Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 01:42
Static task
static1
Behavioral task
behavioral1
Sample
b8058d1dee529ebcb82558093957efe08c0104afeb399c4589f8276b20d4a2d4.exe
Resource
win7-20241023-en
General
-
Target
b8058d1dee529ebcb82558093957efe08c0104afeb399c4589f8276b20d4a2d4.exe
-
Size
453KB
-
MD5
115d6b888b5aec6c8e4d86e66f060e3f
-
SHA1
ad79dce13e451cd9804ef47fedf5f538dee48a10
-
SHA256
b8058d1dee529ebcb82558093957efe08c0104afeb399c4589f8276b20d4a2d4
-
SHA512
c1b2f2acf7c594e435a5de5b01981a29a9e24b1ed6f9e195259e3adc5cb11925bb1527d9ad5ef44f5a113a01891d2842b3d9d9db30ba6ebb0cb6f6df57b456d2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb:q7Tc2NYHUrAwfMp3CDb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4864-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4876-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1932-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-739-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-1361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-1657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1116 ddpjj.exe 2828 ttttnh.exe 736 btbtbn.exe 4892 jvdvj.exe 916 fxfxffl.exe 404 tntnhb.exe 4732 9vdpv.exe 1076 hntnhh.exe 4612 3jpdv.exe 1928 fflfrrf.exe 3396 xxrlfxr.exe 2956 1jvjd.exe 1380 dpvdp.exe 2340 xllfxrl.exe 2620 nbbtnh.exe 4028 vpjvp.exe 1520 pjpdv.exe 1576 htttnn.exe 1936 ddppp.exe 4576 vdpjv.exe 2752 xrrfxrl.exe 5000 1vpjj.exe 2384 xllfrlf.exe 3080 tbtnhb.exe 4680 1rxlrxf.exe 4876 hntthb.exe 4552 rffxrll.exe 1608 3djdp.exe 2364 bnbbtt.exe 4060 1lfxrxf.exe 4772 3djdj.exe 2616 frrlxrl.exe 4824 3ddvv.exe 1620 hbtttb.exe 364 pjdvv.exe 4592 3flxrrl.exe 3444 bbnhtt.exe 2100 pjvpj.exe 5032 xlfxfrf.exe 1768 ddpjj.exe 1084 7jjdd.exe 3752 xrfxfxr.exe 2776 7bnhbb.exe 4052 5pvpj.exe 264 flllllx.exe 3804 fxfrlll.exe 3580 5hhbtn.exe 1248 9jjdv.exe 3440 fxrxrrr.exe 1760 bnbthh.exe 4692 jddvv.exe 4792 xlxrllf.exe 2028 xlrflff.exe 4916 3hnhbb.exe 3092 vdpjv.exe 408 lxfxrrr.exe 2164 lllrlxr.exe 2108 bbbbtb.exe 2016 djjdp.exe 32 jjvjv.exe 4752 rxxlfff.exe 3060 nnnhtn.exe 2096 vppjd.exe 3896 xrllfff.exe -
resource yara_rule behavioral2/memory/4864-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-164-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2364-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-396-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4316-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-1121-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9htntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvdd.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4864 wrote to memory of 1116 4864 b8058d1dee529ebcb82558093957efe08c0104afeb399c4589f8276b20d4a2d4.exe 83 PID 4864 wrote to memory of 1116 4864 b8058d1dee529ebcb82558093957efe08c0104afeb399c4589f8276b20d4a2d4.exe 83 PID 4864 wrote to memory of 1116 4864 b8058d1dee529ebcb82558093957efe08c0104afeb399c4589f8276b20d4a2d4.exe 83 PID 1116 wrote to memory of 2828 1116 ddpjj.exe 84 PID 1116 wrote to memory of 2828 1116 ddpjj.exe 84 PID 1116 wrote to memory of 2828 1116 ddpjj.exe 84 PID 2828 wrote to memory of 736 2828 ttttnh.exe 85 PID 2828 wrote to memory of 736 2828 ttttnh.exe 85 PID 2828 wrote to memory of 736 2828 ttttnh.exe 85 PID 736 wrote to memory of 4892 736 btbtbn.exe 86 PID 736 wrote to memory of 4892 736 btbtbn.exe 86 PID 736 wrote to memory of 4892 736 btbtbn.exe 86 PID 4892 wrote to memory of 916 4892 jvdvj.exe 87 PID 4892 wrote to memory of 916 4892 jvdvj.exe 87 PID 4892 wrote to memory of 916 4892 jvdvj.exe 87 PID 916 wrote to memory of 404 916 fxfxffl.exe 88 PID 916 wrote to memory of 404 916 fxfxffl.exe 88 PID 916 wrote to memory of 404 916 fxfxffl.exe 88 PID 404 wrote to memory of 4732 404 tntnhb.exe 89 PID 404 wrote to memory of 4732 404 tntnhb.exe 89 PID 404 wrote to memory of 4732 404 tntnhb.exe 89 PID 4732 wrote to memory of 1076 4732 9vdpv.exe 90 PID 4732 wrote to memory of 1076 4732 9vdpv.exe 90 PID 4732 wrote to memory of 1076 4732 9vdpv.exe 90 PID 1076 wrote to memory of 4612 1076 hntnhh.exe 91 PID 1076 wrote to memory of 4612 1076 hntnhh.exe 91 PID 1076 wrote to memory of 4612 1076 hntnhh.exe 91 PID 4612 wrote to memory of 1928 4612 3jpdv.exe 92 PID 4612 wrote to memory of 1928 4612 3jpdv.exe 92 PID 4612 wrote to memory of 1928 4612 3jpdv.exe 92 PID 1928 wrote to memory of 3396 1928 fflfrrf.exe 93 PID 1928 wrote to memory of 3396 1928 fflfrrf.exe 93 PID 1928 wrote to memory of 3396 1928 fflfrrf.exe 93 PID 3396 wrote to memory of 2956 3396 xxrlfxr.exe 94 PID 3396 wrote to memory of 2956 3396 xxrlfxr.exe 
94 PID 3396 wrote to memory of 2956 3396 xxrlfxr.exe 94 PID 2956 wrote to memory of 1380 2956 1jvjd.exe 95 PID 2956 wrote to memory of 1380 2956 1jvjd.exe 95 PID 2956 wrote to memory of 1380 2956 1jvjd.exe 95 PID 1380 wrote to memory of 2340 1380 dpvdp.exe 96 PID 1380 wrote to memory of 2340 1380 dpvdp.exe 96 PID 1380 wrote to memory of 2340 1380 dpvdp.exe 96 PID 2340 wrote to memory of 2620 2340 xllfxrl.exe 97 PID 2340 wrote to memory of 2620 2340 xllfxrl.exe 97 PID 2340 wrote to memory of 2620 2340 xllfxrl.exe 97 PID 2620 wrote to memory of 4028 2620 nbbtnh.exe 98 PID 2620 wrote to memory of 4028 2620 nbbtnh.exe 98 PID 2620 wrote to memory of 4028 2620 nbbtnh.exe 98 PID 4028 wrote to memory of 1520 4028 vpjvp.exe 99 PID 4028 wrote to