Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 00:26
Static task
static1
Behavioral task
behavioral1
Sample
158b0359b582b072c072ad357f1c70581118670de826897a5d5f46041b2094a4.exe
Resource
win7-20241010-en
General
-
Target
158b0359b582b072c072ad357f1c70581118670de826897a5d5f46041b2094a4.exe
-
Size
453KB
-
MD5
1744fd1a4552cca6be0ca192754652a4
-
SHA1
8d55a97e4cb69a2d126c8a5b1f43e43304e39e0a
-
SHA256
158b0359b582b072c072ad357f1c70581118670de826897a5d5f46041b2094a4
-
SHA512
1ad89f3251166a13c3b7af147669886bd35c85e31e1eb6f30a303ab0ece86645d7756a1c9a712529747cc438e62e9da62c02d4a7e2805470525fbfed11bf9bed
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1:q7Tc2NYHUrAwfMp3CD1
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2508-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3604-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/668-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-837-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-1861-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2800 dvdpv.exe 1224 tbhthb.exe 820 jppdv.exe 1848 xrxxxff.exe 2764 thhbbn.exe 368 jpjjd.exe 3124 dddpd.exe 1560 lffrfxl.exe 3660 jpjvp.exe 2172 xfxrfxl.exe 1140 vpddp.exe 1692 pjpdp.exe 3612 fffxlfx.exe 4896 7nhbnn.exe 2248 pjpdp.exe 264 1dvjv.exe 3508 xlfrlfx.exe 4496 tnhtnh.exe 776 tntbnh.exe 3248 pjddv.exe 5076 fxfrfxx.exe 1664 lllxrlx.exe 3328 flrlfxr.exe 812 ttnbtn.exe 4316 vjvpd.exe 2640 lxxlffr.exe 3604 pjvpj.exe 4252 dvvpp.exe 4180 bbnnbh.exe 2020 djjdp.exe 4272 jdjvv.exe 3540 rxxlxlx.exe 4112 1tthtn.exe 1492 jppdj.exe 448 1rlfxxl.exe 1304 bnhbnh.exe 1484 htbnbn.exe 1272 dpvjp.exe 3388 vvvvv.exe 2132 3rxrllf.exe 1772 tbhhbt.exe 2532 vjppv.exe 1980 vpjjv.exe 1524 xffxrll.exe 2984 lxrrrrr.exe 3280 htbhbh.exe 3596 jpppj.exe 2444 fxxrrfl.exe 1640 tntntn.exe 1480 9jvvd.exe 2140 xllxrlf.exe 3116 nhnhtn.exe 3520 vjvpd.exe 4568 xxfxxrl.exe 4440 tbbthn.exe 3088 5jjvj.exe 3244 5xxlxrf.exe 4508 jvvpj.exe 3112 dvvjv.exe 1848 rlfrlrl.exe 4552 hntnhh.exe 1232 9djvj.exe 3828 jvvjv.exe 4704 xxxlflx.exe -
resource yara_rule behavioral2/memory/2508-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3540-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-396-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4828-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-837-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-964-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlxrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhtnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2508 wrote to memory of 2800 2508 158b0359b582b072c072ad357f1c70581118670de826897a5d5f46041b2094a4.exe 82 PID 2508 wrote to memory of 