Analysis
-
max time kernel
120s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 09:01
Static task
static1
Behavioral task
behavioral1
Sample
551ca38b20b40d7c1beb309677f2a466981067d27846c447094edb0fa3f7a779.exe
Resource
win7-20241010-en
General
-
Target
551ca38b20b40d7c1beb309677f2a466981067d27846c447094edb0fa3f7a779.exe
-
Size
456KB
-
MD5
67ede20ca1951016d4d3d533898ccecb
-
SHA1
c0dd03efcc764e463019c7ac6365a38bc000e098
-
SHA256
551ca38b20b40d7c1beb309677f2a466981067d27846c447094edb0fa3f7a779
-
SHA512
3a2b9d95bcd4d2080ce4bc8c357b3db884980dbddee0df17ac66c6f58596cbeeb3af48b91d7b0048ad8bc09c4bb0bcc74ecef556e9e65f2e1b5e7f9243c9cc8c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbelE:q7Tc2NYHUrAwfMp3CDq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/748-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1452-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3712-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/592-929-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3648-1182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2024 djjjp.exe 4456 hhhhhh.exe 4928 jdjjp.exe 3888 ffrrlxx.exe 2044 bttnnt.exe 4472 rlrxflr.exe 3528 pvvvv.exe 2788 lrrfffx.exe 3096 hnnntb.exe 4696 fllllxx.exe 3692 ttnhhn.exe 1408 jppdd.exe 2744 xflxllf.exe 3672 vddjd.exe 3240 lflfxfr.exe 3224 pvjdp.exe 4040 7bhhhn.exe 1936 jpvpp.exe 4112 ffrxfff.exe 1420 bnhntn.exe 4012 jjppp.exe 3960 bbnhbh.exe 2148 lffffll.exe 1452 pvvpp.exe 1972 xrrrlrr.exe 3440 rfrlrfl.exe 2512 tttnnh.exe 2144 xrlxxrx.exe 768 1ddpp.exe 2320 nnbnnn.exe 4612 fllfxxx.exe 4556 bhhhht.exe 2932 tttbhn.exe 3132 dvvdv.exe 3880 rffffff.exe 2152 9pppv.exe 3472 rlrlflf.exe 2304 nthhhh.exe 892 xfffrrf.exe 1928 rfxxxxx.exe 1724 bnnntt.exe 3908 pdvdd.exe 3976 ffxlrrx.exe 4408 3thhnt.exe 4404 ppvdp.exe 1532 rllrlxx.exe 4340 bhbhnt.exe 1464 vjppj.exe 4684 rllxrlf.exe 2368 bbhtbh.exe 4108 ddjjd.exe 2380 pdjvv.exe 3420 bhhhhh.exe 2376 nnbnnt.exe 3888 9dvpp.exe 2044 xrxlflf.exe 4692 tbnntb.exe 652 vvjjd.exe 2104 xfrlxxl.exe 2788 nntthn.exe 2728 hbhhhn.exe 736 jppvj.exe 4452 9rxxxff.exe 2688 nbhbtn.exe -
resource yara_rule behavioral2/memory/748-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2512-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-359-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4804-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-664-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9flfxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlrfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 748 wrote to memory of 2024 748 551ca38b20b40d7c1beb309677f2a466981067d27846c447094edb0fa3f7a779.exe 83 PID 748 wrote to memory of 2024 748 