Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25/12/2024, 03:01
Static task
static1
Behavioral task
behavioral1
Sample
d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe
Resource
win7-20240903-en
General
-
Target
d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe
-
Size
454KB
-
MD5
1194c8f7783166fc7c9637e2169b4e65
-
SHA1
e66e589a3e64ee01a71a517a34a96d0853b24fbb
-
SHA256
d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1
-
SHA512
2ca85b93e68ccd966e632e2b18b97acbd32409025ded5e77a4389b9a40a4179b7bbe5f7f8263cab8ba530ed45dc6353ae7d74cd92c1964b1d4d7493936f332aa
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4052-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/948-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5040-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-910-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-1043-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-1417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-1559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 408 rrxxrrl.exe 4744 08040.exe 4940 dppdp.exe 5040 e62060.exe 3624 hhhbnt.exe 3036 648642.exe 1488 062426.exe 3100 4286606.exe 4696 ntthtn.exe 2328 1dvvp.exe 3628 vjjvp.exe 2860 nnthbt.exe 3868 jvpdp.exe 4952 3xfrrlr.exe 4804 1vvjp.exe 2868 60606.exe 3432 084886.exe 2396 lxrfrrf.exe 1148 9jdpd.exe 5036 nbhbbt.exe 1404 bhbhth.exe 5116 dpjvj.exe 4896 rflxlfr.exe 1792 0042026.exe 1304 vjjpd.exe 1684 080004.exe 3436 s2244.exe 2212 202008.exe 1452 6686048.exe 2576 dppdp.exe 3264 frrfrlx.exe 228 8286820.exe 4660 686424.exe 948 xxffrlx.exe 4272 q66442.exe 836 nbbtnh.exe 4528 lrxrrff.exe 1732 2886480.exe 3496 bnbnhn.exe 4228 frlxlrf.exe 5084 s2466.exe 1180 xrxrrlr.exe 2676 xffrlfr.exe 2896 w68082.exe 2784 jppjd.exe 1776 886482.exe 2040 6220042.exe 5096 ntbnbt.exe 2996 rlfffff.exe 4064 tnbhtb.exe 3092 2004266.exe 3172 q28644.exe 3920 86466.exe 4508 w44266.exe 2608 i408600.exe 4364 64460.exe 3084 lxxxrlr.exe 4052 vjjjj.exe 408 a2664.exe 2888 2222042.exe 3648 86642.exe 1772 862440.exe 772 jvvjv.exe 4268 o842048.exe -
resource yara_rule behavioral2/memory/4052-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-355-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/228-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-404-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2024-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-855-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-910-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-1043-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-1272-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by reading the NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e24628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 240842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c286482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c660440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8682260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4842660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 006082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4052 wrote to memory of 408 4052 d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe 141 PID 4052 wrote to memory of 408 4052 d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe 141 PID 4052 wrote to memory of 408 4052 d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe 141 PID 408 wrote to memory of 4744 