2800 2508 158b0359b582b072c072ad357f1c70581118670de826897a5d5f46041b2094a4.exe 82 PID 2508 wrote to memory of 2800 2508 158b0359b582b072c072ad357f1c70581118670de826897a5d5f46041b2094a4.exe 82 PID 2800 wrote to memory of 1224 2800 dvdpv.exe 83 PID 2800 wrote to memory of 1224 2800 dvdpv.exe 83 PID 2800 wrote to memory of 1224 2800 dvdpv.exe 83 PID 1224 wrote to memory of 820 1224 tbhthb.exe 84 PID 1224 wrote to memory of 820 1224 tbhthb.exe 84 PID 1224 wrote to memory of 820 1224 tbhthb.exe 84 PID 820 wrote to memory of 1848 820 jppdv.exe 85 PID 820 wrote to memory of 1848 820 jppdv.exe 85 PID 820 wrote to memory of 1848 820 jppdv.exe 85 PID 1848 wrote to memory of 2764 1848 xrxxxff.exe 86 PID 1848 wrote to memory of 2764 1848 xrxxxff.exe 86 PID 1848 wrote to memory of 2764 1848 xrxxxff.exe 86 PID 2764 wrote to memory of 368 2764 thhbbn.exe 87 PID 2764 wrote to memory of 368 2764 thhbbn.exe 87 PID 2764 wrote to memory of 368 2764 thhbbn.exe 87 PID 368 wrote to memory of 3124 368 jpjjd.exe 88 PID 368 wrote to memory of 3124 368 jpjjd.exe 88 PID 368 wrote to memory of 3124 368 jpjjd.exe 88 PID 3124 wrote to memory of 1560 3124 dddpd.exe 89 PID 3124 wrote to memory of 1560 3124 dddpd.exe 89 PID 3124 wrote to memory of 1560 3124 dddpd.exe 89 PID 1560 wrote to memory of 3660 1560 lffrfxl.exe 90 PID 1560 wrote to memory of 3660 1560 lffrfxl.exe 90 PID 1560 wrote to memory of 3660 1560 lffrfxl.exe 90 PID 3660 wrote to memory of 2172 3660 jpjvp.exe 91 PID 3660 wrote to memory of 2172 3660 jpjvp.exe 91 PID 3660 wrote to memory of 2172 3660 jpjvp.exe 91 PID 2172 wrote to memory of 1140 2172 xfxrfxl.exe 92 PID 2172 wrote to memory of 1140 2172 xfxrfxl.exe 92 PID 2172 wrote to memory of 1140 2172 xfxrfxl.exe 92 PID 1140 wrote to memory of 1692 1140 vpddp.exe 93 PID 1140 wrote to memory of 1692 1140 
vpddp.exe 93 PID 1140 wrote to memory of 1692 1140 vpddp.exe 93 PID 1692 wrote to memory of 3612 1692 pjpdp.exe 94 PID 1692 wrote to memory of 3612 1692 pjpdp.exe 94 PID 1692 wrote to memory of 3612 1692 pjpdp.exe 94 PID 3612 wrote to memory of 4896 3612 fffxlfx.exe 95 PID 3612 wrote to memory of 4896 3612 fffxlfx.exe 95 PID 3612 wrote to memory of 4896 3612 fffxlfx.exe 95 PID 4896 wrote to memory of 2248 4896 7nhbnn.exe 96 PID 4896 wrote to memory of 2248 4896 7nhbnn.exe 96 PID 4896 wrote to memory of 2248 4896 7nhbnn.exe 96 PID 2248 wrote to memory of 264 2248 pjpdp.exe 97 PID 2248 wrote to memory of 264 2248 pjpdp.exe 97 PID 2248 wrote to memory of 264 2248 pjpdp.exe 97 PID 264 wrote to memory of 3508 264 1dvjv.exe 98 PID 264 wrote to memory of 3508 264 1dvjv.exe 98 PID 264 wrote to memory of 3508 264 1dvjv.exe 98 PID 3508 wrote to memory