551ca38b20b40d7c1beb309677f2a466981067d27846c447094edb0fa3f7a779.exe 83 PID 748 wrote to memory of 2024 748 551ca38b20b40d7c1beb309677f2a466981067d27846c447094edb0fa3f7a779.exe 83 PID 2024 wrote to memory of 4456 2024 djjjp.exe 84 PID 2024 wrote to memory of 4456 2024 djjjp.exe 84 PID 2024 wrote to memory of 4456 2024 djjjp.exe 84 PID 4456 wrote to memory of 4928 4456 hhhhhh.exe 85 PID 4456 wrote to memory of 4928 4456 hhhhhh.exe 85 PID 4456 wrote to memory of 4928 4456 hhhhhh.exe 85 PID 4928 wrote to memory of 3888 4928 jdjjp.exe 86 PID 4928 wrote to memory of 3888 4928 jdjjp.exe 86 PID 4928 wrote to memory of 3888 4928 jdjjp.exe 86 PID 3888 wrote to memory of 2044 3888 ffrrlxx.exe 87 PID 3888 wrote to memory of 2044 3888 ffrrlxx.exe 87 PID 3888 wrote to memory of 2044 3888 ffrrlxx.exe 87 PID 2044 wrote to memory of 4472 2044 bttnnt.exe 88 PID 2044 wrote to memory of 4472 2044 bttnnt.exe 88 PID 2044 wrote to memory of 4472 2044 bttnnt.exe 88 PID 4472 wrote to memory of 3528 4472 rlrxflr.exe 89 PID 4472 wrote to memory of 3528 4472 rlrxflr.exe 89 PID 4472 wrote to memory of 3528 4472 rlrxflr.exe 89 PID 3528 wrote to memory of 2788 3528 pvvvv.exe 90 PID 3528 wrote to memory of 2788 3528 pvvvv.exe 90 PID 3528 wrote to memory of 2788 3528 pvvvv.exe 90 PID 2788 wrote to memory of 3096 2788 lrrfffx.exe 91 PID 2788 wrote to memory of 3096 2788 lrrfffx.exe 91 PID 2788 wrote to memory of 3096 2788 lrrfffx.exe 91 PID 3096 wrote to memory of 4696 3096 hnnntb.exe 92 PID 3096 wrote to memory of 4696 3096 hnnntb.exe 92 PID 3096 wrote to memory of 4696 3096 hnnntb.exe 92 PID 4696 wrote to memory of 3692 4696 fllllxx.exe 93 PID 4696 wrote to memory of 3692 4696 fllllxx.exe 93 PID 4696 wrote to memory of 3692 4696 fllllxx.exe 93 PID 3692 wrote to memory of 1408 3692 ttnhhn.exe 94 PID 3692 wrote to 
memory of 1408 3692 ttnhhn.exe 94 PID 3692 wrote to memory of 1408 3692 ttnhhn.exe 94 PID 1408 wrote to memory of 2744 1408 jppdd.exe 95 PID 1408 wrote to memory of 2744 1408 jppdd.exe 95 PID 1408 wrote to memory of 2744 1408 jppdd.exe 95 PID 2744 wrote to memory of 3672 2744 xflxllf.exe 96 PID 2744 wrote to memory of 3672 2744 xflxllf.exe 96 PID 2744 wrote to memory of 3672 2744 xflxllf.exe 96 PID 3672 wrote to memory of 3240 3672 vddjd.exe 97 PID 3672 wrote to memory of 3240 3672 vddjd.exe 97 PID 3672 wrote to memory of 3240 3672 vddjd.exe 97 PID 3240 wrote to memory of 3224 3240 lflfxfr.exe 98 PID 3240 wrote to memory of 3224 3240 lflfxfr.exe 98 PID 3240 wrote to memory of 3224 3240 lflfxfr.exe 98 PID 3224 wrote to memory of 4040 3224 pvjdp.exe 99 PID 3224 wrote to memory of 4040 3224 pvjdp.exe 99 PID 3224 wrote to memory of 4040 3224 pvjdp.exe 99 PID 4040 wrote