Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18/12/2024, 22:59
Static task
static1
Behavioral task
behavioral1
Sample
e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe
Resource
win7-20241010-en
General
-
Target
e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe
-
Size
347KB
-
MD5
d39d1a14153143d31d0dbd9acad218e4
-
SHA1
7a4b7e3ca8a43a40ced6601fb98aecd6d742f2af
-
SHA256
e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3
-
SHA512
2127321eef7ce5afcf18231c2a5eb35a87cbe1d70ee839a6af41206d4faa4c13418fa6d0517bef71e923722d748a30dbb6bae2b1d6a88534e2a5bd279c28d7bc
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAu:l7TcbWXZshJX2VGdu
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3148-5-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4088-11-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4300-20-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4192-18-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3636-29-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4252-35-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2324-42-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2804-50-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4856-59-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1748-66-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1608-77-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2720-88-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1624-93-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3564-99-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4612-110-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2260-116-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5012-122-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4340-128-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1244-140-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4116-159-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4680-157-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/5088-168-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1520-179-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5036-190-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5052-193-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1636-209-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4452-219-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4416-223-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1612-236-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2756-240-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3636-243-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4688-252-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3772-255-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2596-273-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3116-284-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3136-291-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3564-301-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4448-323-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4148-330-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1204-337-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3544-344-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1000-363-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3396-376-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4184-380-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1104-399-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3744-403-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/540-408-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3724-424-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1632-434-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3168-450-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/720-500-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3424-516-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2188-526-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4912-588-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1632-643-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2804-656-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3676-715-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3672-743-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3680-765-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4676-919-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4068-995-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3124-1041-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3532-1751-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4088 3fxrlrl.exe 4192 pjpjj.exe 4300 rllfxfx.exe 3636 bnbbnn.exe 4252 hhhbnt.exe 2324 dpjvj.exe 2804 9nnthb.exe 1456 