Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2024, 07:04
Static task
static1
Behavioral task
behavioral1
Sample
f6f81b207472b34ff03b0053fa0cfffb8e2833a9b8b2f8ad75b36c8421cef10c.exe
Resource
win7-20240903-en
General
-
Target
f6f81b207472b34ff03b0053fa0cfffb8e2833a9b8b2f8ad75b36c8421cef10c.exe
-
Size
454KB
-
MD5
929a6af4011a6d9fcc527866d52247f6
-
SHA1
f6679015b38dae5af380b4a4daf4a896388f0d3f
-
SHA256
f6f81b207472b34ff03b0053fa0cfffb8e2833a9b8b2f8ad75b36c8421cef10c
-
SHA512
026301d44b3901b6b8ddc65a5a61184661d071b438cb14a612a13b5dcf44bce63c0ff6bec8505c70de8df06857e90eefbed55cbe3c6918963bacc5378ca20346
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe+:q7Tc2NYHUrAwfMp3CD+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2084-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/792-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4172-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5048-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-692-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-899-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-957-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-1081-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-1139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-1730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4888 djjdd.exe 792 dddvd.exe 2204 24202.exe 2732 06808.exe 4484 pjjvd.exe 1896 hbbnhb.exe 3248 06444.exe 4020 080422.exe 1664 nbnnhh.exe 1684 4284000.exe 2868 6806662.exe 4084 vjddp.exe 3832 4624866.exe 4196 jvjjd.exe 2400 844240.exe 1964 bhhhbb.exe 3548 0884444.exe 1224 nhntnt.exe 4476 4484888.exe 4648 080606.exe 2880 20882.exe 4644 djppj.exe 3740 6666444.exe 1032 vjvvp.exe 1000 846000.exe 2016 m4666.exe 920 20800.exe 4976 62042.exe 4432 80482.exe 2184 4804668.exe 2096 4422226.exe 3464 842082.exe 4868 bbhthh.exe 4240 842482.exe 3440 484466.exe 3200 0060482.exe 936 2408222.exe 4172 08680.exe 624 q66666.exe 4516 bnnnnb.exe 1380 lxllxxl.exe 1616 vdjjj.exe 5048 206086.exe 3500 420466.exe 4448 thhbbb.exe 540 9xfllxx.exe 1704 xxlfflr.exe 4052 rxffllr.exe 1724 rxrrrxl.exe 4904 5ddpj.exe 1604 rxxflfr.exe 4348 484068.exe 4772 ntbbbb.exe 4412 a2204.exe 4800 0048084.exe 4724 bntthh.exe 2220 ppvvv.exe 1428 848082.exe 3916 i244888.exe 4768 vdvpj.exe 4120 6640808.exe 3268 68000.exe 5000 bbbnth.exe 948 0848204.exe -
resource yara_rule behavioral2/memory/2084-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-191-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3464-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-425-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2276-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-899-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-957-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 664884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2688428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6608668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxflrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0868048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2428888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i424260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0820820.