Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25/12/2024, 23:11
Static task
static1
Behavioral task
behavioral1
Sample
7b5d17f6b39dbd6380f109fcedf98ef332f5dd89f9c8e63a5e30b7dfe23d8485.exe
Resource
win7-20240708-en
General
-
Target
7b5d17f6b39dbd6380f109fcedf98ef332f5dd89f9c8e63a5e30b7dfe23d8485.exe
-
Size
453KB
-
MD5
c32636271edfab1fd44baac7ffa2d1dd
-
SHA1
1494576d2d1e5a0f766ba41fe93e020e252274ce
-
SHA256
7b5d17f6b39dbd6380f109fcedf98ef332f5dd89f9c8e63a5e30b7dfe23d8485
-
SHA512
346f1454960c445ab21c9652321c0710d17d3707d7dc1f1116e12d5f2dcccc000552389143194139f747913c34951090bd9e0d077cdb81a3ddf78811c1fb5584
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeF:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/748-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/656-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4812-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/656-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2348-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/612-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-815-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-1309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-1691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4804 jdjdv.exe 2840 pjjdv.exe 536 frxfxxr.exe 4088 bntttt.exe 516 jvvpv.exe 372 rrrrllf.exe 4524 rlfxrlf.exe 4816 ddppv.exe 1356 djpvj.exe 2556 xlxlrrl.exe 2240 hhttbh.exe 2184 llffxrl.exe 2520 nnbtbb.exe 2848 pjjdv.exe 4976 rlllllf.exe 1568 jjvpv.exe 4768 ntnhbb.exe 4128 dvdvv.exe 3504 xlxrrrr.exe 404 vvppj.exe 4388 dddvv.exe 4680 9btnhn.exe 656 5bbtth.exe 3196 5vdvp.exe 4820 lrxxxxx.exe 2288 hbnnnh.exe 464 djvpj.exe 3960 tthhnh.exe 4812 jjvpd.exe 828 pvjvp.exe 4456 pvvpj.exe 3472 llxrlfx.exe 5100 9xfxrrr.exe 4032 9bhbbb.exe 3288 tttnnn.exe 5080 7pvpv.exe 5072 9xxrlrl.exe 2664 bthbbb.exe 2508 pdpdp.exe 5064 7lfrllf.exe 3448 btbnhh.exe 4596 btbttt.exe 808 fffllfl.exe 4216 3rrrlll.exe 1532 tttntt.exe 4520 jjjjd.exe 2840 lllfxfx.exe 536 nttttt.exe 4088 hbhnhn.exe 1136 vpvpj.exe 4424 rrflffx.exe 3728 tbnnth.exe 2980 pjvpp.exe 4428 7jjdd.exe 1272 frxlfff.exe 1660 hhbnhh.exe 3688 ppdvp.exe 2188 pdpjj.exe 2576 lfllffx.exe 4284 bntnhb.exe 972 pjjdv.exe 1372 pddvj.exe 4472 lllffll.exe 2432 tnnnhh.exe -
resource yara_rule behavioral2/memory/748-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/656-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-172-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3960-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/656-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/612-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-367-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4880-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-815-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-1212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-1309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-1691-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 