dvjdd.exe 4856 rxxllll.exe 1748 5jdpv.exe 528 9ntnhh.exe 1608 vpddj.exe 556 ffrlllr.exe 2720 dddjv.exe 1624 rlrlffx.exe 3564 7nthbt.exe 3676 jvdvj.exe 4612 xfrlfxx.exe 2260 hthbtn.exe 5012 7ffxrrf.exe 4340 hbnnnh.exe 4712 dpvpj.exe 1244 lfflffr.exe 700 vjvpp.exe 4756 1lxrfrl.exe 4680 3hnnhn.exe 4116 7ddvj.exe 1000 jddvj.exe 5088 lfxrlxr.exe 3084 bntttn.exe 1520 vvvpj.exe 4516 vpvdv.exe 5036 nbnbnn.exe 5052 vdjpj.exe 1864 1rxrlll.exe 2308 tbbnhh.exe 4084 jvjvp.exe 1636 jdjvp.exe 2724 rrlrlll.exe 1480 tntnnb.exe 4452 3jdpj.exe 4416 rrrrrrl.exe 3148 1nhthb.exe 916 1jvpv.exe 3480 frrlfff.exe 1612 1flfxrl.exe 2756 thnhhb.exe 3636 dvvvv.exe 4252 5jjdp.exe 3500 lffxrlx.exe 4688 nbbthb.exe 3772 pvvpd.exe 5096 frxrlxx.exe 4352 rlfxfxr.exe 4500 hthbnb.exe 3408 3ddpj.exe 3364 7dpjv.exe 2596 xrfxlfx.exe 3932 1hhtnh.exe 1360 nbhbnn.exe 3116 ppdvp.exe 556 vpjjj.exe 3136 rlrlffl.exe 856 nhhtnh.exe -
resource yara_rule behavioral2/memory/3148-5-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4088-11-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4300-20-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4192-18-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3636-29-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4252-35-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2324-42-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1456-48-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2804-50-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4856-59-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1748-66-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1608-77-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2720-88-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1624-93-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3564-99-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4612-110-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2260-116-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5012-122-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4340-128-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4712-130-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1244-140-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4116-159-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4680-157-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5088-168-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/1520-179-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5036-190-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5052-193-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1636-209-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4452-219-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4416-223-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1612-236-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2756-240-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3636-243-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4688-252-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3772-255-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2596-273-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4252-274-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3116-284-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3136-291-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3564-301-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4448-323-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4148-330-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1204-337-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3544-344-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1000-363-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3396-376-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4184-380-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1104-399-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/3744-403-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/540-408-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3724-424-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1632-434-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3168-450-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4528-469-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/720-500-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3424-516-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2188-526-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1344-560-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4912-588-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1632-643-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2804-656-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3676-715-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3672-743-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3680-765-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flffrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3148 