to memory of 1936 4040 7bhhhn.exe 100 PID 4040 wrote to memory of 1936 4040 7bhhhn.exe 100 PID 4040 wrote to memory of 1936 4040 7bhhhn.exe 100 PID 1936 wrote to memory of 4112 1936 jpvpp.exe 101 PID 1936 wrote to memory of 4112 1936 jpvpp.exe 101 PID 1936 wrote to memory of 4112 1936 jpvpp.exe 101 PID 4112 wrote to memory of 1420 4112 ffrxfff.exe 102 PID 4112 wrote to memory of 1420 4112 ffrxfff.exe 102 PID 4112 wrote to memory of 1420 4112 ffrxfff.exe 102 PID 1420 wrote to memory of 4012 1420 bnhntn.exe 103 PID 1420 wrote to memory of 4012 1420 bnhntn.exe 103 PID 1420 wrote to memory of 4012 1420 bnhntn.exe 103 PID 4012 wrote to memory of 3960 4012 jjppp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\551ca38b20b40d7c1beb309677f2a466981067d27846c447094edb0fa3f7a779.exe"C:\Users\Admin\AppData\Local\Temp\551ca38b20b40d7c1beb309677f2a466981067d27846c447094edb0fa3f7a779.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\djjjp.exec:\djjjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\hhhhhh.exec:\hhhhhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\jdjjp.exec:\jdjjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\ffrrlxx.exec:\ffrrlxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\bttnnt.exec:\bttnnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\rlrxflr.exec:\rlrxflr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\pvvvv.exec:\pvvvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\lrrfffx.exec:\lrrfffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\hnnntb.exec:\hnnntb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\fllllxx.exec:\fllllxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\ttnhhn.exec:\ttnhhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\jppdd.exec:\jppdd.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\xflxllf.exec:\xflxllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\vddjd.exec:\vddjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\lflfxfr.exec:\lflfxfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\pvjdp.exec:\pvjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
\??\c:\7bhhhn.exec:\7bhhhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\jpvpp.exec:\jpvpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\ffrxfff.exec:\ffrxfff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\bnhntn.exec:\bnhntn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\jjppp.exec:\jjppp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\bbnhbh.exec:\bbnhbh.exe23⤵
- Executes dropped EXE
PID:3960 -
\??\c:\lffffll.exec:\lffffll.exe24⤵
- Executes dropped EXE
PID:2148 -
\??\c:\pvvpp.exec:\pvvpp.exe25⤵
- Executes dropped EXE
PID:1452 -
\??\c:\xrrrlrr.exec:\xrrrlrr.exe26⤵