748 wrote to memory of 4804 748 7b5d17f6b39dbd6380f109fcedf98ef332f5dd89f9c8e63a5e30b7dfe23d8485.exe 82 PID 748 wrote to memory of 4804 748 7b5d17f6b39dbd6380f109fcedf98ef332f5dd89f9c8e63a5e30b7dfe23d8485.exe 82 PID 748 wrote to memory of 4804 748 7b5d17f6b39dbd6380f109fcedf98ef332f5dd89f9c8e63a5e30b7dfe23d8485.exe 82 PID 4804 wrote to memory of 2840 4804 jdjdv.exe 83 PID 4804 wrote to memory of 2840 4804 jdjdv.exe 83 PID 4804 wrote to memory of 2840 4804 jdjdv.exe 83 PID 2840 wrote to memory of 536 2840 pjjdv.exe 84 PID 2840 wrote to memory of 536 2840 pjjdv.exe 84 PID 2840 wrote to memory of 536 2840 pjjdv.exe 84 PID 536 wrote to memory of 4088 536 frxfxxr.exe 85 PID 536 wrote to memory of 4088 536 frxfxxr.exe 85 PID 536 wrote to memory of 4088 536 frxfxxr.exe 85 PID 4088 wrote to memory of 516 4088 bntttt.exe 86 PID 4088 wrote to memory of 516 4088 bntttt.exe 86 PID 4088 wrote to memory of 516 4088 bntttt.exe 86 PID 516 wrote to memory of 372 516 jvvpv.exe 87 PID 516 wrote to memory of 372 516 jvvpv.exe 87 PID 516 wrote to memory of 372 516 jvvpv.exe 87 PID 372 wrote to memory of 4524 372 rrrrllf.exe 88 PID 372 wrote to memory of 4524 372 rrrrllf.exe 88 PID 372 wrote to memory of 4524 372 rrrrllf.exe 88 PID 4524 wrote to memory of 4816 4524 rlfxrlf.exe 89 PID 4524 wrote to memory of 4816 4524 rlfxrlf.exe 89 PID 4524 wrote to memory of 4816 4524 rlfxrlf.exe 89 PID 4816 wrote to memory of 1356 4816 ddppv.exe 90 PID 4816 wrote to memory of 1356 4816 ddppv.exe 90 PID 4816 wrote to memory of 1356 4816 ddppv.exe 90 PID 1356 wrote to memory of 2556 1356 djpvj.exe 91 PID 1356 wrote to memory of 2556 1356 djpvj.exe 91 PID 1356 wrote to memory of 2556 1356 djpvj.exe 91 PID 2556 wrote to memory of 2240 2556 xlxlrrl.exe 92 PID 2556 wrote to memory of 2240 2556 xlxlrrl.exe 92 PID 2556 wrote to memory of 2240 2556 xlxlrrl.exe 92 PID 2240 wrote to memory of 2184 2240 hhttbh.exe 93 PID 2240 wrote to memory of 2184 2240 hhttbh.exe 93 PID 
2240 wrote to memory of 2184 2240 hhttbh.exe 93 PID 2184 wrote to memory of 2520 2184 llffxrl.exe 94 PID 2184 wrote to memory of 2520 2184 llffxrl.exe 94 PID 2184 wrote to memory of 2520 2184 llffxrl.exe 94 PID 2520 wrote to memory of 2848 2520 nnbtbb.exe 95 PID 2520 wrote to memory of 2848 2520 nnbtbb.exe 95 PID 2520 wrote to memory of 2848 2520 nnbtbb.exe 95 PID 2848 wrote to memory of 4976 2848 pjjdv.exe 96 PID 2848 wrote to memory of 4976 2848 pjjdv.exe 96 PID 2848 wrote to memory of 4976 2848 