Analysis
- max time kernel: 120s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2024, 11:16
Static task: static1
Behavioral task: behavioral1
Sample: 946746ddfedd9d72bbc7f32577611fb39f62f27fd0d95a4fcaf22683e69baf7b.exe
Resource: win7-20240903-en
General
- Target: 946746ddfedd9d72bbc7f32577611fb39f62f27fd0d95a4fcaf22683e69baf7b.exe
- Size: 456KB
- MD5: 044668876e12d7f363d79c7140dfefb9
- SHA1: 0c097638e6ab05e6eec80e4a1459a2d077cb705e
- SHA256: 946746ddfedd9d72bbc7f32577611fb39f62f27fd0d95a4fcaf22683e69baf7b
- SHA512: 6951a635a483bfc9b5fd25febcd3a1301797f78bee219fa90cdafa0b09f3d58ddbc6279ddf320d161834095430d85ad3ac8b53ed7df146cbc80ae8299887c091
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (64 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\946746ddfedd9d72bbc7f32577611fb39f62f27fd0d95a4fcaf22683e69baf7b.exe"C:\Users\Admin\AppData\Local\Temp\946746ddfedd9d72bbc7f32577611fb39f62f27fd0d95a4fcaf22683e69baf7b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\1jdpp.exec:\1jdpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\frfrxlx.exec:\frfrxlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\9rlfrxl.exec:\9rlfrxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\pvvjd.exec:\pvvjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\bnhtnt.exec:\bnhtnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\pppdd.exec:\pppdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\3llxrll.exec:\3llxrll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\jppjv.exec:\jppjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\3bnbnh.exec:\3bnbnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\1jdpd.exec:\1jdpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\5frfrlx.exec:\5frfrlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\9rllxlx.exec:\9rllxlx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\1jvpp.exec:\1jvpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\llrfxrl.exec:\llrfxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\lllrrlr.exec:\lllrrlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\tttnbt.exec:\tttnbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\bhhtnh.exec:\bhhtnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\dpjdp.exec:\dpjdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\jvdpp.exec:\jvdpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\xfxlfxl.exec:\xfxlfxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\1nhtnh.exec:\1nhtnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\dvddd.exec:\dvddd.exe23⤵
- Executes dropped EXE
PID:2808 -
\??\c:\rxrflfr.exec:\rxrflfr.exe24⤵
- Executes dropped EXE
PID:4872 -
\??\c:\nnnbtn.exec:\nnnbtn.exe25⤵