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6022440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhbb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2084 wrote to memory of 4888 2084 f6f81b207472b34ff03b0053fa0cfffb8e2833a9b8b2f8ad75b36c8421cef10c.exe 83 PID 2084 wrote to memory of 4888 2084 f6f81b207472b34ff03b0053fa0cfffb8e2833a9b8b2f8ad75b36c8421cef10c.exe 83 PID 2084 wrote to memory of 4888 2084 f6f81b207472b34ff03b0053fa0cfffb8e2833a9b8b2f8ad75b36c8421cef10c.exe 83 PID 4888 wrote to memory of 792 4888 djjdd.exe 84 PID 4888 wrote to memory of 792 4888 djjdd.exe 84 PID 4888 wrote to memory of 792 4888 djjdd.exe 84 PID 792 wrote to memory of 2204 792 dddvd.exe 85 PID 792 wrote to memory of 2204 792 dddvd.exe 85 PID 792 wrote to memory of 2204 792 dddvd.exe 85 PID 2204 wrote to memory of 2732 2204 24202.exe 86 PID 2204 wrote to memory of 2732 2204 24202.exe 86 PID 2204 wrote to memory of 2732 2204 24202.exe 86 PID 2732 wrote to memory of 4484 2732 06808.exe 87 PID 2732 wrote to memory of 4484 2732 06808.exe 87 PID 2732 wrote to memory of 4484 2732 06808.exe 87 PID 4484 wrote to memory of 1896 4484 pjjvd.exe 88 PID 4484 wrote to memory of 1896 4484 pjjvd.exe 88 PID 4484 wrote to memory of 1896 4484 pjjvd.exe 88 PID 1896 wrote to memory of 3248 1896 hbbnhb.exe 89 PID 1896 wrote to memory of 3248 1896 hbbnhb.exe 89 PID 1896 wrote to memory of 3248 1896 hbbnhb.exe 89 PID 3248 wrote to memory of 4020 3248 06444.exe 90 PID 3248 wrote to memory of 4020 3248 06444.exe 90 PID 3248 wrote to memory of 4020 3248 06444.exe 90 PID 4020 wrote to memory of 1664 4020 080422.exe 91 PID 4020 wrote to memory of 1664 4020 080422.exe 91 PID 4020 wrote to memory of 1664 4020 080422.exe 91 PID 1664 wrote to memory of 1684 1664 nbnnhh.exe 92 PID 1664 wrote to memory of 1684 1664 nbnnhh.exe 92 PID 1664 wrote to memory of 1684 1664 nbnnhh.exe 92 PID 1684 wrote to memory of 2868 1684 4284000.exe 93 PID 1684 wrote to memory of 2868 1684 4284000.exe 93 PID 1684 wrote to memory of 2868 1684 4284000.exe 93 PID 2868 wrote to memory of 4084 2868 6806662.exe 94 PID 2868 wrote to memory of 4084 2868 
6806662.exe 94 PID 2868 wrote to memory of 4084 2868 6806662.exe 94 PID 4084 wrote to memory of 3832 4084 vjddp.exe 95 PID 4084 wrote to memory of 3832 4084 vjddp.exe 95 PID 4084 wrote to memory of 3832 4084 vjddp.exe 95 PID 3832 wrote to memory of 4196 3832 4624866.exe 96 PID 3832 wrote to memory of 4196 3832 4624866.exe 96 PID 3832 wrote to memory of 4196 3832 4624866.exe 96 PID 4196 wrote to memory of 2400 4196 jvjjd.exe 97 PID 4196 wrote to memory of 2400 4196 jvjjd.exe 97 PID 4196 wrote to memory of 2400 4196 jvjjd.exe 97 PID 2400 wrote to memory of 1964 2400 844240.exe 98 PID 2400 wrote to memory of 1964 2400 844240.exe 98 PID 2400 wrote to memory of 1964 2400 844240.exe 98 PID 1964 wrote to memory of 3548 1964 bhhhbb.exe 99 PID 1964 wrote to memory of 3548 1964 bhhhbb.exe 99 PID 1964 wrote to memory of 3548 1964 bhhhbb.exe 99 PID 3548 wrote to memory of 1224 3548 0884444.exe 100 PID 3548 wrote to memory of 1224 3548 0884444.exe 100 PID 3548 wrote to memory of 1224 3548 0884444.exe 100 PID 1224 wrote to memory of 4476 1224 nhntnt.exe 101 PID 1224 wrote to memory of 4476 1224 nhntnt.exe 101 PID 1224 wrote to memory of 4476 1224 nhntnt.exe 101 PID 4476 wrote to memory of 4648 4476 4484888.exe 102 PID 4476 wrote to memory of 4648 4476 4484888.exe 102 PID 4476 wrote to memory of 4648 4476 4484888.exe 102 PID 4648 wrote to memory of 2880 4648 080606.exe 103 PID 4648 wrote to memory of 2880 4648 080606.exe 103 PID 4648 wrote to memory of 2880 4648 080606.exe 103 PID 2880 wrote to memory of 4644 2880 20882.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6f81b207472b34ff03b0053fa0cfffb8e2833a9b8b2f8ad75b36c8421cef10c.exe"C:\Users\Admin\AppData\Local\Temp\f6f81b207472b34ff03b0053fa0cfffb8e2833a9b8b2f8ad75b36c8421cef10c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\djjdd.exec:\djjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\dddvd.exec:\dddvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792 -
