Analysis
max time kernel: 150s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2024, 18:40
Static task: static1
Behavioral task: behavioral1
Sample: 0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe
Resource: win7-20240903-en
General
Target: 0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe
Size: 332KB
MD5: 5b375ffd7e329f847006aa293a451a71
SHA1: f953cda54742f7f4cb2305c9461b4ca78e5d64d3
SHA256: 0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d
SHA512: 6ca80e64991106a40744e2329f22c8e3e2afa0efbdf0657966f36c4c8da1cbaa8cb37af9405b351a656c1cc36ef67ef6b1a2a7276c3fe2ed1646ada8d8405f8c
SSDEEP: 6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPh7:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTL
Malware Config
Signatures
-
Detect Blackmoon payload  63 IoCs
resource: behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000042A000-memory.dmp
yara_rule: family_blackmoon
Every match is on a dump of the same region, 0x400000-0x42A000 (0x2A000 bytes, starting at the default 32-bit image base), in a different process. The 63 <pid>-<n> dump identifiers are:
1644-5, 2952-11, 3056-17, 2428-23, 448-29, 232-34, 5004-46, 4836-52, 1468-63, 1824-69, 4956-74, 4912-86, 3636-92, 948-103, 3112-111, 3964-109, 776-118, 3988-131, 4972-143, 1664-153, 4892-159,
4592-165, 4300-174, 1160-199, 3692-215, 1112-222, 232-229, 1484-233, 2092-237, 1448-254, 3376-261, 1260-265, 4752-279, 2224-283, 3660-287, 3952-289, 4944-308, 2488-315, 1116-319, 820-326, 656-339, 1008-346,
2736-350, 848-369, 2832-388, 3272-395, 5004-399, 2324-403, 3224-428, 3744-438, 2172-463, 2132-533, 2336-579, 752-592, 3336-608, 2308-615, 2516-628, 5048-771, 3984-787, 5060-822, 2804-907, 372-935, 1580-1177
Executes dropped EXE  64 IoCs
pid   Process
2952  pvvvp.exe
3056  frllflf.exe
2428  djvpj.exe
448   nbbtnt.exe
232   dddvp.exe
2028  fxxrllf.exe
5004  3tbbtb.exe
4836  lrrrrfx.exe
3552  httntt.exe
1468  pvpjd.exe
1824  7rfxrrr.exe
4956  5bbnnn.exe
4572  xflrlrl.exe
4912  btttnn.exe
3636  rrrlllf.exe
4244  nnnnhb.exe
948   djppd.exe
3112  rllxxrl.exe
3964  bnntht.exe
776   vpvpd.exe
2516  jdvjd.exe
3988  tththt.exe
4708  nbbnbn.exe
4972  3jpdv.exe
2596  xrffrlx.exe
1664  3hhbhb.exe
4892  ddvjd.exe
4592  btnnbt.exe
404   jvvpj.exe
4300  7lfrlfr.exe
1880  xfrfxfr.exe
3864  htbnnh.exe
3004  djpjv.exe
1504  xxrlxrf.exe
4532  lxrxrlf.exe
1160  hbthtt.exe
4284  ddjdv.exe
4360  frllfrx.exe
1644  xlrflxf.exe
1896  hbthbt.exe
3692  dvjdv.exe
3680  pjjpj.exe
1112  xfrlllr.exe
4900  hnnbtn.exe
232   bttnhh.exe
1484  3ppjp.exe
2092  rffrlfx.exe
2260  tnnbnh.exe
1660  9jddv.exe
2200  dvdpp.exe
4748  1flllll.exe
1448  hbhhht.exe
1036  3htnbb.exe
3376  jdvvj.exe
1260  rrrfxll.exe
752   xxfrfxl.exe
4572  nhnbnn.exe
4580  thhhtn.exe
4752  dvpdp.exe
2224  lffxllf.exe
3660  frxrlff.exe
3952  nttnhb.exe
64    nttnhb.exe
4156  dpdvj.exe
Note that pids 232 and 4572 each appear twice in this list and 1644 is also the pid of the sample itself: Windows recycles pids within the 150 s run, so any join of the memory-dump hits above onto this list by pid alone is ambiguous for those entries.
yara_rule upx  64 IoCs
resource: behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000042A000-memory.dmp
yara_rule: upx
Same region as the Blackmoon matches, in 64 process dumps. The <pid>-<n> dump identifiers are:
1644-5, 2952-11, 3056-17, 2428-23, 448-29, 232-34, 5004-46, 4836-52, 1468-63, 1824-69, 4956-74, 4912-86, 3636-92, 948-103, 3112-111, 3964-109, 776-118, 3988-131, 4972-143, 1664-153, 4892-159, 4592-165, 404-167, 4300-174,
1160-199, 3692-215, 1112-222, 232-229, 1484-233, 2092-237, 1660-241, 1448-254, 3376-261, 1260-265, 752-266, 4752-279, 2224-283, 3660-287, 3952-289, 4944-308, 2488-315, 1116-319, 820-326, 656-339, 1008-346, 2736-350, 848-369, 2832-388,
3272-395, 5004-399, 2324-403, 3224-428, 3744-438, 2172-463, 2132-533, 2336-579, 752-592, 3336-608, 2308-615, 2516-628, 4152-755, 5048-771, 3984-787, 2812-803
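The two yara signatures and the "Executes dropped EXE" list above are only useful together once the dump identifiers are tied back to process names. The following is an added example, not code from Triage or from this report: it parses the IoC strings in the form the report prints them, groups hits by matched region and rule, and joins each hit onto the dropped-EXE list while surfacing pid reuse instead of silently picking one name. The input lines are a constructed subset copied from this report; `sample_pid=1644` is the root pid from the process tree.

```python
"""Correlate Triage yara memory-dump hits with the 'Executes dropped EXE' list.

Added example; not Triage's own code.  Parses the IoC strings as printed in a
report, groups them by matched region, and attributes each hit to a process
name, flagging pids that this run recycled.
"""
import re
from collections import defaultdict

# Constructed input: a handful of IoC lines copied from this report.
YARA_HITS = """
behavioral2/memory/1644-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/2952-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/232-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/232-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral2/memory/1644-5-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral2/memory/5004-46-0x0000000000400000-0x000000000042A000-memory.dmp upx
"""

# Constructed input: entries from the 'Executes dropped EXE' list, including
# the recycled pid 232 and pid 1644, which is also the sample's own pid.
DROPPED_EXE = """
2952 pvvvp.exe
232 dddvp.exe
5004 3tbbtb.exe
232 bttnhh.exe
1644 xlrflxf.exe
"""

HIT_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_hits(text):
    """Parse '<task>/memory/<pid>-<seq>-<start>-<end>-memory.dmp <rule>' lines."""
    hits = []
    for line in text.strip().splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised hit line: {line!r}")
        d = m.groupdict()
        hits.append({
            "task": d["task"],
            "pid": int(d["pid"]),
            "seq": int(d["seq"]),          # dump sequence number within the run
            "start": int(d["start"], 16),
            "end": int(d["end"], 16),
            "rule": d["rule"],
        })
    return hits


def parse_dropped(text):
    """Map pid -> [process names], keeping every name so pid reuse stays visible."""
    by_pid = defaultdict(list)
    for line in text.strip().splitlines():
        pid, name = line.split(None, 1)
        by_pid[int(pid)].append(name.strip())
    return by_pid


def attribute(hits, dropped, sample_pid):
    """Attach candidate process names to each hit.

    The report carries no per-hit timestamp, so a hit on a recycled pid cannot
    be tied to one process: list every candidate and flag the ambiguity."""
    out = []
    for h in hits:
        names = list(dropped.get(h["pid"], []))
        if h["pid"] == sample_pid:
            names.insert(0, "<sample>")
        out.append({**h, "candidates": names, "ambiguous": len(names) > 1})
    return out


def regions(hits):
    """Group pids by (start, end, rule).  One identical region in every stage
    is the shape of the same payload being unpacked in place in each process."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[(h["start"], h["end"], h["rule"])].add(h["pid"])
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    hits = parse_hits(YARA_HITS)
    for h in attribute(hits, parse_dropped(DROPPED_EXE), sample_pid=1644):
        flag = "AMBIGUOUS " if h["ambiguous"] else ""
        print(f"{flag}pid {h['pid']:>5} seq {h['seq']:>4} {h['rule']:<16} {h['candidates']}")
    for (start, end, rule), pids in regions(hits).items():
        print(f"{rule}: {start:#x}-{end:#x} ({end - start:#x} bytes) in pids {pids}")
```

On the full report the `regions` grouping collapses all 63 Blackmoon and 64 UPX hits onto the single key `(0x400000, 0x42A000, rule)`, which is the quickest way to see that every stage is the same 0x2A000-byte image and not a chain of distinct payloads.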
System Location Discovery: System Language Discovery  1 TTPs  64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 1tbtnb.exe, xllxrfr.exe, jvdjp.exe, lrxrllf.exe, dppjv.exe, btnbtb.exe, rllffxr.exe; every other hit is attributed to "Process not Found" (the process had already exited when the event was attributed).
Caveat: opening this key is also part of ordinary runtime locale initialisation, and most hits here could not be attributed to a live process, so on its own this is a low-confidence indicator. It carries weight here only in combination with the payload and packer matches above.
Suspicious use of WriteProcessMemory  64 IoCs
description: wrote to memory of
pid   Process                                                                 target pid  procid_target  writes
1644  0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe  2952        86             3
2952  pvvvp.exe                                                               3056        87             3
3056  frllflf.exe                                                             2428        88             3
2428  djvpj.exe                                                               448         89             3
448   nbbtnt.exe                                                              232         90             3
232   dddvp.exe                                                               2028        91             3
2028  fxxrllf.exe                                                             5004        92             3
5004  3tbbtb.exe                                                              4836        93             3
4836  lrrrrfx.exe                                                             3552        94             3
3552  httntt.exe                                                              1468        95             3
1468  pvpjd.exe                                                               1824        96             3
1824  7rfxrrr.exe                                                             4956        98             3
4956  5bbnnn.exe                                                              4572        99             3
4572  xflrlrl.exe                                                             4912        100            3
4912  btttnn.exe                                                              3636        101            3
3636  rrrlllf.exe                                                             4244        102            3
4244  nnnnhb.exe                                                              948         103            3
948   djppd.exe                                                               3112        104            3
3112  rllxxrl.exe                                                             3964        105            3
3964  bnntht.exe                                                              776         106            3
776   vpvpd.exe                                                               2516        107            3
2516  jdvjd.exe                                                               3988        108            1 (listing cut at 64 IoCs)
Each parent writes to its freshly created child exactly three times; that is the footprint of CreateProcess itself (the parent populating the new process before it starts) rather than evidence of injection. What makes the signature useful here is the tree it reveals: a strictly linear chain in which every dropped executable spawns the next, and each target pid reappears as the parent of the following edge.
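The edges above are printed three times each and the listing is cut at 64 entries, so reading the chain straight off the report is error-prone. The following is an added example, not code from Triage or from this report: it parses "PID <parent> wrote to memory of <child> <parent> <image> <procid_target>" lines, de-duplicates them with a write count per edge, and walks the edges in procid_target order to rebuild the chain, reporting any point where the next parent is not the previous child. Walking by sequence rather than by pid matters because pids are recycled within the run (232, 1644, 4572 and 5004 all appear twice in this report). The input is a constructed subset of the report's lines, with the triplicate kept only for the first edge to show the de-duplication.

```python
"""Rebuild the parent->child chain from Triage 'Suspicious use of WriteProcessMemory' IoCs.

Added example; not Triage's own code.  On Windows 10 a plain CreateProcess
shows up as three writes by the parent into the new child, so the raw write
count is not evidence of injection; the shape of the resulting tree is what
this script recovers.
"""
import re
from collections import Counter

# Constructed input: the first edges of this report.  Triage prints every edge
# three times; only the first edge keeps its triplicate here.
WPM_LOG = """
PID 1644 wrote to memory of 2952 1644 0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe 86
PID 1644 wrote to memory of 2952 1644 0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe 86
PID 1644 wrote to memory of 2952 1644 0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe 86
PID 2952 wrote to memory of 3056 2952 pvvvp.exe 87
PID 3056 wrote to memory of 2428 3056 frllflf.exe 88
PID 2428 wrote to memory of 448 2428 djvpj.exe 89
PID 448 wrote to memory of 232 448 nbbtnt.exe 90
PID 232 wrote to memory of 2028 232 dddvp.exe 91
PID 2028 wrote to memory of 5004 2028 fxxrllf.exe 92
"""

# The parent pid is printed twice per line; the backreference enforces that.
EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_edges(text):
    """Return [((parent_pid, child_pid, parent_image, procid_target), writes), ...]
    in first-seen order, with the repeated lines folded into the write count."""
    counts = Counter()
    order = []
    for m in EDGE_RE.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4)))
        if edge not in counts:
            order.append(edge)
        counts[edge] += 1
    return [(e, counts[e]) for e in order]


def reconstruct_chain(edges, root_pid):
    """Walk the edges by procid_target and return (chain, breaks).

    chain  : [(pid, image_name_or_None), ...] from the root downwards; a process
             gets its name from the edge in which it acts as the parent, so the
             last process in a truncated listing stays unnamed.
    breaks : [(expected_parent_pid, actual_parent_pid), ...] wherever the tree
             is not a single straight line.
    """
    chain = [[root_pid, None]]
    breaks = []
    expected = root_pid
    for (ppid, cpid, pname, _target), _writes in sorted(edges, key=lambda e: e[0][3]):
        if ppid != expected:
            breaks.append((expected, ppid))
            chain.append([ppid, None])
        chain[-1][1] = pname
        chain.append([cpid, None])
        expected = cpid
    return [tuple(x) for x in chain], breaks


def writes_per_child(edges):
    """child pid -> number of WriteProcessMemory events its parent generated."""
    return {e[1]: n for e, n in edges}


if __name__ == "__main__":
    edges = parse_edges(WPM_LOG)
    chain, breaks = reconstruct_chain(edges, root_pid=1644)
    for depth, (pid, name) in enumerate(chain, start=1):
        print(f"{depth:>3}  pid {pid:<5}  {name or '<no edge from this pid in listing>'}")
    print("depth:", len(chain) - 1, "breaks:", breaks)
    print("writes per child:", writes_per_child(edges))
```

On the full 64-IoC listing the same walk yields a 22-edge straight line with no breaks, and every child shows exactly three writes except the last, whose remaining two lines fall past the cut-off.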
Processes
The tree is a single straight chain: each process is the only child of the one above it, and the listing ends at depth 122. For every dropped stage the command line is the image path without the \??\ prefix (e.g. c:\pvvvp.exe for \??\c:\pvvvp.exe); only the root is shown with its full command line.

depth  image  PID  [signatures]
1    C:\Users\Admin\AppData\Local\Temp\0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\0cbf5beff86b0f9c8a5cf98e0c991fb754052798e791d087a49d490d2dcc806d.exe"  PID 1644  [Suspicious use of WriteProcessMemory]
2    \??\c:\pvvvp.exe  PID 2952  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3    \??\c:\frllflf.exe  PID 3056  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4    \??\c:\djvpj.exe  PID 2428  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5    \??\c:\nbbtnt.exe  PID 448  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6    \??\c:\dddvp.exe  PID 232  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7    \??\c:\fxxrllf.exe  PID 2028  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8    \??\c:\3tbbtb.exe  PID 5004  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9    \??\c:\lrrrrfx.exe  PID 4836  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10   \??\c:\httntt.exe  PID 3552  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11   \??\c:\pvpjd.exe  PID 1468  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12   \??\c:\7rfxrrr.exe  PID 1824  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13   \??\c:\5bbnnn.exe  PID 4956  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14   \??\c:\xflrlrl.exe  PID 4572  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15   \??\c:\btttnn.exe  PID 4912  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16   \??\c:\rrrlllf.exe  PID 3636  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17   \??\c:\nnnnhb.exe  PID 4244  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
18   \??\c:\djppd.exe  PID 948  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
19   \??\c:\rllxxrl.exe  PID 3112  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
20   \??\c:\bnntht.exe  PID 3964  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
21   \??\c:\vpvpd.exe  PID 776  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
22   \??\c:\jdvjd.exe  PID 2516  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
23   \??\c:\tththt.exe  PID 3988  [Executes dropped EXE]
24   \??\c:\nbbnbn.exe  PID 4708  [Executes dropped EXE]
25   \??\c:\3jpdv.exe  PID 4972  [Executes dropped EXE]
26   \??\c:\xrffrlx.exe  PID 2596  [Executes dropped EXE]
27   \??\c:\3hhbhb.exe  PID 1664  [Executes dropped EXE]
28   \??\c:\ddvjd.exe  PID 4892  [Executes dropped EXE]
29   \??\c:\btnnbt.exe  PID 4592  [Executes dropped EXE]
30   \??\c:\jvvpj.exe  PID 404  [Executes dropped EXE]
31   \??\c:\7lfrlfr.exe  PID 4300  [Executes dropped EXE]
32   \??\c:\xfrfxfr.exe  PID 1880  [Executes dropped EXE]
33   \??\c:\htbnnh.exe  PID 3864  [Executes dropped EXE]
34   \??\c:\djpjv.exe  PID 3004  [Executes dropped EXE]
35   \??\c:\xxrlxrf.exe  PID 1504  [Executes dropped EXE]
36   \??\c:\lxrxrlf.exe  PID 4532  [Executes dropped EXE]
37   \??\c:\hbthtt.exe  PID 1160  [Executes dropped EXE]
38   \??\c:\ddjdv.exe  PID 4284  [Executes dropped EXE]
39   \??\c:\frllfrx.exe  PID 4360  [Executes dropped EXE]
40   \??\c:\xlrflxf.exe  PID 1644  [Executes dropped EXE]
41   \??\c:\hbthbt.exe  PID 1896  [Executes dropped EXE]
42   \??\c:\dvjdv.exe  PID 3692  [Executes dropped EXE]
43   \??\c:\pjjpj.exe  PID 3680  [Executes dropped EXE]
44   \??\c:\xfrlllr.exe  PID 1112  [Executes dropped EXE]
45   \??\c:\hnnbtn.exe  PID 4900  [Executes dropped EXE]
46   \??\c:\bttnhh.exe  PID 232  [Executes dropped EXE]
47   \??\c:\3ppjp.exe  PID 1484  [Executes dropped EXE]
48   \??\c:\rffrlfx.exe  PID 2092  [Executes dropped EXE]
49   \??\c:\tnnbnh.exe  PID 2260  [Executes dropped EXE]
50   \??\c:\9jddv.exe  PID 1660  [Executes dropped EXE]
51   \??\c:\dvdpp.exe  PID 2200  [Executes dropped EXE]
52   \??\c:\1flllll.exe  PID 4748  [Executes dropped EXE]
53   \??\c:\hbhhht.exe  PID 1448  [Executes dropped EXE]
54   \??\c:\3htnbb.exe  PID 1036  [Executes dropped EXE]
55   \??\c:\jdvvj.exe  PID 3376  [Executes dropped EXE]
56   \??\c:\rrrfxll.exe  PID 1260  [Executes dropped EXE]
57   \??\c:\xxfrfxl.exe  PID 752  [Executes dropped EXE]
58   \??\c:\nhnbnn.exe  PID 4572  [Executes dropped EXE]
59   \??\c:\thhhtn.exe  PID 4580  [Executes dropped EXE]
60   \??\c:\dvpdp.exe  PID 4752  [Executes dropped EXE]
61   \??\c:\lffxllf.exe  PID 2224  [Executes dropped EXE]
62   \??\c:\frxrlff.exe  PID 3660  [Executes dropped EXE]
63   \??\c:\nttnhb.exe  PID 3952  [Executes dropped EXE]
64   \??\c:\nttnhb.exe  PID 64  [Executes dropped EXE]
65   \??\c:\dpdvj.exe  PID 4156  [Executes dropped EXE]
66   \??\c:\lxxrfxr.exe  PID 452
67   \??\c:\xflfllx.exe  PID 3312
68   \??\c:\bttnbb.exe  PID 3432
69   \??\c:\nbhtbn.exe  PID 4944
70   \??\c:\dvpjj.exe  PID 456
71   \??\c:\7flfxxr.exe  PID 2488
72   \??\c:\lxlxxrx.exe  PID 1116
73   \??\c:\tnnhbt.exe  PID 2596
74   \??\c:\dppdj.exe  PID 820
75   \??\c:\dvvjd.exe  PID 1460
76   \??\c:\xrlflfx.exe  PID 4160
77   \??\c:\5llxlfr.exe  PID 2536
78   \??\c:\9hnbhb.exe  PID 656
79   \??\c:\dpjvj.exe  PID 4204
80   \??\c:\dddvv.exe  PID 1008
81   \??\c:\rrfrllf.exe  PID 2736
82   \??\c:\ntthtt.exe  PID 3004
83   \??\c:\pjjdd.exe  PID 1504
84   \??\c:\rffrxff.exe  PID 4532
85   \??\c:\dvjdp.exe  PID 1160
86   \??\c:\fllxlfx.exe  PID 4284
87   \??\c:\nhbthb.exe  PID 848
88   \??\c:\5pddd.exe  PID 1988
89   \??\c:\fffflff.exe  PID 2072
90   \??\c:\bnthbb.exe  PID 2140
91   \??\c:\3pjdp.exe  PID 1112
92   \??\c:\vpvdp.exe  PID 4900
93   \??\c:\frxlrxr.exe  PID 2832
94   \??\c:\frlfxrl.exe  PID 1020
95   \??\c:\tttnbt.exe  PID 3272
96   \??\c:\jjppj.exe  PID 5004
97   \??\c:\pjdpj.exe  PID 2324
98   \??\c:\tnbtbt.exe  PID 4184
99   \??\c:\vjjjv.exe  PID 2816
100  \??\c:\pjdpd.exe  PID 1148
101  \??\c:\xxlxfxr.exe  PID 4640
102  \??\c:\1nhbth.exe  PID 1764
103  \??\c:\bhbhtt.exe  PID 4600
104  \??\c:\pdjvd.exe  PID 2228
105  \??\c:\xfxrfxr.exe  PID 3224
106  \??\c:\xlrfrlx.exe  PID 4572
107  \??\c:\thhtnt.exe  PID 2312
108  \??\c:\htnhtn.exe  PID 3744
109  \??\c:\vvjvp.exe  PID 928
110  \??\c:\7ddpd.exe  PID 1984
111  \??\c:\xlfxllx.exe  PID 3952
112  \??\c:\3bhbnh.exe  PID 3276
113  \??\c:\ttnhth.exe  PID 2136
114  \??\c:\pdpdd.exe  PID 1768
115  \??\c:\ddpvj.exe  PID 452
116  \??\c:\frrfrlx.exe  PID 2172
117  \??\c:\xrxrxxf.exe  PID 2280
118  \??\c:\tbhhnn.exe  PID 4944
119  \??\c:\pppdp.exe  PID 4528
120  \??\c:\vpvpp.exe  PID 3468
121  \??\c:\lllrrrl.exe  PID 4940
122  \??\c:\btthth.exe  PID 4060