Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2024, 06:00
Static task
static1
Behavioral task
behavioral1
Sample
a21273f8d02387e2a58c1b9527c8c77c3538e088b0cae78962246faa45b71fd9.exe
Resource
win7-20240903-en
General
-
Target
a21273f8d02387e2a58c1b9527c8c77c3538e088b0cae78962246faa45b71fd9.exe
-
Size
453KB
-
MD5
a6e33c979be27c236a3acea127d7dba1
-
SHA1
005441a31345b1970fcd94deb4eec64d701570af
-
SHA256
a21273f8d02387e2a58c1b9527c8c77c3538e088b0cae78962246faa45b71fd9
-
SHA512
ca15634c85f0214185a89c4a3b832d2e02334041b81a9511c6e1504bcee598f96087fd881871bbb92de30a34168f9247e46c9527757764cc4c5a63f4bdefd748
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1448-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3408-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5016-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-802-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-929-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-936-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/224-1141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1664 dpdpd.exe 3896 lrxrrxr.exe 3688 5dpjp.exe 2576 xlrffxx.exe 4140 tnnbhb.exe 4816 fffrlxr.exe 932 nnbnhb.exe 5088 xrfrlfx.exe 3628 hbbnbn.exe 4808 3pvjd.exe 3876 lfxfxff.exe 3088 dvjdv.exe 5100 9hnbtn.exe 640 jjvjv.exe 2556 fffxfxx.exe 4836 thhbhb.exe 1764 pdjvp.exe 3556 1xrrlfx.exe 2760 1pvvj.exe 956 ffxlxrr.exe 816 ddppd.exe 5020 1djvd.exe 2032 lffrlfr.exe 3408 nhbtnn.exe 1772 xrxllfr.exe 4220 thbthh.exe 4548 rlfxlfx.exe 464 bttnbb.exe 1532 5djvp.exe 1212 rlxflfl.exe 3584 fxffxrl.exe 4496 xrlxlfr.exe 760 pdvjd.exe 3652 frxrfxf.exe 400 xfrlxxx.exe 896 vpjjd.exe 4252 dvpdp.exe 2084 rxxlxxl.exe 2540 5pppp.exe 2240 tbttnh.exe 4436 vvvdp.exe 2964 lxfxllf.exe 4484 vjvpj.exe 2832 9rrlxxx.exe 4912 ffrfxlf.exe 3024 9vdvp.exe 4116 pddjd.exe 3688 xxxxrrr.exe 4000 ttbbnh.exe 1992 dvppd.exe 4140 jvpjv.exe 2324 rllxrrf.exe 3528 hhnhbh.exe 404 pdjvv.exe 3056 ppjdp.exe 4948 9flfxff.exe 4420 1hhnbn.exe 4968 vpjdv.exe 3980 llfrfxr.exe 3052 xlfrlfx.exe 2684 7tnnhh.exe 1440 dvvpj.exe 5100 ffxllrr.exe 1556 tbnnbn.exe -
resource yara_rule behavioral2/memory/1448-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-125-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3408-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-336-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1584-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-712-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxlfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlllxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrfxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1448 wrote to memory