\??\c:\24202.exec:\24202.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\06808.exec:\06808.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\pjjvd.exec:\pjjvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\hbbnhb.exec:\hbbnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\06444.exec:\06444.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\080422.exec:\080422.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\nbnnhh.exec:\nbnnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\4284000.exec:\4284000.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\6806662.exec:\6806662.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\vjddp.exec:\vjddp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\4624866.exec:\4624866.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\jvjjd.exec:\jvjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\844240.exec:\844240.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\bhhhbb.exec:\bhhhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\0884444.exec:\0884444.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\nhntnt.exec:\nhntnt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\4484888.exec:\4484888.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\080606.exec:\080606.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\20882.exec:\20882.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\djppj.exec:\djppj.exe23⤵
- Executes dropped EXE
PID:4644 -
\??\c:\6666444.exec:\6666444.exe24⤵
- Executes dropped EXE
PID:3740 -
\??\c:\vjvvp.exec:\vjvvp.exe25⤵
- Executes dropped EXE
PID:1032 -
\??\c:\846000.exec:\846000.exe26⤵
- Executes dropped EXE
PID:1000 -
\??\c:\m4666.exec:\m4666.exe27⤵
- Executes dropped EXE
PID:2016 -
\??\c:\20800.exec:\20800.exe28⤵
- Executes dropped EXE
PID:920 -
\??\c:\62042.exec:\62042.exe29⤵
- Executes dropped EXE
PID:4976 -
\??\c:\80482.exec:\80482.exe30⤵
- Executes dropped EXE
PID:4432 -
\??\c:\4804668.exec:\4804668.exe31⤵
- Executes dropped EXE
PID:2184 -
\??\c:\4422226.exec:\4422226.exe32⤵
- Executes dropped EXE
PID:2096 -
\??\c:\842082.exec:\842082.exe33⤵
- Executes dropped EXE
PID:3464 -
\??\c:\bbhthh.exec:\bbhthh.exe34⤵
- Executes dropped EXE
PID:4868 -
\??\c:\842482.exec:\842482.exe35⤵
- Executes dropped EXE
PID:4240 -
\??\c:\484466.exec:\484466.exe36⤵
- Executes dropped EXE
PID:3440 -
\??\c:\0060482.exec:\0060482.exe37⤵
- Executes dropped EXE
PID:3200 -
\??\c:\2408222.exec:\2408222.exe38⤵
- Executes dropped EXE
PID:936 -
\??\c:\08680.exec:\08680.exe39⤵
- Executes dropped EXE
PID:4172 -
\??\c:\q66666.exec:\q66666.exe40⤵
- Executes dropped EXE
PID:624 -
\??\c:\bnnnnb.exec:\bnnnnb.exe41⤵
- Executes dropped EXE
PID:4516 -
\??\c:\lxllxxl.exec:\lxllxxl.exe42⤵
- Executes dropped EXE
PID:1380 -
\??\c:\vdjjj.exec:\vdjjj.exe43⤵
- Executes dropped EXE
PID:1616 -
\??\c:\206086.exec:\206086.exe44⤵
- Executes dropped EXE
PID:5048 -
\??\c:\420466.exec:\420466.exe45⤵
- Executes dropped EXE
PID:3500 -
\??\c:\thhbbb.exec:\thhbbb.exe46⤵
- Executes dropped EXE
PID:4448 -
\??\c:\9xfllxx.exec:\9xfllxx.exe47⤵
- Executes dropped EXE
PID:540 -
\??\c:\xxlfflr.exec:\xxlfflr.exe48⤵
- Executes dropped EXE
PID:1704 -
\??\c:\rxffllr.exec:\rxffllr.exe49⤵
- Executes dropped EXE
PID:4052 -
\??\c:\rxrrrxl.exec:\rxrrrxl.exe50⤵
- Executes dropped EXE
PID:1724 -
\??\c:\5ddpj.exec:\5ddpj.exe51⤵
- Executes dropped EXE
PID:4904 -
\??\c:\rxxflfr.exec:\rxxflfr.exe52⤵
- Executes dropped EXE