wrote to memory of 4088 3148 e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe 83 PID 3148 wrote to memory of 4088 3148 e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe 83 PID 3148 wrote to memory of 4088 3148 e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe 83 PID 4088 wrote to memory of 4192 4088 3fxrlrl.exe 84 PID 4088 wrote to memory of 4192 4088 3fxrlrl.exe 84 PID 4088 wrote to memory of 4192 4088 3fxrlrl.exe 84 PID 4192 wrote to memory of 4300 4192 pjpjj.exe 85 PID 4192 wrote to memory of 4300 4192 pjpjj.exe 85 PID 4192 wrote to memory of 4300 4192 pjpjj.exe 85 PID 4300 wrote to memory of 3636 4300 rllfxfx.exe 86 PID 4300 wrote to memory of 3636 4300 rllfxfx.exe 86 PID 4300 wrote to memory of 3636 4300 rllfxfx.exe 86 PID 3636 wrote to memory of 4252 3636 bnbbnn.exe 87 PID 3636 wrote to memory of 4252 3636 bnbbnn.exe 87 PID 3636 wrote to memory of 4252 3636 bnbbnn.exe 87 PID 4252 wrote to memory of 2324 4252 hhhbnt.exe 88 PID 4252 wrote to memory of 2324 4252 hhhbnt.exe 88 PID 4252 wrote to memory of 2324 4252 hhhbnt.exe 88 PID 2324 wrote to memory of 2804 2324 dpjvj.exe 89 PID 2324 wrote to memory of 2804 2324 dpjvj.exe 89 PID 2324 wrote to memory of 2804 2324 dpjvj.exe 89 PID 2804 wrote to memory of 1456 2804 9nnthb.exe 90 PID 2804 wrote to memory of 1456 2804 9nnthb.exe 90 PID 2804 wrote to memory of 1456 2804 9nnthb.exe 90 PID 1456 wrote to memory of 4856 1456 dvjdd.exe 91 PID 1456 wrote to memory of 4856 1456 dvjdd.exe 91 PID 1456 wrote to memory of 4856 1456 dvjdd.exe 91 PID 4856 wrote to memory of 1748 4856 rxxllll.exe 92 PID 4856 wrote to memory of 1748 4856 rxxllll.exe 92 PID 4856 wrote to memory of 1748 4856 rxxllll.exe 92 PID 1748 wrote to memory of 528 1748 5jdpv.exe 93 PID 1748 wrote to memory of 528 1748 5jdpv.exe 93 PID 1748 wrote to memory of 528 1748 5jdpv.exe 93 PID 528 wrote to memory of 1608 528 9ntnhh.exe 94 PID 528 wrote to memory of 
1608 528 9ntnhh.exe 94 PID 528 wrote to memory of 1608 528 9ntnhh.exe 94 PID 1608 wrote to memory of 556 1608 vpddj.exe 95 PID 1608 wrote to memory of 556 1608 vpddj.exe 95 PID 1608 wrote to memory of 556 1608 vpddj.exe 95 PID 556 wrote to memory of 2720 556 ffrlllr.exe 96 PID 556 wrote to memory of 2720 556 ffrlllr.exe 96 PID 556 wrote to memory of 2720 556 ffrlllr.exe 96 PID 2720 wrote to memory of 1624 2720 dddjv.exe 97 PID 2720 wrote to memory of 1624 2720 dddjv.exe 97 PID 2720 wrote to memory of 1624 2720 dddjv.exe 97 PID 1624 wrote to memory of 3564 1624 rlrlffx.exe 98 PID 1624 wrote to memory of 3564 1624 rlrlffx.exe 98 PID 1624 wrote to memory of 3564 1624 rlrlffx.exe 98 PID 3564 wrote to memory of 3676 3564 7nthbt.exe 99 PID 3564 wrote to memory of 3676 3564 7nthbt.exe 99 PID 3564 wrote to memory of 3676 3564 7nthbt.exe 99 PID 3676 wrote to memory of 4612 3676 jvdvj.exe 100 PID 3676 wrote to memory of 4612 3676 jvdvj.exe 100 PID 3676 wrote to memory of 4612 3676 jvdvj.exe 100 PID 4612 wrote to memory of 2260 4612 xfrlfxx.exe 101 PID 4612 wrote to memory of 2260 4612 xfrlfxx.exe 101 PID 4612 wrote to memory of 2260 4612 xfrlfxx.exe 101 PID 2260 wrote to memory of 5012 2260 hthbtn.exe 102 PID 2260 wrote to memory of 5012 2260 hthbtn.exe 102 PID 2260 wrote to memory of 5012 2260 hthbtn.exe 102 PID 5012 wrote to memory of 4340 5012 7ffxrrf.exe 103 PID 5012 wrote to memory of 4340 5012 7ffxrrf.exe 103 PID 5012 wrote to memory of 4340 5012 7ffxrrf.exe 103 PID 4340 wrote to memory of 4712 4340 hbnnnh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe"C:\Users\Admin\AppData\Local\Temp\e6c93f896606d3bfe559599550668ac7cff5390e3bc323409873a599750198a3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\3fxrlrl.exec:\3fxrlrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\pjpjj.exec:\pjpjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\rllfxfx.exec:\rllfxfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\bnbbnn.exec:\bnbbnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\hhhbnt.exec:\hhhbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\dpjvj.exec:\dpjvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\9nnthb.exec:\9nnthb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\dvjdd.exec:\dvjdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\rxxllll.exec:\rxxllll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\5jdpv.exec:\5jdpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\9ntnhh.exec:\9ntnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\vpddj.exec:\vpddj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\ffrlllr.exec:\ffrlllr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\dddjv.exec:\dddjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\rlrlffx.exec:\rlrlffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\7nthbt.exec:\7nthbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\jvdvj.exec:\jvdvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\xfrlfxx.exec:\xfrlfxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\hthbtn.exec:\hthbtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\7ffxrrf.exec:\7ffxrrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\hbnnnh.exec:\hbnnnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\dpvpj.exec:\dpvpj.exe23⤵