408 rrxxrrl.exe 84 PID 408 wrote to memory of 4744 408 rrxxrrl.exe 84 PID 408 wrote to memory of 4744 408 rrxxrrl.exe 84 PID 4744 wrote to memory of 4940 4744 08040.exe 85 PID 4744 wrote to memory of 4940 4744 08040.exe 85 PID 4744 wrote to memory of 4940 4744 08040.exe 85 PID 4940 wrote to memory of 5040 4940 dppdp.exe 86 PID 4940 wrote to memory of 5040 4940 dppdp.exe 86 PID 4940 wrote to memory of 5040 4940 dppdp.exe 86 PID 5040 wrote to memory of 3624 5040 e62060.exe 87 PID 5040 wrote to memory of 3624 5040 e62060.exe 87 PID 5040 wrote to memory of 3624 5040 e62060.exe 87 PID 3624 wrote to memory of 3036 3624 hhhbnt.exe 88 PID 3624 wrote to memory of 3036 3624 hhhbnt.exe 88 PID 3624 wrote to memory of 3036 3624 hhhbnt.exe 88 PID 3036 wrote to memory of 1488 3036 648642.exe 89 PID 3036 wrote to memory of 1488 3036 648642.exe 89 PID 3036 wrote to memory of 1488 3036 648642.exe 89 PID 1488 wrote to memory of 3100 1488 062426.exe 90 PID 1488 wrote to memory of 3100 1488 062426.exe 90 PID 1488 wrote to memory of 3100 1488 062426.exe 90 PID 3100 wrote to memory of 4696 3100 4286606.exe 91 PID 3100 wrote to memory of 4696 3100 4286606.exe 91 PID 3100 wrote to memory of 4696 3100 4286606.exe 91 PID 4696 wrote to memory of 2328 4696 ntthtn.exe 92 PID 4696 wrote to memory of 2328 4696 ntthtn.exe 92 PID 4696 wrote to memory of 2328 4696 ntthtn.exe 92 PID 2328 wrote to memory of 3628 2328 1dvvp.exe 93 PID 2328 wrote to memory of 3628 2328 1dvvp.exe 93 PID 2328 wrote to memory of 3628 2328 1dvvp.exe 93 PID 3628 wrote to memory of 2860 3628 vjjvp.exe 94 PID 3628 wrote to memory of 
2860 3628 vjjvp.exe 94 PID 3628 wrote to memory of 2860 3628 vjjvp.exe 94 PID 2860 wrote to memory of 3868 2860 nnthbt.exe 95 PID 2860 wrote to memory of 3868 2860 nnthbt.exe 95 PID 2860 wrote to memory of 3868 2860 nnthbt.exe 95 PID 3868 wrote to memory of 4952 3868 jvpdp.exe 96 PID 3868 wrote to memory of 4952 3868 jvpdp.exe 96 PID 3868 wrote to memory of 4952 3868 jvpdp.exe 96 PID 4952 wrote to memory of 4804 4952 3xfrrlr.exe 97 PID 4952 wrote to memory of 4804 4952 3xfrrlr.exe 97 PID 4952 wrote to memory of 4804 4952 3xfrrlr.exe 97 PID 4804 wrote to memory of 2868 4804 1vvjp.exe 98 PID 4804 wrote to memory of 2868 4804 1vvjp.exe 98 PID 4804 wrote to memory of 2868 4804 1vvjp.exe 98 PID 2868 wrote to memory of 3432 2868 60606.exe 99 PID 2868 wrote to memory of 3432 2868 60606.exe 99 PID 2868 wrote to memory of 3432 2868 60606.exe 99 PID 3432 wrote to memory of 2396 3432 084886.exe 100 PID 3432 wrote to memory of 2396 3432 084886.exe 100 PID 3432 wrote to memory of 2396 3432 084886.exe 100 PID 2396 wrote to memory of 1148 2396 lxrfrrf.exe 101 PID 2396 wrote to memory of 1148 2396 lxrfrrf.exe 101 PID 2396 wrote to memory of 1148 2396 lxrfrrf.exe 101 PID 1148 wrote to memory of 5036 1148 9jdpd.exe 102 PID 1148 wrote to memory of 5036 1148 9jdpd.exe 102 PID 1148 wrote to memory of 5036 1148 9jdpd.exe 102 PID 5036 wrote to memory of 1404 5036 nbhbbt.exe 103 PID 5036 wrote to memory of 1404 5036 nbhbbt.exe 103 PID 5036 wrote to memory of 1404 5036 nbhbbt.exe 103 PID 1404 wrote to memory of 5116 1404 bhbhth.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe"C:\Users\Admin\AppData\Local\Temp\d124405736d89bc8e58bdf58e0becfb28d5fa3784e2b55c73cdaebc4d8cebad1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\rrxxrrl.exec:\rrxxrrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\08040.exec:\08040.