pjjdv.exe 96 PID 4976 wrote to memory of 1568 4976 rlllllf.exe 97 PID 4976 wrote to memory of 1568 4976 rlllllf.exe 97 PID 4976 wrote to memory of 1568 4976 rlllllf.exe 97 PID 1568 wrote to memory of 4768 1568 jjvpv.exe 98 PID 1568 wrote to memory of 4768 1568 jjvpv.exe 98 PID 1568 wrote to memory of 4768 1568 jjvpv.exe 98 PID 4768 wrote to memory of 4128 4768 ntnhbb.exe 99 PID 4768 wrote to memory of 4128 4768 ntnhbb.exe 99 PID 4768 wrote to memory of 4128 4768 ntnhbb.exe 99 PID 4128 wrote to memory of 3504 4128 dvdvv.exe 100 PID 4128 wrote to memory of 3504 4128 dvdvv.exe 100 PID 4128 wrote to memory of 3504 4128 dvdvv.exe 100 PID 3504 wrote to memory of 404 3504 xlxrrrr.exe 101 PID 3504 wrote to memory of 404 3504 xlxrrrr.exe 101 PID 3504 wrote to memory of 404 3504 xlxrrrr.exe 101 PID 404 wrote to memory of 4388 404 vvppj.exe 102 PID 404 wrote to memory of 4388 404 vvppj.exe 102 PID 404 wrote to memory of 4388 404 vvppj.exe 102 PID 4388 wrote to memory of 4680 4388 dddvv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b5d17f6b39dbd6380f109fcedf98ef332f5dd89f9c8e63a5e30b7dfe23d8485.exe"C:\Users\Admin\AppData\Local\Temp\7b5d17f6b39dbd6380f109fcedf98ef332f5dd89f9c8e63a5e30b7dfe23d8485.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\jdjdv.exec:\jdjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\pjjdv.exec:\pjjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\frxfxxr.exec:\frxfxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\bntttt.exec:\bntttt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\jvvpv.exec:\jvvpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\rrrrllf.exec:\rrrrllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\ddppv.exec:\ddppv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\djpvj.exec:\djpvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\xlxlrrl.exec:\xlxlrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\hhttbh.exec:\hhttbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\llffxrl.exec:\llffxrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\nnbtbb.exec:\nnbtbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\pjjdv.exec:\pjjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\rlllllf.exec:\rlllllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\jjvpv.exec:\jjvpv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\ntnhbb.exec:\ntnhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\dvdvv.exec:\dvdvv.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\xlxrrrr.exec:\xlxrrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\vvppj.exec:\vvppj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\dddvv.exec:\dddvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\9btnhn.exec:\9btnhn.exe23⤵