- Executes dropped EXE
PID:1972 -
\??\c:\rfrlrfl.exec:\rfrlrfl.exe27⤵
- Executes dropped EXE
PID:3440 -
\??\c:\tttnnh.exec:\tttnnh.exe28⤵
- Executes dropped EXE
PID:2512 -
\??\c:\xrlxxrx.exec:\xrlxxrx.exe29⤵
- Executes dropped EXE
PID:2144 -
\??\c:\1ddpp.exec:\1ddpp.exe30⤵
- Executes dropped EXE
PID:768 -
\??\c:\nnbnnn.exec:\nnbnnn.exe31⤵
- Executes dropped EXE
PID:2320 -
\??\c:\fllfxxx.exec:\fllfxxx.exe32⤵
- Executes dropped EXE
PID:4612 -
\??\c:\bhhhht.exec:\bhhhht.exe33⤵
- Executes dropped EXE
PID:4556 -
\??\c:\tttbhn.exec:\tttbhn.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2932 -
\??\c:\dvvdv.exec:\dvvdv.exe35⤵
- Executes dropped EXE
PID:3132 -
\??\c:\rffffff.exec:\rffffff.exe36⤵
- Executes dropped EXE
PID:3880 -
\??\c:\9pppv.exec:\9pppv.exe37⤵
- Executes dropped EXE
PID:2152 -
\??\c:\rlrlflf.exec:\rlrlflf.exe38⤵
- Executes dropped EXE
PID:3472 -
\??\c:\nthhhh.exec:\nthhhh.exe39⤵
- Executes dropped EXE
PID:2304 -
\??\c:\xfffrrf.exec:\xfffrrf.exe40⤵
- Executes dropped EXE
PID:892 -
\??\c:\rfxxxxx.exec:\rfxxxxx.exe41⤵
- Executes dropped EXE
PID:1928 -
\??\c:\bnnntt.exec:\bnnntt.exe42⤵
- Executes dropped EXE
PID:1724 -
\??\c:\pdvdd.exec:\pdvdd.exe43⤵
- Executes dropped EXE
PID:3908 -
\??\c:\ffxlrrx.exec:\ffxlrrx.exe44⤵
- Executes dropped EXE
PID:3976 -
\??\c:\3thhnt.exec:\3thhnt.exe45⤵
- Executes dropped EXE
PID:4408 -
\??\c:\ppvdp.exec:\ppvdp.exe46⤵
- Executes dropped EXE
PID:4404 -
\??\c:\rllrlxx.exec:\rllrlxx.exe47⤵
- Executes dropped EXE
PID:1532 -
\??\c:\bhbhnt.exec:\bhbhnt.exe48⤵
- Executes dropped EXE
PID:4340 -
\??\c:\vjppj.exec:\vjppj.exe49⤵
- Executes dropped EXE
PID:1464 -
\??\c:\rllxrlf.exec:\rllxrlf.exe50⤵
- Executes dropped EXE
PID:4684 -
\??\c:\bbhtbh.exec:\bbhtbh.exe51⤵
- Executes dropped EXE
PID:2368 -
\??\c:\ddjjd.exec:\ddjjd.exe52⤵
- Executes dropped EXE
PID:4108 -
\??\c:\pdjvv.exec:\pdjvv.exe53⤵
- Executes dropped EXE
PID:2380 -
\??\c:\bhhhhh.exec:\bhhhhh.exe54⤵
- Executes dropped EXE
PID:3420 -
\??\c:\nnbnnt.exec:\nnbnnt.exe55⤵
- Executes dropped EXE
PID:2376 -
\??\c:\9dvpp.exec:\9dvpp.exe56⤵
- Executes dropped EXE
PID:3888 -
\??\c:\xrxlflf.exec:\xrxlflf.exe57⤵
- Executes dropped EXE
PID:2044 -
\??\c:\tbnntb.exec:\tbnntb.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4692 -
\??\c:\vvjjd.exec:\vvjjd.exe59⤵
- Executes dropped EXE
PID:652 -
\??\c:\xfrlxxl.exec:\xfrlxxl.exe60⤵
- Executes dropped EXE
PID:2104 -
\??\c:\nntthn.exec:\nntthn.exe61⤵
- Executes dropped EXE
PID:2788 -
\??\c:\hbhhhn.exec:\hbhhhn.exe62⤵
- Executes dropped EXE
PID:2728 -
\??\c:\jppvj.exec:\jppvj.exe63⤵
- Executes dropped EXE
PID:736 -
\??\c:\9rxxxff.exec:\9rxxxff.exe64⤵
- Executes dropped EXE
PID:4452 -