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\dppdp.exec:\dppdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\e62060.exec:\e62060.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\hhhbnt.exec:\hhhbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\648642.exec:\648642.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\062426.exec:\062426.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\4286606.exec:\4286606.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\ntthtn.exec:\ntthtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\1dvvp.exec:\1dvvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\vjjvp.exec:\vjjvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\nnthbt.exec:\nnthbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\jvpdp.exec:\jvpdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\3xfrrlr.exec:\3xfrrlr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\1vvjp.exec:\1vvjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\60606.exec:\60606.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\084886.exec:\084886.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\lxrfrrf.exec:\lxrfrrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\9jdpd.exec:\9jdpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\nbhbbt.exec:\nbhbbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\bhbhth.exec:\bhbhth.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\dpjvj.exec:\dpjvj.exe23⤵
- Executes dropped EXE
PID:5116 -
\??\c:\rflxlfr.exec:\rflxlfr.exe24⤵
- Executes dropped EXE
PID:4896 -
\??\c:\0042026.exec:\0042026.exe25⤵
- Executes dropped EXE
PID:1792 -
\??\c:\vjjpd.exec:\vjjpd.exe26⤵
- Executes dropped EXE
PID:1304 -
\??\c:\080004.exec:\080004.exe27⤵
- Executes dropped EXE
PID:1684 -
\??\c:\s2244.exec:\s2244.exe28⤵
- Executes dropped EXE
PID:3436 -
\??\c:\202008.exec:\202008.exe29⤵
- Executes dropped EXE
PID:2212 -
\??\c:\6686048.exec:\6686048.exe30⤵
- Executes dropped EXE
PID:1452 -
\??\c:\dppdp.exec:\dppdp.exe31⤵
- Executes dropped EXE
PID:2576 -
\??\c:\frrfrlx.exec:\frrfrlx.exe32⤵
- Executes dropped EXE
PID:3264 -
\??\c:\8286820.exec:\8286820.exe33⤵
- Executes dropped EXE
PID:228 -
\??\c:\686424.exec:\686424.exe34⤵
- Executes dropped EXE
PID:4660 -
\??\c:\xxffrlx.exec:\xxffrlx.exe35⤵
- Executes dropped EXE
PID:948 -
\??\c:\q66442.exec:\q66442.exe36⤵
- Executes dropped EXE
PID:4272 -
\??\c:\nbbtnh.exec:\nbbtnh.exe37⤵
- Executes dropped EXE
PID:836 -
\??\c:\lrxrrff.exec:\lrxrrff.exe38⤵
- Executes dropped EXE
PID:4528 -
\??\c:\2886480.exec:\2886480.exe39⤵
- Executes dropped EXE
PID:1732 -
\??\c:\bnbnhn.exec:\bnbnhn.exe40⤵
- Executes dropped EXE
PID:3496 -
\??\c:\frlxlrf.exec:\frlxlrf.exe41⤵
- Executes dropped EXE
PID:4228 -
\??\c:\s2466.exec:\s2466.exe42⤵
- Executes dropped EXE
PID:5084 -
\??\c:\xrxrrlr.exec:\xrxrrlr.exe43⤵
- Executes dropped EXE
PID:1180 -
\??\c:\xffrlfr.exec:\xffrlfr.exe44⤵
- Executes dropped EXE
PID:2676 -
\??\c:\w68082.exec:\w68082.exe45⤵
- Executes dropped EXE
PID:2896 -
\??\c:\jppjd.exec:\jppjd.exe46⤵
- Executes dropped EXE
PID:2784 -
\??\c:\886482.exec:\886482.exe47⤵
- Executes dropped EXE
PID:1776 -
\??\c:\6220042.exec:\6220042.exe48⤵
- Executes dropped EXE
PID:2040 -
\??\c:\ntbnbt.exec:\ntbnbt.exe49⤵
- Executes dropped EXE
PID:5096 -
\??\c:\rlfffff.exec:\rlfffff.exe50⤵
- Executes dropped EXE
PID:2996 -
\??\c:\tnbhtb.exec:\tnbhtb.exe51⤵
- Executes dropped EXE
PID:4064 -
\??\c:\2004266.exec:\2004266.exe52⤵
