\vjpdj.exe  c:\vjpdj.exe  PID:1688  System Location Discovery: System Language Discovery