Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/12/2024, 02:49
Static task
static1
Behavioral task
behavioral1
Sample
a0c76e7dbb5d2bcf0b384ff196631a72c113e3e5d6a9869be81054f0c1a5fce9.exe
Resource
win7-20240903-en
General
-
Target
a0c76e7dbb5d2bcf0b384ff196631a72c113e3e5d6a9869be81054f0c1a5fce9.exe
-
Size
454KB
-
MD5
45d651c469cf77ff4c500e16a4493c42
-
SHA1
b13205bd401a67ff2a98dc83538732f4379180af
-
SHA256
a0c76e7dbb5d2bcf0b384ff196631a72c113e3e5d6a9869be81054f0c1a5fce9
-
SHA512
ab90b90d019fbbbcea42eb6af8fc44b5f45d01f5af967bb61a2b33f6aec8cdebcdda75cdbb36f3cb9318c8a335d154c2525518ee925db0b0e9680adb773f0d83
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeZ:q7Tc2NYHUrAwfMp3CDZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2748-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2204-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3228-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-859-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-1228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-1418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2748 dvddj.exe 4268 jdvpj.exe 4536 2060442.exe 3600 hthnnn.exe 852 xlllxff.exe 3696 xrrrrrl.exe 3024 5vdvd.exe 4788 8626226.exe 4412 6466000.exe 3920 lfrxxlx.exe 3608 242048.exe 876 nbtthn.exe 1988 466004.exe 3508 4444084.exe 4860 5jjdj.exe 4148 frrlffx.exe 3648 862688.exe 1168 4248604.exe 4540 o402666.exe 552 jvddp.exe 3680 jjppj.exe 3312 84048.exe 4792 hnnnhn.exe 2292 tthbhb.exe 2908 vvjjj.exe 3040 8600448.exe 2204 nbhttb.exe 4628 0666044.exe 2412 08804.exe 3148 rflfrrr.exe 320 u282600.exe 3784 0404006.exe 4668 222666.exe 4284 6282004.exe 2444 rrxrrrx.exe 2856 5nnntb.exe 5112 08048.exe 1516 thhbnn.exe 1816 3rlfxxr.exe 3736 tnnnht.exe 1744 0488266.exe 4380 6482282.exe 2072 1ntnnh.exe 1080 bhhbtt.exe 1160 g0204.exe 4140 hbbbtn.exe 4520 4442042.exe 3120 pjpjj.exe 4364 vvdpd.exe 1972 000004.exe 4656 w06666.exe 4932 rffffxx.exe 4772 bttnbb.exe 5072 4282262.exe 4536 26442.exe 5068 ppvvp.exe 208 28826.exe 1248 64482.exe 1572 40660.exe 3868 jdddv.exe 1076 xllrflx.exe 5056 668048.exe 4788 tntnnn.exe 2500 4680442.exe -
resource yara_rule behavioral2/memory/2748-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4628-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-359-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4556-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-821-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-845-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by opening the NLS\Language registry key) in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxflffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8248086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2626486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8004464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8406006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8266004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i826486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c660448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4656 wrote to memory of 2748 4656 a0c76e7dbb5d2bcf0b384ff196631a72c113e3e5d6a9869be81054f0c1a5fce9.exe 83 PID 4656 wrote to memory of 2748 4656 a0c76e7dbb5d2bcf0b384ff196631a72c113e3e5d6a9869be81054f0c1a5fce9.exe 83 PID 4656 wrote to memory of 2748 4656 a0c76e7dbb5d2bcf0b384ff196631a72c113e3e5d6a9869be81054f0c1a5fce9.exe 83 PID 2748 wrote to memory of 4268 2748 dvddj.exe 84 PID 2748 wrote to memory of 4268 2748 