of 1664 1448 a21273f8d02387e2a58c1b9527c8c77c3538e088b0cae78962246faa45b71fd9.exe 82 PID 1448 wrote to memory of 1664 1448 a21273f8d02387e2a58c1b9527c8c77c3538e088b0cae78962246faa45b71fd9.exe 82 PID 1448 wrote to memory of 1664 1448 a21273f8d02387e2a58c1b9527c8c77c3538e088b0cae78962246faa45b71fd9.exe 82 PID 1664 wrote to memory of 3896 1664 dpdpd.exe 83 PID 1664 wrote to memory of 3896 1664 dpdpd.exe 83 PID 1664 wrote to memory of 3896 1664 dpdpd.exe 83 PID 3896 wrote to memory of 3688 3896 lrxrrxr.exe 84 PID 3896 wrote to memory of 3688 3896 lrxrrxr.exe 84 PID 3896 wrote to memory of 3688 3896 lrxrrxr.exe 84 PID 3688 wrote to memory of 2576 3688 5dpjp.exe 85 PID 3688 wrote to memory of 2576 3688 5dpjp.exe 85 PID 3688 wrote to memory of 2576 3688 5dpjp.exe 85 PID 2576 wrote to memory of 4140 2576 xlrffxx.exe 86 PID 2576 wrote to memory of 4140 2576 xlrffxx.exe 86 PID 2576 wrote to memory of 4140 2576 xlrffxx.exe 86 PID 4140 wrote to memory of 4816 4140 tnnbhb.exe 87 PID 4140 wrote to memory of 4816 4140 tnnbhb.exe 87 PID 4140 wrote to memory of 4816 4140 tnnbhb.exe 87 PID 4816 wrote to memory of 932 4816 fffrlxr.exe 88 PID 4816 wrote to memory of 932 4816 fffrlxr.exe 88 PID 4816 wrote to memory of 932 4816 fffrlxr.exe 88 PID 932 wrote to memory of 5088 932 nnbnhb.exe 89 PID 932 wrote to memory of 5088 932 nnbnhb.exe 89 PID 932 wrote to memory of 5088 932 nnbnhb.exe 89 PID 5088 wrote to memory of 3628 5088 xrfrlfx.exe 90 PID 5088 wrote to memory of 3628 5088 xrfrlfx.exe 90 PID 5088 wrote to memory of 3628 5088 xrfrlfx.exe 90 PID 3628 wrote to memory of 4808 3628 hbbnbn.exe 91 PID 3628 wrote to memory of 4808 3628 hbbnbn.exe 91 PID 3628 wrote to memory of 4808 3628 hbbnbn.exe 91 PID 4808 wrote to memory of 3876 4808 3pvjd.exe 92 PID 4808 wrote to memory of 3876 4808 3pvjd.exe 92 PID 4808 wrote to memory of 3876 4808 3pvjd.exe 92 PID 3876 wrote to memory of 3088 3876 lfxfxff.exe 93 PID 3876 wrote to memory 
of 3088 3876 lfxfxff.exe 93 PID 3876 wrote to memory of 3088 3876 lfxfxff.exe 93 PID 3088 wrote to memory of 5100 3088 dvjdv.exe 94 PID 3088 wrote to memory of 5100 3088 dvjdv.exe 94 PID 3088 wrote to memory of 5100 3088 dvjdv.exe 94 PID 5100 wrote to memory of 640 5100 9hnbtn.exe 95 PID 5100 wrote to memory of 640 5100 9hnbtn.exe 95 PID 5100 wrote to memory of 640 5100 9hnbtn.exe 95 PID 640 wrote to memory of 2556 640 jjvjv.exe 96 PID 640 wrote to memory of 2556 640 jjvjv.exe 96 PID 640 wrote to memory of 2556 640 jjvjv.exe 96 PID 2556 wrote to memory of 4836 2556 fffxfxx.exe 97 PID 2556 wrote to memory of 4836 2556 fffxfxx.exe 97 PID 2556 wrote to memory of 4836 2556 fffxfxx.exe 97 PID 4836 wrote to memory of 1764 4836 