\??\c:\nbhbtn.exec:\nbhbtn.exe65⤵
- Executes dropped EXE
PID:2688 -
\??\c:\jjppj.exec:\jjppj.exe66⤵PID:3120
-
\??\c:\lrlrxfl.exec:\lrlrxfl.exe67⤵PID:2832
-
\??\c:\xxrrrll.exec:\xxrrrll.exe68⤵
- System Location Discovery: System Language Discovery
PID:4356 -
\??\c:\thbtnn.exec:\thbtnn.exe69⤵PID:3924
-
\??\c:\jdppp.exec:\jdppp.exe70⤵PID:3672
-
\??\c:\rxxrlrl.exec:\rxxrlrl.exe71⤵PID:4372
-
\??\c:\btbnhn.exec:\btbnhn.exe72⤵PID:2496
-
\??\c:\jjppp.exec:\jjppp.exe73⤵PID:528
-
\??\c:\vjdpp.exec:\vjdpp.exe74⤵PID:3712
-
\??\c:\5flllll.exec:\5flllll.exe75⤵PID:3476
-
\??\c:\9tnnth.exec:\9tnnth.exe76⤵
- System Location Discovery: System Language Discovery
PID:3952 -
\??\c:\fflllxx.exec:\fflllxx.exe77⤵PID:2356
-
\??\c:\xxxrrrl.exec:\xxxrrrl.exe78⤵PID:1600
-
\??\c:\7hhbbb.exec:\7hhbbb.exe79⤵PID:1012
-
\??\c:\dvddd.exec:\dvddd.exe80⤵PID:4600
-
\??\c:\lrfxrrl.exec:\lrfxrrl.exe81⤵PID:3392
-
\??\c:\btbbbh.exec:\btbbbh.exe82⤵PID:4792
-
\??\c:\vvvvd.exec:\vvvvd.exe83⤵PID:4984
-
\??\c:\jdddv.exec:\jdddv.exe84⤵PID:4960
-
\??\c:\rffrrrr.exec:\rffrrrr.exe85⤵PID:2344
-
\??\c:\3hhhtb.exec:\3hhhtb.exe86⤵PID:5064
-
\??\c:\pdddd.exec:\pdddd.exe87⤵PID:4360
-
\??\c:\lflfxfx.exec:\lflfxfx.exe88⤵PID:4528
-
\??\c:\nthntb.exec:\nthntb.exe89⤵PID:4804
-
\??\c:\pvvvp.exec:\pvvvp.exe90⤵PID:3508
-
\??\c:\xxfxrxr.exec:\xxfxrxr.exe91⤵PID:980
-
\??\c:\nttttb.exec:\nttttb.exe92⤵PID:4844
-
\??\c:\ddvpp.exec:\ddvpp.exe93⤵PID:4556
-
\??\c:\xrffrrr.exec:\xrffrrr.exe94⤵PID:2932
-
\??\c:\9nttnn.exec:\9nttnn.exe95⤵PID:3004
-
\??\c:\vdddd.exec:\vdddd.exe96⤵PID:1640
-
\??\c:\jjdvv.exec:\jjdvv.exe97⤵PID:400
-
\??\c:\xxllrxx.exec:\xxllrxx.exe98⤵PID:3920
-
\??\c:\bhthth.exec:\bhthth.exe99⤵PID:920
-
\??\c:\7pjdd.exec:\7pjdd.exe100⤵PID:456
-
\??\c:\3xxffll.exec:\3xxffll.exe101⤵PID:3644
-
\??\c:\ntttnt.exec:\ntttnt.exe102⤵PID:1504
-
\??\c:\jpddp.exec:\jpddp.exe103⤵PID:512
-
\??\c:\frxlllr.exec:\frxlllr.exe104⤵PID:664
-
\??\c:\rfflllf.exec:\rfflllf.exe105⤵PID:116
-
\??\c:\hnhhhn.exec:\hnhhhn.exe106⤵PID:820
-
\??\c:\vvppp.exec:\vvppp.exe107⤵PID:4348
-
\??\c:\1vddj.exec:\1vddj.exe108⤵PID:2888
-
\??\c:\rxfffff.exec:\rxfffff.exe109⤵PID:2408
-
\??\c:\bhnnnb.exec:\bhnnnb.exe110⤵PID:2252
-
\??\c:\jdppp.exec:\jdppp.exe111⤵PID:1616
-
\??\c:\fxrfxlr.exec:\fxrfxlr.exe112⤵PID:3400
-
\??\c:\5tbbbb.exec:\5tbbbb.exe113⤵PID:4004
-
\??\c:\3jjpv.exec:\3jjpv.exe114⤵PID:1820
-
\??\c:\jvdjp.exec:\jvdjp.exe115⤵PID:4736
-
\??\c:\bbnnnn.exec:\bbnnnn.exe116⤵PID:1524
-
\??\c:\1bhhhn.exec:\1bhhhn.exe117⤵PID:4448
-
\??\c:\ddpjj.exec:\ddpjj.exe118⤵PID:928
-
\??\c:\xffffff.exec:\xffffff.exe119⤵PID:3768
-
\??\c:\1bnnhn.exec:\1bnnhn.exe120⤵PID:4488
-
\??\c:\pdddp.exec:\pdddp.exe121⤵PID:3148
-
\??\c:\5pdjd.exec:\5pdjd.exe122⤵PID:3556