Analysis
max time kernel: 120s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2024, 00:42
Static task: static1
Behavioral task: behavioral1
Sample: 42a3a1c119a9e76b54456c8b3723c266da425a1ea8c0da60a3072e535a8cb533N.exe
Resource: win7-20240708-en
General
Target: 42a3a1c119a9e76b54456c8b3723c266da425a1ea8c0da60a3072e535a8cb533N.exe
Size: 454KB
MD5: 1bef86bb1228f09000b1e4a925edb640
SHA1: 813e1725579fe90c6d51256cef30e1c17361389a
SHA256: 42a3a1c119a9e76b54456c8b3723c266da425a1ea8c0da60a3072e535a8cb533
SHA512: a33a0af877fae583f6e1b5fefafe3c1e5e3c51eef8d09d3aa95a98fc278914195c6fc5a87e885536f0ef5d9345f33798d9cc6d92a263f984cac8369f2e5ae06b
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1H:q7Tc2NYHUrAwfMp3CD1H
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload (64 IoCs)
resource / yara_rule: every resource listed below matched yara_rule family_blackmoon
behavioral2/memory/1312-5-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3004-12-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2040-22-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4488-27-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4976-34-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2028-40-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3892-47-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3540-52-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/752-57-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3944-66-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2412-77-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/440-83-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3232-88-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3840-94-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/772-72-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1948-64-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/472-106-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2984-111-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3992-122-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2064-135-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1756-148-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4160-154-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4832-160-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2780-172-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3224-178-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4156-184-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2020-192-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4936-200-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2744-203-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4000-210-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1640-220-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1260-224-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2296-228-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1740-235-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/672-242-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2344-261-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4824-268-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1672-272-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4556-276-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3040-291-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2524-310-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/816-335-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3132-345-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1944-349-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4348-377-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/460-390-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1792-400-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/408-416-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2040-466-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/560-491-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4460-495-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2580-499-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/596-506-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2256-558-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2780-586-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3076-614-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4116-654-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4192-667-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1724-674-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3868-813-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3232-886-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1312-1152-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3876-1226-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1952-1522-0x0000000000400000-0x000000000042A000-memory.dmp
Executes dropped EXE (64 IoCs)
pid   Process
3004  thhbhb.exe
4544  vddvp.exe
2040  44020.exe
4488  600204.exe
4976  pddpv.exe
2028  frxrffx.exe
3892  djpjd.exe
3540  s4848.exe
752   8804882.exe
1948  hnttnn.exe
3944  0888822.exe
772   o882222.exe
2412  088604.exe
440   c822604.exe
3232  pddvj.exe
3840  4608646.exe
2788  flxflrf.exe
472   btnbnh.exe
2984  6408426.exe
3992  rfffxfx.exe
3188  02608.exe
3592  42260.exe
2064  5lfxrxr.exe
4540  c688226.exe
1756  dvddd.exe
4160  2808264.exe
4832  3pjdv.exe
4512  22866.exe
2780  2882604.exe
3224  9dvpj.exe
4156  1dddd.exe
1468  hntttb.exe
2020  tbbthh.exe
1832  1htnhh.exe
4936  4808660.exe
2744  86488.exe
3400  m2488.exe
4000  frrfxrl.exe
2816  444204.exe
4508  220826.exe
1640  8260826.exe
1260  s8826.exe
2296  pjjjp.exe
4780  m8444.exe
1740  8026000.exe
3228  djjvd.exe
672   02822.exe
4700  1ppjv.exe
4408  htbnnt.exe
1312  nhhbtn.exe
4440  httbbn.exe
3632  28086.exe
2344  llfrllf.exe
4192  jdddd.exe
4824  606088.exe
1672  2628248.exe
4556  flflxxl.exe
4284  42000.exe
3584  bnbtbb.exe
2672  4262604.exe
1084  1nnhbb.exe
3040  tbnbtn.exe
4372  bhthbb.exe
2356  488264.exe
resource / yara_rule: every resource listed below matched yara_rule upx