- Executes dropped EXE
PID:3092 -
\??\c:\q28644.exec:\q28644.exe53⤵
- Executes dropped EXE
PID:3172 -
\??\c:\86466.exec:\86466.exe54⤵
- Executes dropped EXE
PID:3920 -
\??\c:\w44266.exec:\w44266.exe55⤵
- Executes dropped EXE
PID:4508 -
\??\c:\i408600.exec:\i408600.exe56⤵
- Executes dropped EXE
PID:2608 -
\??\c:\64460.exec:\64460.exe57⤵
- Executes dropped EXE
PID:4364 -
\??\c:\lxxxrlr.exec:\lxxxrlr.exe58⤵
- Executes dropped EXE
PID:3084 -
\??\c:\vjjjj.exec:\vjjjj.exe59⤵
- Executes dropped EXE
PID:4052 -
\??\c:\a2664.exec:\a2664.exe60⤵
- Executes dropped EXE
PID:408 -
\??\c:\2222042.exec:\2222042.exe61⤵
- Executes dropped EXE
PID:2888 -
\??\c:\86642.exec:\86642.exe62⤵
- Executes dropped EXE
PID:3648 -
\??\c:\862440.exec:\862440.exe63⤵
- Executes dropped EXE
PID:1772 -
\??\c:\jvvjv.exec:\jvvjv.exe64⤵
- Executes dropped EXE
PID:772 -
\??\c:\o842048.exec:\o842048.exe65⤵
- Executes dropped EXE
PID:4268 -
\??\c:\442088.exec:\442088.exe66⤵PID:4484
-
\??\c:\hbhbht.exec:\hbhbht.exe67⤵PID:1488
-
\??\c:\86866.exec:\86866.exe68⤵PID:5020
-
\??\c:\9dpjd.exec:\9dpjd.exe69⤵PID:1356
-
\??\c:\dddvd.exec:\dddvd.exe70⤵PID:3408
-
\??\c:\vvjjj.exec:\vvjjj.exe71⤵PID:1748
-
\??\c:\44066.exec:\44066.exe72⤵PID:2860
-
\??\c:\644204.exec:\644204.exe73⤵PID:3492
-
\??\c:\2082020.exec:\2082020.exe74⤵PID:3564
-
\??\c:\08822.exec:\08822.exe75⤵PID:1628
-
\??\c:\2008448.exec:\2008448.exe76⤵PID:2868
-
\??\c:\rrfflxx.exec:\rrfflxx.exe77⤵PID:3232
-
\??\c:\i060062.exec:\i060062.exe78⤵PID:1144
-
\??\c:\440804.exec:\440804.exe79⤵PID:4204
-
\??\c:\0864824.exec:\0864824.exe80⤵PID:3860
-
\??\c:\42206.exec:\42206.exe81⤵PID:1552
-
\??\c:\2020824.exec:\2020824.exe82⤵PID:4664
-
\??\c:\644844.exec:\644844.exe83⤵PID:4144
-
\??\c:\2624024.exec:\2624024.exe84⤵PID:2440
-
\??\c:\244024.exec:\244024.exe85⤵PID:2212
-
\??\c:\pjdvp.exec:\pjdvp.exe86⤵PID:2448
-
\??\c:\02460.exec:\02460.exe87⤵PID:2404
-
\??\c:\4264242.exec:\4264242.exe88⤵PID:3312
-
\??\c:\xrxrllf.exec:\xrxrllf.exe89⤵PID:2324
-
\??\c:\xfflrfr.exec:\xfflrfr.exe90⤵PID:4840
-
\??\c:\224860.exec:\224860.exe91⤵PID:3560
-
\??\c:\280826.exec:\280826.exe92⤵PID:836
-
\??\c:\pdpjd.exec:\pdpjd.exe93⤵PID:4692
-
\??\c:\6804224.exec:\6804224.exe94⤵PID:3928
-
\??\c:\8620640.exec:\8620640.exe95⤵PID:2936
-
\??\c:\284864.exec:\284864.exe96⤵PID:1984
-
\??\c:\080882.exec:\080882.exe97⤵PID:1524
-
\??\c:\5hhhhh.exec:\5hhhhh.exe98⤵PID:2796
-
\??\c:\bbbthb.exec:\bbbthb.exe99⤵PID:2024
-
\??\c:\82864.exec:\82864.exe100⤵PID:4316
-
\??\c:\628204.exec:\628204.exe101⤵PID:1776
-
\??\c:\8066482.exec:\8066482.exe102⤵PID:4564
-
\??\c:\440086.exec:\440086.exe103⤵PID:400
-
\??\c:\pddpj.exec:\pddpj.exe104⤵PID:2388
-
\??\c:\08422.exec:\08422.exe105⤵PID:4408
-
\??\c:\c846086.exec:\c846086.exe106⤵PID:4936
-
\??\c:\28426.exec:\28426.exe107⤵PID:2840
-
\??\c:\7bbnht.exec:\7bbnht.exe108⤵PID:2608
-
\??\c:\vjpdj.exec:\vjpdj.exe109⤵PID:4212
-
\??\c:\rxxllxr.exec:\rxxllxr.exe110⤵PID:2012
-
\??\c:\424264.exec:\424264.exe111⤵PID:4052
-
\??\c:\frlxrrl.exec:\frlxrrl.exe112⤵PID:2192
-
\??\c:\626266.exec:\626266.exe113⤵PID:5060
-
\??\c:\3pdpj.exec:\3pdpj.exe114⤵PID:3120
-
\??\c:\9vvjv.exec:\9vvjv.exe115⤵PID:5052
-
\??\c:\2662040.exec:\2662040.exe116⤵PID:4504
-
\??\c:\024226.exec:\024226.exe117⤵PID:5032
-
\??\c:\0008642.exec:\0008642.exe118⤵PID:3036
-
\??\c:\rfxrlfr.exec:\rfxrlfr.exe119⤵PID:1040
-
\??\c:\o008604.exec:\o008604.exe120⤵PID:4600
-
\??\c:\nntnnh.exec:\nntnnh.exe121⤵PID:1448
-
\??\c:\ntthhb.exec:\ntthhb.exe122⤵PID:3528