of 4496 3508 xlfrlfx.exe 99 PID 3508 wrote to memory of 4496 3508 xlfrlfx.exe 99 PID 3508 wrote to memory of 4496 3508 xlfrlfx.exe 99 PID 4496 wrote to memory of 776 4496 tnhtnh.exe 100 PID 4496 wrote to memory of 776 4496 tnhtnh.exe 100 PID 4496 wrote to memory of 776 4496 tnhtnh.exe 100 PID 776 wrote to memory of 3248 776 tntbnh.exe 101 PID 776 wrote to memory of 3248 776 tntbnh.exe 101 PID 776 wrote to memory of 3248 776 tntbnh.exe 101 PID 3248 wrote to memory of 5076 3248 pjddv.exe 102 PID 3248 wrote to memory of 5076 3248 pjddv.exe 102 PID 3248 wrote to memory of 5076 3248 pjddv.exe 102 PID 5076 wrote to memory of 1664 5076 fxfrfxx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\158b0359b582b072c072ad357f1c70581118670de826897a5d5f46041b2094a4.exe"C:\Users\Admin\AppData\Local\Temp\158b0359b582b072c072ad357f1c70581118670de826897a5d5f46041b2094a4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\dvdpv.exec:\dvdpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\tbhthb.exec:\tbhthb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\jppdv.exec:\jppdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\xrxxxff.exec:\xrxxxff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\thhbbn.exec:\thhbbn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\jpjjd.exec:\jpjjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\dddpd.exec:\dddpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\lffrfxl.exec:\lffrfxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\jpjvp.exec:\jpjvp.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\xfxrfxl.exec:\xfxrfxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\vpddp.exec:\vpddp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\pjpdp.exec:\pjpdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\fffxlfx.exec:\fffxlfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\7nhbnn.exec:\7nhbnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\pjpdp.exec:\pjpdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\1dvjv.exec:\1dvjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\xlfrlfx.exec:\xlfrlfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\tnhtnh.exec:\tnhtnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\tntbnh.exec:\tntbnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\pjddv.exec:\pjddv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\fxfrfxx.exec:\fxfrfxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\lllxrlx.exec:\lllxrlx.exe23⤵
- Executes dropped EXE
PID:1664 -
\??\c:\flrlfxr.exec:\flrlfxr.exe24⤵
- Executes dropped EXE
PID:3328 -
\??\c:\ttnbtn.exec:\ttnbtn.exe25⤵
- Executes dropped EXE
PID:812 -
\??\c:\vjvpd.exec:\vjvpd.exe26⤵