behavioral2/memory/1312-5-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3004-12-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4544-13-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2040-22-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4488-27-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4976-34-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2028-40-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3892-47-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3540-52-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/752-57-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3944-66-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2412-77-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/440-83-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3232-88-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3840-94-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/772-72-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1948-64-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/472-106-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2984-111-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3992-122-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2064-135-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1756-148-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4160-154-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4832-160-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2780-172-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3224-178-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4156-184-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2020-192-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4936-200-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2744-203-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4000-210-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1640-220-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1260-224-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2296-228-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1740-235-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/672-242-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2344-261-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4824-268-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1672-272-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4556-276-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3040-291-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2524-310-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/816-335-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3132-345-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1944-349-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4348-377-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/460-390-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1792-400-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/408-416-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4420-444-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2040-466-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/560-491-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4460-495-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2580-499-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/596-506-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2256-558-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/2780-586-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3076-614-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4116-654-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/4192-667-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1724-674-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3868-813-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/3232-886-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral2/memory/1312-1152-0x0000000000400000-0x000000000042A000-memory.dmp
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc (identical for every row): Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (one row per IoC, in the order reported):
nbbnhb.exe
rffrfxl.exe
Process not Found
Process not Found
7bbnbt.exe
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
k06044.exe
8442082.exe
xrlxlrf.exe
ntttnb.exe
Process not Found
Process not Found
Process not Found
Process not Found
bnbtbb.exe
u408604.exe
bnbnnh.exe
Process not Found
8260826.exe
406044.exe
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
488264.exe
0066222.exe
448684.exe
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
k62004.exe
frrlxxx.exe
pppdv.exe
Process not Found
Process not Found
Process not Found
Process not Found
3pjdv.exe
Process not Found
Process not Found
Process not Found
lllxxxx.exe
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
pdvdp.exe
e84822.exe
ffrfxrr.exe
btnbnh.exe
Process not Found
Process not Found
thbbnn.exe
628448.exe
Process not Found
Suspicious use of WriteProcessMemory (64 IoCs)
description (source pid -> target pid)   Process (source)   procid_target   entries logged
PID 1312 wrote to memory of 3004   42a3a1c119a9e76b54456c8b3723c266da425a1ea8c0da60a3072e535a8cb533N.exe   83   3
PID 3004 wrote to memory of 4544   thhbhb.exe    84   3
PID 4544 wrote to memory of 2040   vddvp.exe     85   3
PID 2040 wrote to memory of 4488   44020.exe     86   3
PID 4488 wrote to memory of 4976   600204.exe    87   3
PID 4976 wrote to memory of 2028   pddpv.exe     88   3
PID 2028 wrote to memory of 3892   frxrffx.exe   89   3
PID 3892 wrote to memory of 3540   djpjd.exe     90   3
PID 3540 wrote to memory of 752    s4848.exe     91   3
PID 752 wrote to memory of 1948    8804882.exe   92   3
PID 1948 wrote to memory of 3944   hnttnn.exe    93   3
PID 3944 wrote to memory of 772    0888822.exe   94   3
PID 772 wrote to memory of 2412    o882222.exe   95   3
PID 2412 wrote to memory of 440    088604.exe    96   3
PID 440 wrote to memory of 3232    c822604.exe   97   3
PID 3232 wrote to memory of 3840   pddvj.exe     98   3
PID 3840 wrote to memory of 2788   4608646.exe   99   3
PID 2788 wrote to memory of 472    flxflrf.exe   100  3
PID 472 wrote to memory of 2984    btnbnh.exe    101  3
PID 2984 wrote to memory of 3992   6408426.exe   102  3
PID 3992 wrote to memory of 3188   rfffxfx.exe   103  3
PID 3188 wrote to memory of 3592   02608.exe     104  1
Processes
Columns: tree depth, PID, image path, command line, signatures triggered by that process.