memory of 1520 4028 vpjvp.exe 99 PID 4028 wrote to memory of 1520 4028 vpjvp.exe 99 PID 1520 wrote to memory of 1576 1520 pjpdv.exe 100 PID 1520 wrote to memory of 1576 1520 pjpdv.exe 100 PID 1520 wrote to memory of 1576 1520 pjpdv.exe 100 PID 1576 wrote to memory of 1936 1576 htttnn.exe 101 PID 1576 wrote to memory of 1936 1576 htttnn.exe 101 PID 1576 wrote to memory of 1936 1576 htttnn.exe 101 PID 1936 wrote to memory of 4576 1936 ddppp.exe 102 PID 1936 wrote to memory of 4576 1936 ddppp.exe 102 PID 1936 wrote to memory of 4576 1936 ddppp.exe 102 PID 4576 wrote to memory of 2752 4576 vdpjv.exe 103 PID 4576 wrote to memory of 2752 4576 vdpjv.exe 103 PID 4576 wrote to memory of 2752 4576 vdpjv.exe 103 PID 2752 wrote to memory of 5000 2752 xrrfxrl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8058d1dee529ebcb82558093957efe08c0104afeb399c4589f8276b20d4a2d4.exe"C:\Users\Admin\AppData\Local\Temp\b8058d1dee529ebcb82558093957efe08c0104afeb399c4589f8276b20d4a2d4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\ddpjj.exec:\ddpjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\ttttnh.exec:\ttttnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\btbtbn.exec:\btbtbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\jvdvj.exec:\jvdvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\fxfxffl.exec:\fxfxffl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\tntnhb.exec:\tntnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\9vdpv.exec:\9vdpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\hntnhh.exec:\hntnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\3jpdv.exec:\3jpdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\fflfrrf.exec:\fflfrrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\xxrlfxr.exec:\xxrlfxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\1jvjd.exec:\1jvjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\dpvdp.exec:\dpvdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\xllfxrl.exec:\xllfxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\nbbtnh.exec:\nbbtnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\vpjvp.exec:\vpjvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\pjpdv.exec:\pjpdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\htttnn.exec:\htttnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\ddppp.exec:\ddppp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\vdpjv.exec:\vdpjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\1vpjj.exec:\1vpjj.exe23⤵
- Executes dropped EXE
PID:5000 -
\??\c:\xllfrlf.exec:\xllfrlf.exe24⤵
- Executes dropped EXE
PID:2384 -
\??\c:\tbtnhb.exec:\tbtnhb.exe25⤵
- Executes dropped EXE
PID:3080 -