- Executes dropped EXE
PID:4680 -
\??\c:\5bbtth.exec:\5bbtth.exe24⤵
- Executes dropped EXE
PID:656 -
\??\c:\5vdvp.exec:\5vdvp.exe25⤵
- Executes dropped EXE
PID:3196 -
\??\c:\lrxxxxx.exec:\lrxxxxx.exe26⤵
- Executes dropped EXE
PID:4820 -
\??\c:\hbnnnh.exec:\hbnnnh.exe27⤵
- Executes dropped EXE
PID:2288 -
\??\c:\djvpj.exec:\djvpj.exe28⤵
- Executes dropped EXE
PID:464 -
\??\c:\tthhnh.exec:\tthhnh.exe29⤵
- Executes dropped EXE
PID:3960 -
\??\c:\jjvpd.exec:\jjvpd.exe30⤵
- Executes dropped EXE
PID:4812 -
\??\c:\pvjvp.exec:\pvjvp.exe31⤵
- Executes dropped EXE
PID:828 -
\??\c:\pvvpj.exec:\pvvpj.exe32⤵
- Executes dropped EXE
PID:4456 -
\??\c:\llxrlfx.exec:\llxrlfx.exe33⤵
- Executes dropped EXE
PID:3472 -
\??\c:\9xfxrrr.exec:\9xfxrrr.exe34⤵
- Executes dropped EXE
PID:5100 -
\??\c:\9bhbbb.exec:\9bhbbb.exe35⤵
- Executes dropped EXE
PID:4032 -
\??\c:\tttnnn.exec:\tttnnn.exe36⤵
- Executes dropped EXE
PID:3288 -
\??\c:\7pvpv.exec:\7pvpv.exe37⤵
- Executes dropped EXE
PID:5080 -
\??\c:\9xxrlrl.exec:\9xxrlrl.exe38⤵
- Executes dropped EXE
PID:5072 -
\??\c:\bthbbb.exec:\bthbbb.exe39⤵
- Executes dropped EXE
PID:2664 -
\??\c:\pdpdp.exec:\pdpdp.exe40⤵
- Executes dropped EXE
PID:2508 -
\??\c:\7lfrllf.exec:\7lfrllf.exe41⤵
- Executes dropped EXE
PID:5064 -
\??\c:\btbnhh.exec:\btbnhh.exe42⤵
- Executes dropped EXE
PID:3448 -
\??\c:\btbttt.exec:\btbttt.exe43⤵
- Executes dropped EXE
PID:4596 -
\??\c:\dvvpp.exec:\dvvpp.exe44⤵PID:1964
-
\??\c:\fffllfl.exec:\fffllfl.exe45⤵
- Executes dropped EXE
PID:808 -
\??\c:\3rrrlll.exec:\3rrrlll.exe46⤵
- Executes dropped EXE
PID:4216 -
\??\c:\tttntt.exec:\tttntt.exe47⤵
- Executes dropped EXE
PID:1532 -
\??\c:\jjjjd.exec:\jjjjd.exe48⤵
- Executes dropped EXE
PID:4520 -
\??\c:\lllfxfx.exec:\lllfxfx.exe49⤵
- Executes dropped EXE
PID:2840 -
\??\c:\nttttt.exec:\nttttt.exe50⤵
- Executes dropped EXE
PID:536 -
\??\c:\hbhnhn.exec:\hbhnhn.exe51⤵
- Executes dropped EXE
PID:4088 -
\??\c:\vpvpj.exec:\vpvpj.exe52⤵
- Executes dropped EXE
PID:1136 -
\??\c:\rrflffx.exec:\rrflffx.exe53⤵
- Executes dropped EXE
PID:4424 -
\??\c:\tbnnth.exec:\tbnnth.exe54⤵
- Executes dropped EXE
PID:3728 -
\??\c:\pjvpp.exec:\pjvpp.exe55⤵
- Executes dropped EXE
PID:2980 -
\??\c:\7jjdd.exec:\7jjdd.exe56⤵
- Executes dropped EXE
PID:4428 -
\??\c:\frxlfff.exec:\frxlfff.exe57⤵
- Executes dropped EXE
PID:1272 -
\??\c:\hhbnhh.exec:\hhbnhh.exe58⤵
- Executes dropped EXE
PID:1660 -
\??\c:\ppdvp.exec:\ppdvp.exe59⤵
- Executes dropped EXE
PID:3688 -
\??\c:\pdpjj.exec:\pdpjj.exe60⤵
- Executes dropped EXE
PID:2188 -
\??\c:\lfllffx.exec:\lfllffx.exe61⤵
- Executes dropped EXE
PID:2576 -
\??\c:\bntnhb.exec:\bntnhb.exe62⤵
- Executes dropped EXE
PID:4284 -
\??\c:\pjjdv.exec:\pjjdv.exe63⤵
- Executes dropped EXE
PID:972 -
\??\c:\pddvj.exec:\pddvj.exe64⤵