1    PID 1312  C:\Users\Admin\AppData\Local\Temp\42a3a1c119a9e76b54456c8b3723c266da425a1ea8c0da60a3072e535a8cb533N.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\42a3a1c119a9e76b54456c8b3723c266da425a1ea8c0da60a3072e535a8cb533N.exe"  [Suspicious use of WriteProcessMemory]
2    PID 3004  \??\c:\thhbhb.exe  cmd: c:\thhbhb.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3    PID 4544  \??\c:\vddvp.exe  cmd: c:\vddvp.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4    PID 2040  \??\c:\44020.exe  cmd: c:\44020.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5    PID 4488  \??\c:\600204.exe  cmd: c:\600204.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6    PID 4976  \??\c:\pddpv.exe  cmd: c:\pddpv.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7    PID 2028  \??\c:\frxrffx.exe  cmd: c:\frxrffx.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8    PID 3892  \??\c:\djpjd.exe  cmd: c:\djpjd.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9    PID 3540  \??\c:\s4848.exe  cmd: c:\s4848.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10   PID 752   \??\c:\8804882.exe  cmd: c:\8804882.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11   PID 1948  \??\c:\hnttnn.exe  cmd: c:\hnttnn.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12   PID 3944  \??\c:\0888822.exe  cmd: c:\0888822.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13   PID 772   \??\c:\o882222.exe  cmd: c:\o882222.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14   PID 2412  \??\c:\088604.exe  cmd: c:\088604.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15   PID 440   \??\c:\c822604.exe  cmd: c:\c822604.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16   PID 3232  \??\c:\pddvj.exe  cmd: c:\pddvj.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17   PID 3840  \??\c:\4608646.exe  cmd: c:\4608646.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
18   PID 2788  \??\c:\flxflrf.exe  cmd: c:\flxflrf.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
19   PID 472   \??\c:\btnbnh.exe  cmd: c:\btnbnh.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
20   PID 2984  \??\c:\6408426.exe  cmd: c:\6408426.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
21   PID 3992  \??\c:\rfffxfx.exe  cmd: c:\rfffxfx.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
22   PID 3188  \??\c:\02608.exe  cmd: c:\02608.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
23   PID 3592  \??\c:\42260.exe  cmd: c:\42260.exe  [Executes dropped EXE]
24   PID 2064  \??\c:\5lfxrxr.exe  cmd: c:\5lfxrxr.exe  [Executes dropped EXE]
25   PID 4540  \??\c:\c688226.exe  cmd: c:\c688226.exe  [Executes dropped EXE]
26   PID 1756  \??\c:\dvddd.exe  cmd: c:\dvddd.exe  [Executes dropped EXE]
27   PID 4160  \??\c:\2808264.exe  cmd: c:\2808264.exe  [Executes dropped EXE]
28   PID 4832  \??\c:\3pjdv.exe  cmd: c:\3pjdv.exe  [Executes dropped EXE; System Location Discovery: System Language Discovery]
29   PID 4512  \??\c:\22866.exe  cmd: c:\22866.exe  [Executes dropped EXE]