dvddj.exe 84 PID 2748 wrote to memory of 4268 2748 dvddj.exe 84 PID 4268 wrote to memory of 4536 4268 jdvpj.exe 85 PID 4268 wrote to memory of 4536 4268 jdvpj.exe 85 PID 4268 wrote to memory of 4536 4268 jdvpj.exe 85 PID 4536 wrote to memory of 3600 4536 2060442.exe 86 PID 4536 wrote to memory of 3600 4536 2060442.exe 86 PID 4536 wrote to memory of 3600 4536 2060442.exe 86 PID 3600 wrote to memory of 852 3600 hthnnn.exe 87 PID 3600 wrote to memory of 852 3600 hthnnn.exe 87 PID 3600 wrote to memory of 852 3600 hthnnn.exe 87 PID 852 wrote to memory of 3696 852 xlllxff.exe 88 PID 852 wrote to memory of 3696 852 xlllxff.exe 88 PID 852 wrote to memory of 3696 852 xlllxff.exe 88 PID 3696 wrote to memory of 3024 3696 xrrrrrl.exe 89 PID 3696 wrote to memory of 3024 3696 xrrrrrl.exe 89 PID 3696 wrote to memory of 3024 3696 xrrrrrl.exe 89 PID 3024 wrote to memory of 4788 3024 5vdvd.exe 90 PID 3024 wrote to memory of 4788 3024 5vdvd.exe 90 PID 3024 wrote to memory of 4788 3024 5vdvd.exe 90 PID 4788 wrote to memory of 4412 4788 8626226.exe 91 PID 4788 wrote to memory of 4412 4788 8626226.exe 91 PID 4788 wrote to memory of 4412 4788 8626226.exe 91 PID 4412 wrote to memory of 3920 4412 6466000.exe 92 PID 4412 wrote to memory of 3920 4412 6466000.exe 92 PID 4412 wrote to memory of 3920 4412 6466000.exe 92 PID 3920 wrote to memory of 3608 3920 lfrxxlx.exe 93 PID 3920 wrote to memory of 3608 3920 lfrxxlx.exe 93 PID 3920 wrote to memory of 3608 3920 lfrxxlx.exe 93 PID 3608 wrote to memory of 876 3608 242048.exe 94 PID 3608 wrote to 
memory of 876 3608 242048.exe 94 PID 3608 wrote to memory of 876 3608 242048.exe 94 PID 876 wrote to memory of 1988 876 nbtthn.exe 95 PID 876 wrote to memory of 1988 876 nbtthn.exe 95 PID 876 wrote to memory of 1988 876 nbtthn.exe 95 PID 1988 wrote to memory of 3508 1988 466004.exe 96 PID 1988 wrote to memory of 3508 1988 466004.exe 96 PID 1988 wrote to memory of 3508 1988 466004.exe 96 PID 3508 wrote to memory of 4860 3508 4444084.exe 97 PID 3508 wrote to memory of 4860 3508 4444084.exe 97 PID 3508 wrote to memory of 4860 3508 4444084.exe 97 PID 4860 wrote to memory of 4148 4860 5jjdj.exe 98 PID 4860 wrote to memory of 4148 4860 5jjdj.exe 98 PID 4860 wrote to memory of 4148 4860 5jjdj.exe 98 PID 4148 wrote to memory of 3648 4148 frrlffx.exe 99 PID 4148 wrote to memory of 3648 4148 frrlffx.exe 99 PID 4148 wrote to memory of 3648 4148 frrlffx.exe 99 PID 3648 wrote to memory of 1168 3648 862688.exe 100 PID 3648 wrote to memory of 1168 3648 862688.exe 100 PID 3648 wrote to memory of 1168 3648 862688.exe 100 PID 1168 wrote to memory of 4540 1168 4248604.exe 101 PID 1168 wrote to memory of 4540 1168 4248604.exe 101 PID 1168 wrote to memory of 4540 1168 4248604.exe 101 PID 4540 wrote to memory of 552 4540 o402666.exe 102 PID 4540 wrote to memory of 552 4540 o402666.exe 102 PID 4540 wrote to memory of 552 4540 o402666.exe 102 PID 552 wrote to memory of 3680 552 jvddp.exe 103 PID 552 wrote to memory of 3680 552 jvddp.exe 103 PID 552 wrote to memory of 3680 552 jvddp.exe 103 PID 3680 wrote to memory of 3312 3680 jjppj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0c76e7dbb5d2bcf0b384ff196631a72c113e3e5d6a9869be81054f0c1a5fce9.exe"C:\Users\Admin\AppData\Local\Temp\a0c76e7dbb5d2bcf0b384ff196631a72c113e3e5d6a9869be81054f0c1a5fce9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\dvddj.exec:\dvddj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\jdvpj.exec:\jdvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\2060442.exec:\2060442.