\??\c:\1rxlrxf.exec:\1rxlrxf.exe26⤵
- Executes dropped EXE
PID:4680 -
\??\c:\hntthb.exec:\hntthb.exe27⤵
- Executes dropped EXE
PID:4876 -
\??\c:\rffxrll.exec:\rffxrll.exe28⤵
- Executes dropped EXE
PID:4552 -
\??\c:\3djdp.exec:\3djdp.exe29⤵
- Executes dropped EXE
PID:1608 -
\??\c:\bnbbtt.exec:\bnbbtt.exe30⤵
- Executes dropped EXE
PID:2364 -
\??\c:\1lfxrxf.exec:\1lfxrxf.exe31⤵
- Executes dropped EXE
PID:4060 -
\??\c:\3djdj.exec:\3djdj.exe32⤵
- Executes dropped EXE
PID:4772 -
\??\c:\frrlxrl.exec:\frrlxrl.exe33⤵
- Executes dropped EXE
PID:2616 -
\??\c:\3ddvv.exec:\3ddvv.exe34⤵
- Executes dropped EXE
PID:4824 -
\??\c:\hbtttb.exec:\hbtttb.exe35⤵
- Executes dropped EXE
PID:1620 -
\??\c:\pjdvv.exec:\pjdvv.exe36⤵
- Executes dropped EXE
PID:364 -
\??\c:\3flxrrl.exec:\3flxrrl.exe37⤵
- Executes dropped EXE
PID:4592 -
\??\c:\bbnhtt.exec:\bbnhtt.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3444 -
\??\c:\pjvpj.exec:\pjvpj.exe39⤵
- Executes dropped EXE
PID:2100 -
\??\c:\xlfxfrf.exec:\xlfxfrf.exe40⤵
- Executes dropped EXE
PID:5032 -
\??\c:\ddpjj.exec:\ddpjj.exe41⤵
- Executes dropped EXE
PID:1768 -
\??\c:\7jjdd.exec:\7jjdd.exe42⤵
- Executes dropped EXE
PID:1084 -
\??\c:\xrfxfxr.exec:\xrfxfxr.exe43⤵
- Executes dropped EXE
PID:3752 -
\??\c:\7bnhbb.exec:\7bnhbb.exe44⤵
- Executes dropped EXE
PID:2776 -
\??\c:\5pvpj.exec:\5pvpj.exe45⤵
- Executes dropped EXE
PID:4052 -
\??\c:\flllllx.exec:\flllllx.exe46⤵
- Executes dropped EXE
PID:264 -
\??\c:\fxfrlll.exec:\fxfrlll.exe47⤵
- Executes dropped EXE
PID:3804 -
\??\c:\5hhbtn.exec:\5hhbtn.exe48⤵
- Executes dropped EXE
PID:3580 -
\??\c:\9jjdv.exec:\9jjdv.exe49⤵
- Executes dropped EXE
PID:1248 -
\??\c:\fxrxrrr.exec:\fxrxrrr.exe50⤵
- Executes dropped EXE
PID:3440 -
\??\c:\bnbthh.exec:\bnbthh.exe51⤵
- Executes dropped EXE
PID:1760 -
\??\c:\jddvv.exec:\jddvv.exe52⤵
- Executes dropped EXE
PID:4692 -
\??\c:\xlxrllf.exec:\xlxrllf.exe53⤵
- Executes dropped EXE
PID:4792 -
\??\c:\xlrflff.exec:\xlrflff.exe54⤵
- Executes dropped EXE
PID:2028 -
\??\c:\3hnhbb.exec:\3hnhbb.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4916 -
\??\c:\vdpjv.exec:\vdpjv.exe56⤵
- Executes dropped EXE
PID:3092 -
\??\c:\lxfxrrr.exec:\lxfxrrr.exe57⤵
- Executes dropped EXE
PID:408 -
\??\c:\lllrlxr.exec:\lllrlxr.exe58⤵
- Executes dropped EXE
PID:2164 -
\??\c:\bbbbtb.exec:\bbbbtb.exe59⤵
- Executes dropped EXE
PID:2108 -
\??\c:\djjdp.exec:\djjdp.exe60⤵
- Executes dropped EXE
PID:2016 -
\??\c:\jjvjv.exec:\jjvjv.exe61⤵
- Executes dropped EXE
PID:32 -
\??\c:\rxxlfff.exec:\rxxlfff.exe62⤵
- Executes dropped EXE
PID:4752 -
\??\c:\nnnhtn.exec:\nnnhtn.exe63⤵
- Executes dropped EXE
PID:3060 -
\??\c:\vppjd.exec:\vppjd.exe64⤵