30   PID 2780  \??\c:\2882604.exe  cmd: c:\2882604.exe  [Executes dropped EXE]
31   PID 3224  \??\c:\9dvpj.exe  cmd: c:\9dvpj.exe  [Executes dropped EXE]
32   PID 4156  \??\c:\1dddd.exe  cmd: c:\1dddd.exe  [Executes dropped EXE]
33   PID 1468  \??\c:\hntttb.exe  cmd: c:\hntttb.exe  [Executes dropped EXE]
34   PID 2020  \??\c:\tbbthh.exe  cmd: c:\tbbthh.exe  [Executes dropped EXE]
35   PID 1832  \??\c:\1htnhh.exe  cmd: c:\1htnhh.exe  [Executes dropped EXE]
36   PID 4936  \??\c:\4808660.exe  cmd: c:\4808660.exe  [Executes dropped EXE]
37   PID 2744  \??\c:\86488.exe  cmd: c:\86488.exe  [Executes dropped EXE]
38   PID 3400  \??\c:\m2488.exe  cmd: c:\m2488.exe  [Executes dropped EXE]
39   PID 4000  \??\c:\frrfxrl.exe  cmd: c:\frrfxrl.exe  [Executes dropped EXE]
40   PID 2816  \??\c:\444204.exe  cmd: c:\444204.exe  [Executes dropped EXE]
41   PID 4508  \??\c:\220826.exe  cmd: c:\220826.exe  [Executes dropped EXE]
42   PID 1640  \??\c:\8260826.exe  cmd: c:\8260826.exe  [Executes dropped EXE; System Location Discovery: System Language Discovery]
43   PID 1260  \??\c:\s8826.exe  cmd: c:\s8826.exe  [Executes dropped EXE]
44   PID 2296  \??\c:\pjjjp.exe  cmd: c:\pjjjp.exe  [Executes dropped EXE]
45   PID 4780  \??\c:\m8444.exe  cmd: c:\m8444.exe  [Executes dropped EXE]
46   PID 1740  \??\c:\8026000.exe  cmd: c:\8026000.exe  [Executes dropped EXE]
47   PID 3228  \??\c:\djjvd.exe  cmd: c:\djjvd.exe  [Executes dropped EXE]
48   PID 672   \??\c:\02822.exe  cmd: c:\02822.exe  [Executes dropped EXE]
49   PID 4700  \??\c:\1ppjv.exe  cmd: c:\1ppjv.exe  [Executes dropped EXE]
50   PID 4408  \??\c:\htbnnt.exe  cmd: c:\htbnnt.exe  [Executes dropped EXE]
51   PID 1312  \??\c:\nhhbtn.exe  cmd: c:\nhhbtn.exe  [Executes dropped EXE]
52   PID 4440  \??\c:\httbbn.exe  cmd: c:\httbbn.exe  [Executes dropped EXE]
53   PID 3632  \??\c:\28086.exe  cmd: c:\28086.exe  [Executes dropped EXE]
54   PID 2344  \??\c:\llfrllf.exe  cmd: c:\llfrllf.exe  [Executes dropped EXE]
55   PID 4192  \??\c:\jdddd.exe  cmd: c:\jdddd.exe  [Executes dropped EXE]
56   PID 4824  \??\c:\606088.exe  cmd: c:\606088.exe  [Executes dropped EXE]
57   PID 1672  \??\c:\2628248.exe  cmd: c:\2628248.exe  [Executes dropped EXE]
58   PID 4556  \??\c:\flflxxl.exe  cmd: c:\flflxxl.exe  [Executes dropped EXE]
59   PID 4284  \??\c:\42000.exe  cmd: c:\42000.exe  [Executes dropped EXE]
60   PID 3584  \??\c:\bnbtbb.exe  cmd: c:\bnbtbb.exe  [Executes dropped EXE; System Location Discovery: System Language Discovery]
61   PID 2672  \??\c:\4262604.exe  cmd: c:\4262604.exe  [Executes dropped EXE]
62   PID 1084  \??\c:\1nnhbb.exe  cmd: c:\1nnhbb.exe  [Executes dropped EXE]
63   PID 3040  \??\c:\tbnbtn.exe  cmd: c:\tbnbtn.exe  [Executes dropped EXE]
64   PID 4372  \??\c:\bhthbb.exe  cmd: c:\bhthbb.exe  [Executes dropped EXE]
65   PID 2356  \??\c:\488264.exe  cmd: c:\488264.exe  [Executes dropped EXE; System Location Discovery: System Language Discovery]
66   PID 384   \??\c:\m6604.exe  cmd: c:\m6604.exe
67   PID 1340  \??\c:\080466.exe  cmd: c:\080466.exe