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\hthnnn.exec:\hthnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\xlllxff.exec:\xlllxff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\xrrrrrl.exec:\xrrrrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\5vdvd.exec:\5vdvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\8626226.exec:\8626226.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\6466000.exec:\6466000.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\lfrxxlx.exec:\lfrxxlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\242048.exec:\242048.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\nbtthn.exec:\nbtthn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\466004.exec:\466004.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\4444084.exec:\4444084.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\5jjdj.exec:\5jjdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\frrlffx.exec:\frrlffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\862688.exec:\862688.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\4248604.exec:\4248604.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\o402666.exec:\o402666.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\jvddp.exec:\jvddp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\jjppj.exec:\jjppj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\84048.exec:\84048.exe23⤵
- Executes dropped EXE
PID:3312 -
\??\c:\hnnnhn.exec:\hnnnhn.exe24⤵
- Executes dropped EXE
PID:4792 -
\??\c:\tthbhb.exec:\tthbhb.exe25⤵
- Executes dropped EXE
PID:2292 -
\??\c:\vvjjj.exec:\vvjjj.exe26⤵
- Executes dropped EXE
PID:2908 -
\??\c:\8600448.exec:\8600448.exe27⤵
- Executes dropped EXE
PID:3040 -
\??\c:\nbhttb.exec:\nbhttb.exe28⤵
- Executes dropped EXE
PID:2204 -
\??\c:\0666044.exec:\0666044.exe29⤵
- Executes dropped EXE
PID:4628 -
\??\c:\08804.exec:\08804.exe30⤵
- Executes dropped EXE
PID:2412 -
\??\c:\rflfrrr.exec:\rflfrrr.exe31⤵
- Executes dropped EXE
PID:3148 -
\??\c:\u282600.exec:\u282600.exe32⤵
- Executes dropped EXE
PID:320 -
\??\c:\0404006.exec:\0404006.exe33⤵
- Executes dropped EXE
PID:3784 -
\??\c:\222666.exec:\222666.exe34⤵
- Executes dropped EXE
PID:4668 -
\??\c:\6282004.exec:\6282004.exe35⤵
- Executes dropped EXE
PID:4284 -
\??\c:\rrxrrrx.exec:\rrxrrrx.exe36⤵
- Executes dropped EXE
PID:2444 -
\??\c:\5nnntb.exec:\5nnntb.exe37⤵
- Executes dropped EXE
PID:2856 -
\??\c:\08048.exec:\08048.exe38⤵
- Executes dropped EXE
PID:5112 -
\??\c:\thhbnn.exec:\thhbnn.exe39⤵
- Executes dropped EXE
PID:1516 -
\??\c:\3rlfxxr.exec:\3rlfxxr.exe40⤵
- Executes dropped EXE
PID:1816 -
\??\c:\tnnnht.exec:\tnnnht.exe41⤵
- Executes dropped EXE
PID:3736 -
\??\c:\0488266.exec:\0488266.exe42⤵
- Executes dropped EXE
PID:1744 -
\??\c:\6482282.exec:\6482282.exe43⤵
- Executes dropped EXE
PID:4380 -
\??\c:\1ntnnh.exec:\1ntnnh.exe44⤵
- Executes dropped EXE
PID:2072 -
\??\c:\bhhbtt.exec:\bhhbtt.exe45⤵
- Executes dropped EXE
PID:1080 -
\??\c:\g0204.exec:\g0204.exe46⤵
- Executes dropped EXE
PID:1160 -
\??\c:\hbbbtn.exec:\hbbbtn.exe47⤵
- Executes dropped EXE
PID:4140 -
\??\c:\4442042.exec:\4442042.exe48⤵
- Executes dropped EXE
PID:4520 -
\??\c:\pjpjj.exec:\pjpjj.exe49⤵
- Executes dropped EXE
PID:3120 -
\??\c:\vvdpd.exec:\vvdpd.exe50⤵
- Executes dropped EXE
PID:4364 -
\??\c:\000004.exec:\000004.exe51⤵
- Executes dropped EXE
PID:1972 -
\??\c:\w06666.exec:\w06666.exe52⤵
- Executes dropped EXE
PID:4656 -
\??\c:\rffffxx.exec:\rffffxx.exe53⤵
- Executes dropped EXE
PID:4932 -