PID:1604 -
\??\c:\484068.exec:\484068.exe53⤵
- Executes dropped EXE
PID:4348 -
\??\c:\ntbbbb.exec:\ntbbbb.exe54⤵
- Executes dropped EXE
PID:4772 -
\??\c:\a2204.exec:\a2204.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4412 -
\??\c:\0048084.exec:\0048084.exe56⤵
- Executes dropped EXE
PID:4800 -
\??\c:\bntthh.exec:\bntthh.exe57⤵
- Executes dropped EXE
PID:4724 -
\??\c:\ppvvv.exec:\ppvvv.exe58⤵
- Executes dropped EXE
PID:2220 -
\??\c:\848082.exec:\848082.exe59⤵
- Executes dropped EXE
PID:1428 -
\??\c:\i244888.exec:\i244888.exe60⤵
- Executes dropped EXE
PID:3916 -
\??\c:\vdvpj.exec:\vdvpj.exe61⤵
- Executes dropped EXE
PID:4768 -
\??\c:\6640808.exec:\6640808.exe62⤵
- Executes dropped EXE
PID:4120 -
\??\c:\68000.exec:\68000.exe63⤵
- Executes dropped EXE
PID:3268 -
\??\c:\bbbnth.exec:\bbbnth.exe64⤵
- Executes dropped EXE
PID:5000 -
\??\c:\0848204.exec:\0848204.exe65⤵
- Executes dropped EXE
PID:948 -
\??\c:\7bbtnn.exec:\7bbtnn.exe66⤵
- System Location Discovery: System Language Discovery
PID:4116 -
\??\c:\0624444.exec:\0624444.exe67⤵PID:1412
-
\??\c:\vjjdp.exec:\vjjdp.exe68⤵PID:1684
-
\??\c:\vdpjj.exec:\vdpjj.exe69⤵PID:1132
-
\??\c:\86446.exec:\86446.exe70⤵PID:3872
-
\??\c:\vvvpp.exec:\vvvpp.exe71⤵PID:3436
-
\??\c:\224444.exec:\224444.exe72⤵PID:2904
-
\??\c:\2860460.exec:\2860460.exe73⤵PID:2496
-
\??\c:\6446204.exec:\6446204.exe74⤵PID:3208
-
\??\c:\hnbhbt.exec:\hnbhbt.exe75⤵PID:2736
-
\??\c:\llfrxrl.exec:\llfrxrl.exe76⤵PID:3468
-
\??\c:\llxffrf.exec:\llxffrf.exe77⤵PID:1964
-
\??\c:\642086.exec:\642086.exe78⤵PID:3564
-
\??\c:\nbthbb.exec:\nbthbb.exe79⤵PID:1644
-
\??\c:\028228.exec:\028228.exe80⤵PID:3636
-
\??\c:\flfrrfr.exec:\flfrrfr.exe81⤵PID:2636
-
\??\c:\246662.exec:\246662.exe82⤵PID:2720
-
\??\c:\ppppj.exec:\ppppj.exe83⤵PID:4676
-
\??\c:\48860.exec:\48860.exe84⤵PID:1636
-
\??\c:\ddjpd.exec:\ddjpd.exe85⤵PID:1216
-
\??\c:\q22684.exec:\q22684.exe86⤵PID:4524
-
\??\c:\pvddj.exec:\pvddj.exe87⤵PID:4460
-
\??\c:\8846066.exec:\8846066.exe88⤵PID:3332
-
\??\c:\dpvvv.exec:\dpvvv.exe89⤵PID:3172
-
\??\c:\680848.exec:\680848.exe90⤵PID:368
-
\??\c:\q08228.exec:\q08228.exe91⤵PID:4796
-
\??\c:\022482.exec:\022482.exe92⤵PID:4944
-
\??\c:\jdjjj.exec:\jdjjj.exe93⤵PID:3384
-
\??\c:\vpvdp.exec:\vpvdp.exe94⤵PID:2776
-
\??\c:\jvdjd.exec:\jvdjd.exe95⤵PID:1356
-
\??\c:\ffffffl.exec:\ffffffl.exe96⤵PID:4172
-
\??\c:\0084286.exec:\0084286.exe97⤵PID:3624
-
\??\c:\q24882.exec:\q24882.exe98⤵PID:1124
-
\??\c:\ddjjd.exec:\ddjjd.exe99⤵PID:1136
-
\??\c:\frxxrrl.exec:\frxxrrl.exe100⤵PID:4004
-
\??\c:\84482.exec:\84482.exe101⤵PID:3608
-
\??\c:\rlrrrff.exec:\rlrrrff.exe102⤵PID:5048
-
\??\c:\68088.exec:\68088.exe103⤵PID:3500
-
\??\c:\262666.exec:\262666.exe104⤵PID:4060
-
\??\c:\fxfxfxl.exec:\fxfxfxl.exe105⤵PID:3028
-
\??\c:\ntttbb.exec:\ntttbb.exe106⤵PID:996
-
\??\c:\404246.exec:\404246.exe107⤵PID:3176
-
\??\c:\lxrfxrx.exec:\lxrfxrx.exe108⤵PID:3032
-
\??\c:\vvpjv.exec:\vvpjv.exe109⤵PID:2772
-
\??\c:\608602.exec:\608602.exe110⤵PID:4496
-
\??\c:\tthnth.exec:\tthnth.exe111⤵PID:2216
-
\??\c:\lrxrlrr.exec:\lrxrlrr.exe112⤵PID:1612
-
\??\c:\djvdv.exec:\djvdv.exe113⤵PID:3204
-
\??\c:\hnhnth.exec:\hnhnth.exe114⤵PID:4372
-
\??\c:\008406.exec:\008406.exe115⤵PID:2268
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe116⤵PID:3364
-
\??\c:\8400060.exec:\8400060.exe117⤵PID:4456
-
\??\c:\hhhhhh.exec:\hhhhhh.exe118⤵PID:3236
-
\??\c:\bbtnth.exec:\bbtnth.exe119⤵PID:2756
-
\??\c:\0868048.exec:\0868048.exe120⤵
- System Location Discovery: System Language Discovery
PID:2276 -
\??\c:\8466662.exec:\8466662.exe121⤵PID:4156
-
\??\c:\dvjjd.exec:\dvjjd.exe122⤵PID:3452