- Executes dropped EXE
PID:1372 -
\??\c:\lllffll.exec:\lllffll.exe65⤵
- Executes dropped EXE
PID:4472 -
\??\c:\tnnnhh.exec:\tnnnhh.exe66⤵
- Executes dropped EXE
PID:2432 -
\??\c:\pvdvd.exec:\pvdvd.exe67⤵PID:5016
-
\??\c:\jpppj.exec:\jpppj.exe68⤵PID:3656
-
\??\c:\3xxrffx.exec:\3xxrffx.exe69⤵PID:4604
-
\??\c:\nnhhbb.exec:\nnhhbb.exe70⤵PID:4404
-
\??\c:\pjpjj.exec:\pjpjj.exe71⤵PID:2896
-
\??\c:\frrlffx.exec:\frrlffx.exe72⤵PID:900
-
\??\c:\5tnnhn.exec:\5tnnhn.exe73⤵PID:2472
-
\??\c:\jpvpj.exec:\jpvpj.exe74⤵PID:4388
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe75⤵PID:4108
-
\??\c:\fffxxxx.exec:\fffxxxx.exe76⤵PID:1056
-
\??\c:\tbhhhb.exec:\tbhhhb.exe77⤵PID:3608
-
\??\c:\ppvpp.exec:\ppvpp.exe78⤵PID:656
-
\??\c:\ddvvp.exec:\ddvvp.exe79⤵PID:3092
-
\??\c:\9xxrllf.exec:\9xxrllf.exe80⤵PID:1160
-
\??\c:\hbhbtt.exec:\hbhbtt.exe81⤵PID:2488
-
\??\c:\jjdvj.exec:\jjdvj.exe82⤵PID:2348
-
\??\c:\rflxrxx.exec:\rflxrxx.exe83⤵PID:1140
-
\??\c:\btnhbn.exec:\btnhbn.exe84⤵PID:464
-
\??\c:\ddddp.exec:\ddddp.exe85⤵PID:612
-
\??\c:\ppvvv.exec:\ppvvv.exe86⤵PID:3968
-
\??\c:\7flfxxl.exec:\7flfxxl.exe87⤵PID:2612
-
\??\c:\nnnhhh.exec:\nnnhhh.exe88⤵PID:2372
-
\??\c:\vjvjj.exec:\vjvjj.exe89⤵PID:1852
-
\??\c:\dvvpj.exec:\dvvpj.exe90⤵PID:4880
-
\??\c:\rlxxfxr.exec:\rlxxfxr.exe91⤵PID:1988
-
\??\c:\tttttn.exec:\tttttn.exe92⤵PID:3288
-
\??\c:\jppjd.exec:\jppjd.exe93⤵PID:5080
-
\??\c:\jdpjj.exec:\jdpjj.exe94⤵PID:4312
-
\??\c:\rlrlxxr.exec:\rlrlxxr.exe95⤵PID:2480
-
\??\c:\btnhbb.exec:\btnhbb.exe96⤵PID:4584
-
\??\c:\nntnhh.exec:\nntnhh.exe97⤵PID:4764
-
\??\c:\vdppj.exec:\vdppj.exe98⤵PID:4020
-
\??\c:\xrxrrll.exec:\xrxrrll.exe99⤵
- System Location Discovery: System Language Discovery
PID:4352 -
\??\c:\nbttnh.exec:\nbttnh.exe100⤵PID:1684
-
\??\c:\jjpdd.exec:\jjpdd.exe101⤵PID:4804
-
\??\c:\jvddv.exec:\jvddv.exe102⤵PID:1432
-
\??\c:\rxlfxrr.exec:\rxlfxrr.exe103⤵PID:2400
-
\??\c:\bttbbt.exec:\bttbbt.exe104⤵PID:4520
-
\??\c:\pvvjd.exec:\pvvjd.exe105⤵PID:2264
-
\??\c:\llrlflf.exec:\llrlflf.exe106⤵PID:536
-
\??\c:\btnbbb.exec:\btnbbb.exe107⤵PID:5092
-
\??\c:\tbnntb.exec:\tbnntb.exe108⤵PID:2164
-
\??\c:\pvjdv.exec:\pvjdv.exe109⤵PID:864
-
\??\c:\3rrlffx.exec:\3rrlffx.exe110⤵PID:3616
-
\??\c:\lffxrlf.exec:\lffxrlf.exe111⤵PID:3516
-
\??\c:\hhthnh.exec:\hhthnh.exe112⤵PID:4844
-
\??\c:\1ppdp.exec:\1ppdp.exe113⤵PID:4428
-
\??\c:\frxfxrr.exec:\frxfxrr.exe114⤵PID:2304
-
\??\c:\nhhbtb.exec:\nhhbtb.exe115⤵PID:1724
-
\??\c:\nbhbtn.exec:\nbhbtn.exe116⤵PID:3376
-
\??\c:\pjjdv.exec:\pjjdv.exe117⤵PID:3688
-
\??\c:\xrxrffx.exec:\xrxrffx.exe118⤵PID:60
-
\??\c:\nnbhbb.exec:\nnbhbb.exe119⤵PID:2576
-
\??\c:\9vdvp.exec:\9vdvp.exe120⤵PID:1424
-
\??\c:\rflflfl.exec:\rflflfl.exe121⤵PID:2092
-
\??\c:\3hnhnn.exec:\3hnhnn.exe122⤵PID:4964
-