\??\c:\bttnbb.exec:\bttnbb.exe54⤵
- Executes dropped EXE
PID:4772 -
\??\c:\4282262.exec:\4282262.exe55⤵
- Executes dropped EXE
PID:5072 -
\??\c:\26442.exec:\26442.exe56⤵
- Executes dropped EXE
PID:4536 -
\??\c:\ppvvp.exec:\ppvvp.exe57⤵
- Executes dropped EXE
PID:5068 -
\??\c:\28826.exec:\28826.exe58⤵
- Executes dropped EXE
PID:208 -
\??\c:\64482.exec:\64482.exe59⤵
- Executes dropped EXE
PID:1248 -
\??\c:\40660.exec:\40660.exe60⤵
- Executes dropped EXE
PID:1572 -
\??\c:\jdddv.exec:\jdddv.exe61⤵
- Executes dropped EXE
PID:3868 -
\??\c:\xllrflx.exec:\xllrflx.exe62⤵
- Executes dropped EXE
PID:1076 -
\??\c:\668048.exec:\668048.exe63⤵
- Executes dropped EXE
PID:5056 -
\??\c:\tntnnn.exec:\tntnnn.exe64⤵
- Executes dropped EXE
PID:4788 -
\??\c:\4680442.exec:\4680442.exe65⤵
- Executes dropped EXE
PID:2500 -
\??\c:\nbhhhh.exec:\nbhhhh.exe66⤵PID:3316
-
\??\c:\lrfxrrl.exec:\lrfxrrl.exe67⤵PID:2860
-
\??\c:\844882.exec:\844882.exe68⤵PID:1672
-
\??\c:\280822.exec:\280822.exe69⤵PID:876
-
\??\c:\jjppv.exec:\jjppv.exe70⤵PID:1016
-
\??\c:\tnnnhh.exec:\tnnnhh.exe71⤵PID:2568
-
\??\c:\g8826.exec:\g8826.exe72⤵PID:3228
-
\??\c:\5rrlfxr.exec:\5rrlfxr.exe73⤵PID:244
-
\??\c:\rrxrrrr.exec:\rrxrrrr.exe74⤵PID:4760
-
\??\c:\6620484.exec:\6620484.exe75⤵PID:1072
-
\??\c:\08460.exec:\08460.exe76⤵PID:1828
-
\??\c:\fxfxllf.exec:\fxfxllf.exe77⤵PID:4252
-
\??\c:\tbbttn.exec:\tbbttn.exe78⤵
- System Location Discovery: System Language Discovery
PID:3132 -
\??\c:\2626062.exec:\2626062.exe79⤵PID:4936
-
\??\c:\q68600.exec:\q68600.exe80⤵PID:2608
-
\??\c:\1xfxxfx.exec:\1xfxxfx.exe81⤵PID:1048
-
\??\c:\88488.exec:\88488.exe82⤵PID:5084
-
\??\c:\pvvpj.exec:\pvvpj.exe83⤵PID:380
-
\??\c:\3xxxrrl.exec:\3xxxrrl.exe84⤵PID:4556
-
\??\c:\vjdvd.exec:\vjdvd.exe85⤵PID:5108
-
\??\c:\48480.exec:\48480.exe86⤵PID:1768
-
\??\c:\84620.exec:\84620.exe87⤵PID:4940
-
\??\c:\8426044.exec:\8426044.exe88⤵PID:1132
-
\??\c:\4648222.exec:\4648222.exe89⤵PID:2092
-
\??\c:\3nnhbt.exec:\3nnhbt.exe90⤵PID:4660
-
\??\c:\040000.exec:\040000.exe91⤵PID:1008
-
\??\c:\8440604.exec:\8440604.exe92⤵PID:1244
-
\??\c:\4800448.exec:\4800448.exe93⤵PID:3136
-
\??\c:\s8006.exec:\s8006.exe94⤵PID:3148
-
\??\c:\80604.exec:\80604.exe95⤵
- System Location Discovery: System Language Discovery
PID:320 -
\??\c:\fxxrlll.exec:\fxxrlll.exe96⤵PID:3916
-
\??\c:\9flflrr.exec:\9flflrr.exe97⤵PID:4572
-
\??\c:\i822884.exec:\i822884.exe98⤵PID:1544
-
\??\c:\24626.exec:\24626.exe99⤵PID:3556
-
\??\c:\thnhhn.exec:\thnhhn.exe100⤵PID:460
-
\??\c:\u620866.exec:\u620866.exe101⤵PID:2852
-
\??\c:\jddvp.exec:\jddvp.exe102⤵PID:4552
-
\??\c:\vpppd.exec:\vpppd.exe103⤵PID:3952
-
\??\c:\9xrfxrl.exec:\9xrfxrl.exe104⤵PID:5048
-
\??\c:\jvdpj.exec:\jvdpj.exe105⤵PID:1628
-
\??\c:\3bnbhb.exec:\3bnbhb.exe106⤵PID:3756
-
\??\c:\4660488.exec:\4660488.exe107⤵PID:4568
-
\??\c:\8282828.exec:\8282828.exe108⤵PID:2072
-
\??\c:\a8622.exec:\a8622.exe109⤵PID:1464
-
\??\c:\jvpdp.exec:\jvpdp.exe110⤵PID:4516
-
\??\c:\llrlrlr.exec:\llrlrlr.exe111⤵PID:4140
-
\??\c:\w26448.exec:\w26448.exe112⤵PID:4340
-
\??\c:\28204.exec:\28204.exe113⤵PID:4508
-
\??\c:\rffxfrf.exec:\rffxfrf.exe114⤵PID:532
-
\??\c:\4226048.exec:\4226048.exe115⤵PID:2252
-
\??\c:\24020.exec:\24020.exe116⤵PID:1780
-
\??\c:\284266.exec:\284266.exe117⤵PID:4932
-
\??\c:\68604.exec:\68604.exe118⤵PID:3580
-
\??\c:\8004464.exec:\8004464.exe119⤵
- System Location Discovery: System Language Discovery
PID:1176 -
\??\c:\bthbhh.exec:\bthbhh.exe120⤵PID:4700
-
\??\c:\nntnnn.exec:\nntnnn.exe121⤵PID:4484
-
\??\c:\5dpvd.exec:\5dpvd.exe122⤵PID:208