- Executes dropped EXE
PID:4316 -
\??\c:\lxxlffr.exec:\lxxlffr.exe27⤵
- Executes dropped EXE
PID:2640 -
\??\c:\pjvpj.exec:\pjvpj.exe28⤵
- Executes dropped EXE
PID:3604 -
\??\c:\dvvpp.exec:\dvvpp.exe29⤵
- Executes dropped EXE
PID:4252 -
\??\c:\bbnnbh.exec:\bbnnbh.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4180 -
\??\c:\djjdp.exec:\djjdp.exe31⤵
- Executes dropped EXE
PID:2020 -
\??\c:\jdjvv.exec:\jdjvv.exe32⤵
- Executes dropped EXE
PID:4272 -
\??\c:\rxxlxlx.exec:\rxxlxlx.exe33⤵
- Executes dropped EXE
PID:3540 -
\??\c:\1tthtn.exec:\1tthtn.exe34⤵
- Executes dropped EXE
PID:4112 -
\??\c:\jppdj.exec:\jppdj.exe35⤵
- Executes dropped EXE
PID:1492 -
\??\c:\1rlfxxl.exec:\1rlfxxl.exe36⤵
- Executes dropped EXE
PID:448 -
\??\c:\bnhbnh.exec:\bnhbnh.exe37⤵
- Executes dropped EXE
PID:1304 -
\??\c:\htbnbn.exec:\htbnbn.exe38⤵
- Executes dropped EXE
PID:1484 -
\??\c:\dpvjp.exec:\dpvjp.exe39⤵
- Executes dropped EXE
PID:1272 -
\??\c:\vvvvv.exec:\vvvvv.exe40⤵
- Executes dropped EXE
PID:3388 -
\??\c:\3rxrllf.exec:\3rxrllf.exe41⤵
- Executes dropped EXE
PID:2132 -
\??\c:\tbhhbt.exec:\tbhhbt.exe42⤵
- Executes dropped EXE
PID:1772 -
\??\c:\vjppv.exec:\vjppv.exe43⤵
- Executes dropped EXE
PID:2532 -
\??\c:\vpjjv.exec:\vpjjv.exe44⤵
- Executes dropped EXE
PID:1980 -
\??\c:\xffxrll.exec:\xffxrll.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1524 -
\??\c:\lxrrrrr.exec:\lxrrrrr.exe46⤵
- Executes dropped EXE
PID:2984 -
\??\c:\htbhbh.exec:\htbhbh.exe47⤵
- Executes dropped EXE
PID:3280 -
\??\c:\jpppj.exec:\jpppj.exe48⤵
- Executes dropped EXE
PID:3596 -
\??\c:\fxxrrfl.exec:\fxxrrfl.exe49⤵
- Executes dropped EXE
PID:2444 -
\??\c:\tntntn.exec:\tntntn.exe50⤵
- Executes dropped EXE
PID:1640 -
\??\c:\9jvvd.exec:\9jvvd.exe51⤵
- Executes dropped EXE
PID:1480 -
\??\c:\xllxrlf.exec:\xllxrlf.exe52⤵
- Executes dropped EXE
PID:2140 -
\??\c:\nhnhtn.exec:\nhnhtn.exe53⤵
- Executes dropped EXE
PID:3116 -
\??\c:\vjvpd.exec:\vjvpd.exe54⤵
- Executes dropped EXE
PID:3520 -
\??\c:\xxfxxrl.exec:\xxfxxrl.exe55⤵
- Executes dropped EXE
PID:4568 -
\??\c:\tbbthn.exec:\tbbthn.exe56⤵
- Executes dropped EXE
PID:4440 -
\??\c:\5jjvj.exec:\5jjvj.exe57⤵
- Executes dropped EXE
PID:3088 -
\??\c:\5xxlxrf.exec:\5xxlxrf.exe58⤵
- Executes dropped EXE
PID:3244 -
\??\c:\jvvpj.exec:\jvvpj.exe59⤵
- Executes dropped EXE
PID:4508 -
\??\c:\dvvjv.exec:\dvvjv.exe60⤵
- Executes dropped EXE
PID:3112 -
\??\c:\rlfrlrl.exec:\rlfrlrl.exe61⤵
- Executes dropped EXE
PID:1848 -
\??\c:\hntnhh.exec:\hntnhh.exe62⤵
- Executes dropped EXE
PID:4552 -
\??\c:\9djvj.exec:\9djvj.exe63⤵
- Executes dropped EXE
PID:1232 -
\??\c:\jvvjv.exec:\jvvjv.exe64⤵
- Executes dropped EXE
PID:3828 -
\??\c:\xxxlflx.exec:\xxxlflx.exe65⤵