- Executes dropped EXE
PID:2096 -
\??\c:\xrllfff.exec:\xrllfff.exe65⤵
- Executes dropped EXE
PID:3896 -
\??\c:\9nnhtt.exec:\9nnhtt.exe66⤵PID:2448
-
\??\c:\tnnhtn.exec:\tnnhtn.exe67⤵PID:2956
-
\??\c:\pjjdv.exec:\pjjdv.exe68⤵PID:4964
-
\??\c:\vjjvj.exec:\vjjvj.exe69⤵PID:4256
-
\??\c:\xlxrrrr.exec:\xlxrrrr.exe70⤵PID:2428
-
\??\c:\ppjvp.exec:\ppjvp.exe71⤵PID:1932
-
\??\c:\rrxrfxx.exec:\rrxrfxx.exe72⤵PID:1460
-
\??\c:\5tbhhh.exec:\5tbhhh.exe73⤵PID:4820
-
\??\c:\tttnhb.exec:\tttnhb.exe74⤵PID:3572
-
\??\c:\dddvv.exec:\dddvv.exe75⤵PID:4536
-
\??\c:\frxrffx.exec:\frxrffx.exe76⤵PID:4728
-
\??\c:\1tnnbb.exec:\1tnnbb.exe77⤵PID:4260
-
\??\c:\tbhhtt.exec:\tbhhtt.exe78⤵PID:2516
-
\??\c:\jjjdp.exec:\jjjdp.exe79⤵PID:4368
-
\??\c:\xflrlxx.exec:\xflrlxx.exe80⤵PID:1120
-
\??\c:\1bbnhn.exec:\1bbnhn.exe81⤵PID:60
-
\??\c:\1btnhh.exec:\1btnhh.exe82⤵PID:1700
-
\??\c:\jjjdp.exec:\jjjdp.exe83⤵PID:1584
-
\??\c:\fflfrlf.exec:\fflfrlf.exe84⤵PID:5108
-
\??\c:\hhtnhb.exec:\hhtnhb.exe85⤵PID:1488
-
\??\c:\dpvpd.exec:\dpvpd.exe86⤵PID:4876
-
\??\c:\xflxlfx.exec:\xflxlfx.exe87⤵PID:3404
-
\??\c:\bhhbnh.exec:\bhhbnh.exe88⤵PID:3108
-
\??\c:\vpdvv.exec:\vpdvv.exe89⤵PID:3120
-
\??\c:\9vdvd.exec:\9vdvd.exe90⤵PID:2364
-
\??\c:\rrrlfxx.exec:\rrrlfxx.exe91⤵PID:4640
-
\??\c:\7tthbt.exec:\7tthbt.exe92⤵PID:3260
-
\??\c:\pvvvj.exec:\pvvvj.exe93⤵PID:4772
-
\??\c:\jddvp.exec:\jddvp.exe94⤵PID:4764
-
\??\c:\lrrfllx.exec:\lrrfllx.exe95⤵PID:3428
-
\??\c:\htbnbt.exec:\htbnbt.exe96⤵PID:4020
-
\??\c:\9ttnhb.exec:\9ttnhb.exe97⤵PID:4928
-
\??\c:\jvdpv.exec:\jvdpv.exe98⤵PID:2196
-
\??\c:\9lrrxxl.exec:\9lrrxxl.exe99⤵PID:3576
-
\??\c:\rlflflf.exec:\rlflflf.exe100⤵PID:4704
-
\??\c:\5hntnb.exec:\5hntnb.exe101⤵PID:4228
-
\??\c:\pjpdd.exec:\pjpdd.exe102⤵PID:4736
-
\??\c:\9frffff.exec:\9frffff.exe103⤵PID:2316
-
\??\c:\7tbtnh.exec:\7tbtnh.exe104⤵PID:1084
-
\??\c:\tntnbh.exec:\tntnbh.exe105⤵PID:2960
-
\??\c:\7ddpj.exec:\7ddpj.exe106⤵PID:320
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe107⤵PID:4316
-
\??\c:\hhhtnb.exec:\hhhtnb.exe108⤵PID:4532
-
\??\c:\ttbntt.exec:\ttbntt.exe109⤵PID:2980
-
\??\c:\5ddpj.exec:\5ddpj.exe110⤵PID:3100
-
\??\c:\rffxrrl.exec:\rffxrrl.exe111⤵PID:3580
-
\??\c:\bntnhh.exec:\bntnhh.exe112⤵PID:1248
-
\??\c:\pdpdv.exec:\pdpdv.exe113⤵PID:3904
-
\??\c:\flrlxxr.exec:\flrlxxr.exe114⤵PID:2796
-
\??\c:\thnbbn.exec:\thnbbn.exe115⤵PID:804
-
\??\c:\htnhhb.exec:\htnhhb.exe116⤵PID:2848
-
\??\c:\jjdvd.exec:\jjdvd.exe117⤵PID:2244
-
\??\c:\xlrlfxx.exec:\xlrlfxx.exe118⤵PID:916
-
\??\c:\5tnnbb.exec:\5tnnbb.exe119⤵PID:404
-
\??\c:\pjvvp.exec:\pjvvp.exe120⤵PID:4184
-
\??\c:\lxlxfxf.exec:\lxlxfxf.exe121⤵PID:2144
-
\??\c:\lfrffff.exec:\lfrffff.exe122⤵PID:1076