thhbhb.exe 98 PID 4836 wrote to memory of 1764 4836 thhbhb.exe 98 PID 4836 wrote to memory of 1764 4836 thhbhb.exe 98 PID 1764 wrote to memory of 3556 1764 pdjvp.exe 99 PID 1764 wrote to memory of 3556 1764 pdjvp.exe 99 PID 1764 wrote to memory of 3556 1764 pdjvp.exe 99 PID 3556 wrote to memory of 2760 3556 1xrrlfx.exe 100 PID 3556 wrote to memory of 2760 3556 1xrrlfx.exe 100 PID 3556 wrote to memory of 2760 3556 1xrrlfx.exe 100 PID 2760 wrote to memory of 956 2760 1pvvj.exe 101 PID 2760 wrote to memory of 956 2760 1pvvj.exe 101 PID 2760 wrote to memory of 956 2760 1pvvj.exe 101 PID 956 wrote to memory of 816 956 ffxlxrr.exe 102 PID 956 wrote to memory of 816 956 ffxlxrr.exe 102 PID 956 wrote to memory of 816 956 ffxlxrr.exe 102 PID 816 wrote to memory of 5020 816 ddppd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a21273f8d02387e2a58c1b9527c8c77c3538e088b0cae78962246faa45b71fd9.exe"C:\Users\Admin\AppData\Local\Temp\a21273f8d02387e2a58c1b9527c8c77c3538e088b0cae78962246faa45b71fd9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\dpdpd.exec:\dpdpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\lrxrrxr.exec:\lrxrrxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\5dpjp.exec:\5dpjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\xlrffxx.exec:\xlrffxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\tnnbhb.exec:\tnnbhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\fffrlxr.exec:\fffrlxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\nnbnhb.exec:\nnbnhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\xrfrlfx.exec:\xrfrlfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\hbbnbn.exec:\hbbnbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\3pvjd.exec:\3pvjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\lfxfxff.exec:\lfxfxff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\dvjdv.exec:\dvjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\9hnbtn.exec:\9hnbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\jjvjv.exec:\jjvjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\fffxfxx.exec:\fffxfxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\thhbhb.exec:\thhbhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\pdjvp.exec:\pdjvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\1xrrlfx.exec:\1xrrlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\1pvvj.exec:\1pvvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\ffxlxrr.exec:\ffxlxrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
\??\c:\ddppd.exec:\ddppd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\1djvd.exec:\1djvd.exe23⤵
- Executes dropped EXE
PID:5020 -
\??\c:\lffrlfr.exec:\lffrlfr.exe24⤵