- Executes dropped EXE
PID:4704 -
\??\c:\hnnbth.exec:\hnnbth.exe66⤵PID:3124
-
\??\c:\vjvjv.exec:\vjvjv.exe67⤵PID:5012
-
\??\c:\jvdpd.exec:\jvdpd.exe68⤵PID:5056
-
\??\c:\5xxlfxx.exec:\5xxlfxx.exe69⤵PID:4372
-
\??\c:\nnttnh.exec:\nnttnh.exe70⤵PID:2484
-
\??\c:\5vvpj.exec:\5vvpj.exe71⤵PID:5044
-
\??\c:\rllfrrl.exec:\rllfrrl.exe72⤵PID:1464
-
\??\c:\7bbbtt.exec:\7bbbtt.exe73⤵PID:1904
-
\??\c:\ttbbnn.exec:\ttbbnn.exe74⤵PID:636
-
\??\c:\1ddvp.exec:\1ddvp.exe75⤵PID:668
-
\??\c:\xxxrrrr.exec:\xxxrrrr.exe76⤵PID:3704
-
\??\c:\ntthhb.exec:\ntthhb.exe77⤵PID:4908
-
\??\c:\5jjvj.exec:\5jjvj.exe78⤵PID:4804
-
\??\c:\llrrllr.exec:\llrrllr.exe79⤵PID:4312
-
\??\c:\lfrllfx.exec:\lfrllfx.exe80⤵PID:224
-
\??\c:\9ppjp.exec:\9ppjp.exe81⤵PID:3348
-
\??\c:\1ffrrlr.exec:\1ffrrlr.exe82⤵PID:528
-
\??\c:\ntbnbt.exec:\ntbnbt.exe83⤵PID:4380
-
\??\c:\5ddvj.exec:\5ddvj.exe84⤵PID:4012
-
\??\c:\lxfrfrf.exec:\lxfrfrf.exe85⤵PID:3588
-
\??\c:\rfrxrfl.exec:\rfrxrfl.exe86⤵PID:432
-
\??\c:\htnbnh.exec:\htnbnh.exe87⤵PID:1728
-
\??\c:\pjjjd.exec:\pjjjd.exe88⤵PID:4276
-
\??\c:\flrfrfr.exec:\flrfrfr.exe89⤵PID:5048
-
\??\c:\fflllff.exec:\fflllff.exe90⤵PID:1748
-
\??\c:\nbbtbt.exec:\nbbtbt.exe91⤵PID:928
-
\??\c:\vjjvj.exec:\vjjvj.exe92⤵PID:1300
-
\??\c:\fxfrrrl.exec:\fxfrrrl.exe93⤵PID:5116
-
\??\c:\rffxxll.exec:\rffxxll.exe94⤵PID:3604
-
\??\c:\thnhth.exec:\thnhth.exe95⤵PID:4616
-
\??\c:\pddvv.exec:\pddvv.exe96⤵PID:4828
-
\??\c:\rxlrfrf.exec:\rxlrfrf.exe97⤵PID:4120
-
\??\c:\hhtnht.exec:\hhtnht.exe98⤵PID:736
-
\??\c:\dvvpv.exec:\dvvpv.exe99⤵PID:4144
-
\??\c:\vpvjj.exec:\vpvjj.exe100⤵PID:1964
-
\??\c:\rfxrxrl.exec:\rfxrxrl.exe101⤵PID:1468
-
\??\c:\9btthh.exec:\9btthh.exe102⤵PID:3600
-
\??\c:\3nhbnn.exec:\3nhbnn.exe103⤵PID:2740
-
\??\c:\pvdvp.exec:\pvdvp.exe104⤵PID:2896
-
\??\c:\ffxrfxr.exec:\ffxrfxr.exe105⤵PID:3576
-
\??\c:\nnnbhb.exec:\nnnbhb.exe106⤵PID:2616
-
\??\c:\vdvpj.exec:\vdvpj.exe107⤵PID:1768
-
\??\c:\xlffxxl.exec:\xlffxxl.exe108⤵PID:1428
-
\??\c:\tnbtbb.exec:\tnbtbb.exe109⤵PID:4216
-
\??\c:\5tnbnn.exec:\5tnbnn.exe110⤵
- System Location Discovery: System Language Discovery
PID:2076 -
\??\c:\1jpdj.exec:\1jpdj.exe111⤵PID:3788
-
\??\c:\llffxrl.exec:\llffxrl.exe112⤵PID:1036
-
\??\c:\9hnhnn.exec:\9hnhnn.exe113⤵PID:4360
-
\??\c:\pdvjv.exec:\pdvjv.exe114⤵PID:3204
-
\??\c:\9xfrlxr.exec:\9xfrlxr.exe115⤵PID:396
-
\??\c:\5flfxxx.exec:\5flfxxx.exe116⤵PID:1264
-
\??\c:\nhthbt.exec:\nhthbt.exe117⤵PID:4192
-
\??\c:\pvpjd.exec:\pvpjd.exe118⤵PID:3180
-
\??\c:\5rxrxrl.exec:\5rxrxrl.exe119⤵
- System Location Discovery: System Language Discovery
PID:5024 -
\??\c:\5nthbt.exec:\5nthbt.exe120⤵PID:3848
-
\??\c:\vjdpd.exec:\vjdpd.exe121⤵PID:3320
-
\??\c:\3pppv.exec:\3pppv.exe122⤵PID:4484