- Executes dropped EXE
PID:1700 -
\??\c:\rrfxlxx.exec:\rrfxlxx.exe26⤵
- Executes dropped EXE
PID:2788 -
\??\c:\btnhhb.exec:\btnhhb.exe27⤵
- Executes dropped EXE
PID:408 -
\??\c:\5ddvp.exec:\5ddvp.exe28⤵
- Executes dropped EXE
PID:4936 -
\??\c:\ntbnbh.exec:\ntbnbh.exe29⤵
- Executes dropped EXE
PID:4176 -
\??\c:\7nbtbt.exec:\7nbtbt.exe30⤵
- Executes dropped EXE
PID:3452 -
\??\c:\jppdp.exec:\jppdp.exe31⤵
- Executes dropped EXE
PID:3300 -
\??\c:\hnbthb.exec:\hnbthb.exe32⤵
- Executes dropped EXE
PID:2104 -
\??\c:\frlxllf.exec:\frlxllf.exe33⤵
- Executes dropped EXE
PID:4912 -
\??\c:\djpdp.exec:\djpdp.exe34⤵
- Executes dropped EXE
PID:4868 -
\??\c:\jdvjp.exec:\jdvjp.exe35⤵
- Executes dropped EXE
PID:3572 -
\??\c:\tnnhtt.exec:\tnnhtt.exe36⤵
- Executes dropped EXE
PID:3468 -
\??\c:\vddvj.exec:\vddvj.exe37⤵
- Executes dropped EXE
PID:3076 -
\??\c:\rxfrxrl.exec:\rxfrxrl.exe38⤵
- Executes dropped EXE
PID:1696 -
\??\c:\thhhbn.exec:\thhhbn.exe39⤵
- Executes dropped EXE
PID:4184 -
\??\c:\hhbthb.exec:\hhbthb.exe40⤵
- Executes dropped EXE
PID:2712 -
\??\c:\pvdpv.exec:\pvdpv.exe41⤵
- Executes dropped EXE
PID:1860 -
\??\c:\xfxlxrl.exec:\xfxlxrl.exe42⤵
- Executes dropped EXE
PID:1756 -
\??\c:\btnhbt.exec:\btnhbt.exe43⤵
- Executes dropped EXE
PID:2076 -
\??\c:\jvdpd.exec:\jvdpd.exe44⤵
- Executes dropped EXE
PID:4508 -
\??\c:\xrllxxr.exec:\xrllxxr.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3124 -
\??\c:\vjjdv.exec:\vjjdv.exe46⤵
- Executes dropped EXE
PID:2864 -
\??\c:\pvvpj.exec:\pvvpj.exe47⤵
- Executes dropped EXE
PID:2700 -
\??\c:\rlrllff.exec:\rlrllff.exe48⤵
- Executes dropped EXE
PID:4816 -
\??\c:\1tbtnt.exec:\1tbtnt.exe49⤵
- Executes dropped EXE
PID:3868 -
\??\c:\9dvjp.exec:\9dvjp.exe50⤵
- Executes dropped EXE
PID:5080 -
\??\c:\jvjjd.exec:\jvjjd.exe51⤵
- Executes dropped EXE
PID:4860 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe52⤵
- Executes dropped EXE
PID:460 -
\??\c:\hnbtnh.exec:\hnbtnh.exe53⤵
- Executes dropped EXE
PID:3384 -
\??\c:\vpdvd.exec:\vpdvd.exe54⤵
- Executes dropped EXE
PID:4400 -
\??\c:\vpdvj.exec:\vpdvj.exe55⤵
- Executes dropped EXE
PID:3484 -
\??\c:\frlflll.exec:\frlflll.exe56⤵
- Executes dropped EXE
PID:4364 -
\??\c:\1nnbnh.exec:\1nnbnh.exe57⤵
- Executes dropped EXE
PID:2276 -
\??\c:\vddpd.exec:\vddpd.exe58⤵
- Executes dropped EXE
PID:4804 -
\??\c:\vpvpd.exec:\vpvpd.exe59⤵
- Executes dropped EXE
PID:3556 -
\??\c:\xllfllx.exec:\xllfllx.exe60⤵
- Executes dropped EXE
PID:1824 -
\??\c:\nnnhtb.exec:\nnnhtb.exe61⤵
- Executes dropped EXE
PID:2452 -
\??\c:\thhbnh.exec:\thhbnh.exe62⤵
- Executes dropped EXE
PID:4628 -
\??\c:\pppdp.exec:\pppdp.exe63⤵
- Executes dropped EXE
PID:2824 -
\??\c:\vjdvj.exec:\vjdvj.exe64⤵