- Executes dropped EXE
PID:2032 -
\??\c:\nhbtnn.exec:\nhbtnn.exe25⤵
- Executes dropped EXE
PID:3408 -
\??\c:\xrxllfr.exec:\xrxllfr.exe26⤵
- Executes dropped EXE
PID:1772 -
\??\c:\thbthh.exec:\thbthh.exe27⤵
- Executes dropped EXE
PID:4220 -
\??\c:\rlfxlfx.exec:\rlfxlfx.exe28⤵
- Executes dropped EXE
PID:4548 -
\??\c:\bttnbb.exec:\bttnbb.exe29⤵
- Executes dropped EXE
PID:464 -
\??\c:\5djvp.exec:\5djvp.exe30⤵
- Executes dropped EXE
PID:1532 -
\??\c:\rlxflfl.exec:\rlxflfl.exe31⤵
- Executes dropped EXE
PID:1212 -
\??\c:\fxffxrl.exec:\fxffxrl.exe32⤵
- Executes dropped EXE
PID:3584 -
\??\c:\xrlxlfr.exec:\xrlxlfr.exe33⤵
- Executes dropped EXE
PID:4496 -
\??\c:\pdvjd.exec:\pdvjd.exe34⤵
- Executes dropped EXE
PID:760 -
\??\c:\frxrfxf.exec:\frxrfxf.exe35⤵
- Executes dropped EXE
PID:3652 -
\??\c:\xfrlxxx.exec:\xfrlxxx.exe36⤵
- Executes dropped EXE
PID:400 -
\??\c:\vpjjd.exec:\vpjjd.exe37⤵
- Executes dropped EXE
PID:896 -
\??\c:\dvpdp.exec:\dvpdp.exe38⤵
- Executes dropped EXE
PID:4252 -
\??\c:\rxxlxxl.exec:\rxxlxxl.exe39⤵
- Executes dropped EXE
PID:2084 -
\??\c:\5pppp.exec:\5pppp.exe40⤵
- Executes dropped EXE
PID:2540 -
\??\c:\tbttnh.exec:\tbttnh.exe41⤵
- Executes dropped EXE
PID:2240 -
\??\c:\vvvdp.exec:\vvvdp.exe42⤵
- Executes dropped EXE
PID:4436 -
\??\c:\lxfxllf.exec:\lxfxllf.exe43⤵
- Executes dropped EXE
PID:2964 -
\??\c:\vjvpj.exec:\vjvpj.exe44⤵
- Executes dropped EXE
PID:4484 -
\??\c:\9rrlxxx.exec:\9rrlxxx.exe45⤵
- Executes dropped EXE
PID:2832 -
\??\c:\ffrfxlf.exec:\ffrfxlf.exe46⤵
- Executes dropped EXE
PID:4912 -
\??\c:\9vdvp.exec:\9vdvp.exe47⤵
- Executes dropped EXE
PID:3024 -
\??\c:\pddjd.exec:\pddjd.exe48⤵
- Executes dropped EXE
PID:4116 -
\??\c:\xxxxrrr.exec:\xxxxrrr.exe49⤵
- Executes dropped EXE
PID:3688 -
\??\c:\ttbbnh.exec:\ttbbnh.exe50⤵
- Executes dropped EXE
PID:4000 -
\??\c:\dvppd.exec:\dvppd.exe51⤵
- Executes dropped EXE
PID:1992 -
\??\c:\jvpjv.exec:\jvpjv.exe52⤵
- Executes dropped EXE
PID:4140 -
\??\c:\rllxrrf.exec:\rllxrrf.exe53⤵
- Executes dropped EXE
PID:2324 -
\??\c:\hhnhbh.exec:\hhnhbh.exe54⤵
- Executes dropped EXE
PID:3528 -
\??\c:\pdjvv.exec:\pdjvv.exe55⤵
- Executes dropped EXE
PID:404 -
\??\c:\ppjdp.exec:\ppjdp.exe56⤵
- Executes dropped EXE
PID:3056 -
\??\c:\9flfxff.exec:\9flfxff.exe57⤵
- Executes dropped EXE
PID:4948 -
\??\c:\1hhnbn.exec:\1hhnbn.exe58⤵
- Executes dropped EXE
PID:4420 -
\??\c:\vpjdv.exec:\vpjdv.exe59⤵
- Executes dropped EXE
PID:4968 -
\??\c:\llfrfxr.exec:\llfrfxr.exe60⤵
- Executes dropped EXE
PID:3980 -
\??\c:\xlfrlfx.exec:\xlfrlfx.exe61⤵
- Executes dropped EXE
PID:3052 -
\??\c:\7tnnhh.exec:\7tnnhh.exe62⤵
- Executes dropped EXE
PID:2684 -
\??\c:\dvvpj.exec:\dvvpj.exe63⤵
- Executes dropped EXE
PID:1440 -