68   PID 2476  \??\c:\6068086.exe  cmd: c:\6068086.exe
69   PID 2524  \??\c:\xrrrllx.exe  cmd: c:\xrrrllx.exe
70   PID 4280  \??\c:\nbhtnn.exe  cmd: c:\nbhtnn.exe
71   PID 1904  \??\c:\266088.exe  cmd: c:\266088.exe
72   PID 5032  \??\c:\xrxrrrr.exe  cmd: c:\xrxrrrr.exe
73   PID 3652  \??\c:\8620448.exe  cmd: c:\8620448.exe
74   PID 2032  \??\c:\hnttnn.exe  cmd: c:\hnttnn.exe
75   PID 4024  \??\c:\2626600.exe  cmd: c:\2626600.exe
76   PID 1932  \??\c:\dpvpp.exe  cmd: c:\dpvpp.exe
77   PID 816   \??\c:\pddvj.exe  cmd: c:\pddvj.exe
78   PID 1428  \??\c:\vpvpd.exe  cmd: c:\vpvpd.exe
79   PID 3992  \??\c:\thnhbt.exe  cmd: c:\thnhbt.exe
80   PID 3132  \??\c:\xllfxrr.exe  cmd: c:\xllfxrr.exe
81   PID 1944  \??\c:\002606.exe  cmd: c:\002606.exe
82   PID 4396  \??\c:\66048.exe  cmd: c:\66048.exe
83   PID 2480  \??\c:\260684.exe  cmd: c:\260684.exe
84   PID 3896  \??\c:\jvppd.exe  cmd: c:\jvppd.exe
85   PID 3364  \??\c:\k06044.exe  cmd: c:\k06044.exe  [System Location Discovery: System Language Discovery]
86   PID 4528  \??\c:\jpdpd.exe  cmd: c:\jpdpd.exe
87   PID 4584  \??\c:\jjjpv.exe  cmd: c:\jjjpv.exe
88   PID 3664  \??\c:\4068642.exe  cmd: c:\4068642.exe
89   PID 2652  \??\c:\rlxrrrx.exe  cmd: c:\rlxrrrx.exe
90   PID 4348  \??\c:\2804826.exe  cmd: c:\2804826.exe
91   PID 3636  \??\c:\xllxrxr.exe  cmd: c:\xllxrxr.exe
92   PID 1592  \??\c:\vvdpd.exe  cmd: c:\vvdpd.exe
93   PID 3128  \??\c:\5ppdv.exe  cmd: c:\5ppdv.exe
94   PID 460   \??\c:\8820486.exe  cmd: c:\8820486.exe
95   PID 2112  \??\c:\hbhtnh.exe  cmd: c:\hbhtnh.exe
96   PID 1048  \??\c:\644422.exe  cmd: c:\644422.exe
97   PID 1792  \??\c:\pdvjj.exe  cmd: c:\pdvjj.exe
98   PID 1208  \??\c:\1llfxrl.exe  cmd: c:\1llfxrl.exe
99   PID 5084  \??\c:\fxfrfxl.exe  cmd: c:\fxfrfxl.exe
100  PID 4292  \??\c:\bbtnht.exe  cmd: c:\bbtnht.exe
101  PID 1688  \??\c:\q44208.exe  cmd: c:\q44208.exe
102  PID 408   \??\c:\lfrlrlr.exe  cmd: c:\lfrlrlr.exe
103  PID 884   \??\c:\6442260.exe  cmd: c:\6442260.exe
104  PID 4552  \??\c:\fllrrlf.exe  cmd: c:\fllrrlf.exe
105  PID 4444  \??\c:\i888282.exe  cmd: c:\i888282.exe
106  PID 1132  \??\c:\282660.exe  cmd: c:\282660.exe
107  PID 4112  \??\c:\bhntnn.exe  cmd: c:\bhntnn.exe
108  PID 1936  \??\c:\ttbtnh.exe  cmd: c:\ttbtnh.exe
109  PID 2148  \??\c:\i860826.exe  cmd: c:\i860826.exe
110  PID 3108  \??\c:\5ffrfxr.exe  cmd: c:\5ffrfxr.exe
111  PID 1212  \??\c:\1lfrlfr.exe  cmd: c:\1lfrlfr.exe
112  PID 4420  \??\c:\824844.exe  cmd: c:\824844.exe
113  PID 4268  \??\c:\2068408.exe  cmd: c:\2068408.exe
114  PID 4748  \??\c:\nbbntn.exe  cmd: c:\nbbntn.exe
115  PID 632   \??\c:\thhtnb.exe  cmd: c:\thhtnb.exe
116  PID 2304  \??\c:\o842648.exe  cmd: c:\o842648.exe
117  PID 3428  \??\c:\nbbnhb.exe  cmd: c:\nbbnhb.exe  [System Location Discovery: System Language Discovery]
118  PID 2040  \??\c:\xxlfxxr.exe  cmd: c:\xxlfxxr.exe
119  PID 4176  \??\c:\thhhhb.exe  cmd: c:\thhhhb.exe
120  PID 2700  \??\c:\68482.exe  cmd: c:\68482.exe
121  PID 1424  \??\c:\thnbtn.exe  cmd: c:\thnbtn.exe
122  PID 1204  \??\c:\2220486.exe  cmd: c:\2220486.exe