- Executes dropped EXE
PID:876 -
\??\c:\rxxlfxf.exec:\rxxlfxf.exe65⤵
- Executes dropped EXE
PID:4800 -
\??\c:\nhhhbt.exec:\nhhhbt.exe66⤵PID:2280
-
\??\c:\9dddd.exec:\9dddd.exe67⤵PID:2888
-
\??\c:\dpjjv.exec:\dpjjv.exe68⤵PID:1484
-
\??\c:\fxrlxrf.exec:\fxrlxrf.exe69⤵PID:3880
-
\??\c:\tnbttt.exec:\tnbttt.exe70⤵PID:4576
-
\??\c:\jvpdp.exec:\jvpdp.exe71⤵PID:3044
-
\??\c:\rflfxxr.exec:\rflfxxr.exe72⤵PID:2996
-
\??\c:\lflffxf.exec:\lflffxf.exe73⤵PID:772
-
\??\c:\bnnbbt.exec:\bnnbbt.exe74⤵PID:1332
-
\??\c:\pddvp.exec:\pddvp.exe75⤵PID:2856
-
\??\c:\lffxrrl.exec:\lffxrrl.exe76⤵PID:2316
-
\??\c:\xlrlxlx.exec:\xlrlxlx.exe77⤵PID:5112
-
\??\c:\bhhbtn.exec:\bhhbtn.exe78⤵PID:3648
-
\??\c:\dpdjv.exec:\dpdjv.exe79⤵PID:1428
-
\??\c:\pvppd.exec:\pvppd.exe80⤵PID:4564
-
\??\c:\rrlffxx.exec:\rrlffxx.exe81⤵PID:3540
-
\??\c:\5btthb.exec:\5btthb.exe82⤵PID:1352
-
\??\c:\htnbnh.exec:\htnbnh.exe83⤵PID:1492
-
\??\c:\vpjvp.exec:\vpjvp.exe84⤵PID:4012
-
\??\c:\rxfrfxl.exec:\rxfrfxl.exe85⤵
- System Location Discovery: System Language Discovery
PID:4604 -
\??\c:\nthbtt.exec:\nthbtt.exe86⤵PID:4292
-
\??\c:\htbbtn.exec:\htbbtn.exe87⤵PID:3772
-
\??\c:\pjpdd.exec:\pjpdd.exe88⤵PID:4872
-
\??\c:\ntthbt.exec:\ntthbt.exe89⤵PID:2632
-
\??\c:\dpdvj.exec:\dpdvj.exe90⤵PID:2268
-
\??\c:\lllxlff.exec:\lllxlff.exe91⤵PID:4560
-
\??\c:\xfxxlfx.exec:\xfxxlfx.exe92⤵PID:408
-
\??\c:\hbtnnh.exec:\hbtnnh.exe93⤵PID:3732
-
\??\c:\vjjvj.exec:\vjjvj.exe94⤵PID:2740
-
\??\c:\jdvpd.exec:\jdvpd.exe95⤵PID:1468
-
\??\c:\rrlfllf.exec:\rrlfllf.exe96⤵PID:3480
-
\??\c:\bbtnhb.exec:\bbtnhb.exe97⤵PID:4616
-
\??\c:\pddvd.exec:\pddvd.exe98⤵PID:3968
-
\??\c:\xffxfxr.exec:\xffxfxr.exe99⤵PID:1296
-
\??\c:\xflxrlf.exec:\xflxrlf.exe100⤵PID:3512
-
\??\c:\1ththb.exec:\1ththb.exe101⤵PID:5108
-
\??\c:\3vpjv.exec:\3vpjv.exe102⤵PID:1248
-
\??\c:\vjjvj.exec:\vjjvj.exe103⤵PID:2780
-
\??\c:\ffrlfxr.exec:\ffrlfxr.exe104⤵PID:3020
-
\??\c:\9hbtnh.exec:\9hbtnh.exe105⤵PID:2356
-
\??\c:\djjdp.exec:\djjdp.exe106⤵PID:1688
-
\??\c:\lrxlxrx.exec:\lrxlxrx.exe107⤵PID:3640
-
\??\c:\ffrlxrl.exec:\ffrlxrl.exe108⤵PID:1684
-
\??\c:\bnthbt.exec:\bnthbt.exe109⤵PID:3564
-
\??\c:\vjjjd.exec:\vjjjd.exe110⤵PID:1736
-
\??\c:\rrlxfxl.exec:\rrlxfxl.exe111⤵PID:960
-
\??\c:\thnbbt.exec:\thnbbt.exe112⤵PID:2076
-
\??\c:\dvdvp.exec:\dvdvp.exe113⤵PID:4508
-
\??\c:\jpvjp.exec:\jpvjp.exe114⤵PID:2876
-
\??\c:\xrrfxrf.exec:\xrrfxrf.exe115⤵PID:2864
-
\??\c:\bthbbt.exec:\bthbbt.exe116⤵PID:1964
-
\??\c:\jdjjp.exec:\jdjjp.exe117⤵PID:3768
-
\??\c:\jdpdj.exec:\jdpdj.exe118⤵PID:2920
-
\??\c:\frllfrl.exec:\frllfrl.exe119⤵PID:2176
-
\??\c:\ntbtnn.exec:\ntbtnn.exe120⤵PID:3700
-
\??\c:\vpdvj.exec:\vpdvj.exe121⤵PID:460
-
\??\c:\ffxrllr.exec:\ffxrllr.exe122⤵PID:3384