\??\c:\ffxllrr.exec:\ffxllrr.exe64⤵
- Executes dropped EXE
PID:5100 -
\??\c:\tbnnbn.exec:\tbnnbn.exe65⤵
- Executes dropped EXE
PID:1556 -
\??\c:\pppjj.exec:\pppjj.exe66⤵PID:4972
-
\??\c:\xrxxrxr.exec:\xrxxrxr.exe67⤵PID:1780
-
\??\c:\7tttnh.exec:\7tttnh.exe68⤵PID:4304
-
\??\c:\nhtntt.exec:\nhtntt.exe69⤵PID:1488
-
\??\c:\ddjdd.exec:\ddjdd.exe70⤵PID:2008
-
\??\c:\lxlfxrr.exec:\lxlfxrr.exe71⤵PID:3556
-
\??\c:\3ntnhn.exec:\3ntnhn.exe72⤵PID:2760
-
\??\c:\9ddpj.exec:\9ddpj.exe73⤵PID:2612
-
\??\c:\lrrfrrf.exec:\lrrfrrf.exe74⤵PID:5016
-
\??\c:\tbbtnb.exec:\tbbtnb.exe75⤵PID:816
-
\??\c:\jddvj.exec:\jddvj.exe76⤵PID:4520
-
\??\c:\fxrfrlx.exec:\fxrfrlx.exe77⤵PID:512
-
\??\c:\rlfrlfx.exec:\rlfrlfx.exe78⤵PID:2032
-
\??\c:\hnhtbh.exec:\hnhtbh.exe79⤵PID:1584
-
\??\c:\jjpdp.exec:\jjpdp.exe80⤵PID:1652
-
\??\c:\lrrlxxr.exec:\lrrlxxr.exe81⤵PID:516
-
\??\c:\hhttbb.exec:\hhttbb.exe82⤵PID:3084
-
\??\c:\ntbbbt.exec:\ntbbbt.exe83⤵PID:316
-
\??\c:\jjdvj.exec:\jjdvj.exe84⤵PID:2308
-
\??\c:\ffllffl.exec:\ffllffl.exe85⤵PID:2880
-
\??\c:\nntnbn.exec:\nntnbn.exe86⤵PID:3048
-
\??\c:\9ntbnt.exec:\9ntbnt.exe87⤵PID:3160
-
\??\c:\pdvpd.exec:\pdvpd.exe88⤵PID:3720
-
\??\c:\xlrrxfl.exec:\xlrrxfl.exe89⤵PID:3008
-
\??\c:\lfrlrrx.exec:\lfrlrrx.exe90⤵PID:5008
-
\??\c:\5hbttt.exec:\5hbttt.exe91⤵PID:924
-
\??\c:\3djdj.exec:\3djdj.exe92⤵PID:1384
-
\??\c:\rrfrfrf.exec:\rrfrfrf.exe93⤵PID:536
-
\??\c:\nbnbnn.exec:\nbnbnn.exe94⤵PID:2044
-
\??\c:\7pjjd.exec:\7pjjd.exe95⤵PID:2928
-
\??\c:\xxllrfl.exec:\xxllrfl.exe96⤵PID:3708
-
\??\c:\xrfxrfx.exec:\xrfxrfx.exe97⤵PID:3972
-
\??\c:\bhbbtn.exec:\bhbbtn.exe98⤵PID:1616
-
\??\c:\3vdjp.exec:\3vdjp.exe99⤵PID:216
-
\??\c:\fxrffxx.exec:\fxrffxx.exe100⤵PID:4356
-
\??\c:\xxxfxrl.exec:\xxxfxrl.exe101⤵PID:2964
-
\??\c:\nbhhhh.exec:\nbhhhh.exe102⤵PID:1448
-
\??\c:\ppddd.exec:\ppddd.exe103⤵PID:232
-
\??\c:\rlfxllf.exec:\rlfxllf.exe104⤵PID:2484
-
\??\c:\tnnnht.exec:\tnnnht.exe105⤵PID:2748
-
\??\c:\jdjjj.exec:\jdjjj.exe106⤵PID:4644
-
\??\c:\1lfxxxx.exec:\1lfxxxx.exe107⤵PID:4456
-
\??\c:\rxllfxx.exec:\rxllfxx.exe108⤵PID:2380
-
\??\c:\5nnhbb.exec:\5nnhbb.exe109⤵PID:3620
-
\??\c:\1vddv.exec:\1vddv.exe110⤵PID:2860
-
\??\c:\9dpvj.exec:\9dpvj.exe111⤵PID:3288
-
\??\c:\9fffffl.exec:\9fffffl.exe112⤵PID:1692
-
\??\c:\bbhtnb.exec:\bbhtnb.exe113⤵PID:3532
-
\??\c:\jpvpj.exec:\jpvpj.exe114⤵PID:3432
-
\??\c:\3ffxxfx.exec:\3ffxxfx.exe115⤵PID:4048
-
\??\c:\hhnbtt.exec:\hhnbtt.exe116⤵PID:2724
-
\??\c:\3tbnbb.exec:\3tbnbb.exe117⤵PID:3756
-
\??\c:\5pjdp.exec:\5pjdp.exe118⤵PID:2932
-
\??\c:\rlllffx.exec:\rlllffx.exe119⤵PID:3304
-
\??\c:\1tbbnn.exec:\1tbbnn.exe120⤵PID:1436
-
\??\c:\vjddp.exec:\vjddp.exe121⤵PID:3632
-
\??\c:\rfxrrlf.exec:\rfxrrlf.exe122⤵PID:4924