- Executes dropped EXE
PID:4712 -
\??\c:\lfflffr.exec:\lfflffr.exe24⤵
- Executes dropped EXE
PID:1244 -
\??\c:\vjvpp.exec:\vjvpp.exe25⤵
- Executes dropped EXE
PID:700 -
\??\c:\1lxrfrl.exec:\1lxrfrl.exe26⤵
- Executes dropped EXE
PID:4756 -
\??\c:\3hnnhn.exec:\3hnnhn.exe27⤵
- Executes dropped EXE
PID:4680 -
\??\c:\7ddvj.exec:\7ddvj.exe28⤵
- Executes dropped EXE
PID:4116 -
\??\c:\jddvj.exec:\jddvj.exe29⤵
- Executes dropped EXE
PID:1000 -
\??\c:\lfxrlxr.exec:\lfxrlxr.exe30⤵
- Executes dropped EXE
PID:5088 -
\??\c:\bntttn.exec:\bntttn.exe31⤵
- Executes dropped EXE
PID:3084 -
\??\c:\vvvpj.exec:\vvvpj.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1520 -
\??\c:\vpvdv.exec:\vpvdv.exe33⤵
- Executes dropped EXE
PID:4516 -
\??\c:\nbnbnn.exec:\nbnbnn.exe34⤵
- Executes dropped EXE
PID:5036 -
\??\c:\vdjpj.exec:\vdjpj.exe35⤵
- Executes dropped EXE
PID:5052 -
\??\c:\1rxrlll.exec:\1rxrlll.exe36⤵
- Executes dropped EXE
PID:1864 -
\??\c:\tbbnhh.exec:\tbbnhh.exe37⤵
- Executes dropped EXE
PID:2308 -
\??\c:\jvjvp.exec:\jvjvp.exe38⤵
- Executes dropped EXE
PID:4084 -
\??\c:\jdjvp.exec:\jdjvp.exe39⤵
- Executes dropped EXE
PID:1636 -
\??\c:\rrlrlll.exec:\rrlrlll.exe40⤵
- Executes dropped EXE
PID:2724 -
\??\c:\tntnnb.exec:\tntnnb.exe41⤵
- Executes dropped EXE
PID:1480 -
\??\c:\3jdpj.exec:\3jdpj.exe42⤵
- Executes dropped EXE
PID:4452 -
\??\c:\rrrrrrl.exec:\rrrrrrl.exe43⤵
- Executes dropped EXE
PID:4416 -
\??\c:\1nhthb.exec:\1nhthb.exe44⤵
- Executes dropped EXE
PID:3148 -
\??\c:\1jvpv.exec:\1jvpv.exe45⤵
- Executes dropped EXE
PID:916 -
\??\c:\frrlfff.exec:\frrlfff.exe46⤵
- Executes dropped EXE
PID:3480 -
\??\c:\1flfxrl.exec:\1flfxrl.exe47⤵
- Executes dropped EXE
PID:1612 -
\??\c:\thnhhb.exec:\thnhhb.exe48⤵
- Executes dropped EXE
PID:2756 -
\??\c:\dvvvv.exec:\dvvvv.exe49⤵
- Executes dropped EXE
PID:3636 -
\??\c:\5jjdp.exec:\5jjdp.exe50⤵
- Executes dropped EXE
PID:4252 -
\??\c:\lffxrlx.exec:\lffxrlx.exe51⤵
- Executes dropped EXE
PID:3500 -
\??\c:\nbbthb.exec:\nbbthb.exe52⤵
- Executes dropped EXE
PID:4688 -
\??\c:\pvvpd.exec:\pvvpd.exe53⤵
- Executes dropped EXE
PID:3772 -
\??\c:\frxrlxx.exec:\frxrlxx.exe54⤵
- Executes dropped EXE
PID:5096 -
\??\c:\rlfxfxr.exec:\rlfxfxr.exe55⤵
- Executes dropped EXE
PID:4352 -
\??\c:\hthbnb.exec:\hthbnb.exe56⤵
- Executes dropped EXE
PID:4500 -
\??\c:\3ddpj.exec:\3ddpj.exe57⤵
- Executes dropped EXE
PID:3408 -
\??\c:\7dpjv.exec:\7dpjv.exe58⤵
- Executes dropped EXE
PID:3364 -
\??\c:\xrfxlfx.exec:\xrfxlfx.exe59⤵
- Executes dropped EXE
PID:2596 -
\??\c:\1hhtnh.exec:\1hhtnh.exe60⤵
- Executes dropped EXE
PID:3932 -
\??\c:\nbhbnn.exec:\nbhbnn.exe61⤵
- Executes dropped EXE
PID:1360 -
\??\c:\ppdvp.exec:\ppdvp.exe62⤵
- Executes dropped EXE
PID:3116 -
\??\c:\vpjjj.exec:\vpjjj.exe63⤵
- Executes dropped EXE
PID:556 -
\??\c:\rlrlffl.exec:\rlrlffl.exe64⤵
- Executes dropped EXE
PID:3136 -
\??\c:\nhhtnh.exec:\nhhtnh.exe65⤵
- Executes dropped EXE
PID:856 -
\??\c:\jjvvd.exec:\jjvvd.exe66⤵PID:4564
-
\??\c:\pjdpd.exec:\pjdpd.exe67⤵PID:3564
-
\??\c:\rfrfrlf.exec:\rfrfrlf.exe68⤵PID:1936
-
\??\c:\hbnbtn.exec:\hbnbtn.exe69⤵PID:5004
-
\??\c:\jdjpp.exec:\jdjpp.exe70⤵PID:4676
-
\??\c:\1ppdv.exec:\1ppdv.exe71⤵PID:4612
-
\??\c:\xllfxfx.exec:\xllfxfx.exe72⤵PID:5104
-
\??\c:\ttbhbb.exec:\ttbhbb.exe73⤵PID:372
-
\??\c:\7nhnhb.exec:\7nhnhb.exe74⤵PID:4448
-
\??\c:\jjdpv.exec:\jjdpv.exe75⤵PID:1828
-
\??\c:\llfxrrr.exec:\llfxrrr.exe76⤵
- System Location Discovery: System Language Discovery
PID:4148 -
\??\c:\7hnbbh.exec:\7hnbbh.exe77⤵PID:668
-
\??\c:\thbhnb.exec:\thbhnb.exe78⤵PID:1204
-
\??\c:\frlxffx.exec:\frlxffx.exe79⤵PID:868
-
\??\c:\htbtnb.exec:\htbtnb.exe80⤵PID:3544
-
\??\c:\1hnthh.exec:\1hnthh.exe81⤵PID:2600
-
\??\c:\pjpjd.exec:\pjpjd.exe82⤵PID:4700
-
\??\c:\rffrlxr.exec:\rffrlxr.exe83⤵PID:3768
-
\??\c:\hhtnhh.exec:\hhtnhh.exe84⤵PID:1304
-
\??\c:\nnbbhh.exec:\nnbbhh.exe85⤵PID:4524
-
\??\c:\jdjdv.exec:\jdjdv.exe86⤵PID:1000
-
\??\c:\3fxxrrf.exec:\3fxxrrf.exe87⤵PID:4660
-
\??\c:\bttnhh.exec:\bttnhh.exe88⤵PID:732
-
\??\c:\hthbtn.exec:\hthbtn.exe89⤵PID:4296
-
\??\c:\jjjdv.exec:\jjjdv.exe90⤵PID:3396
-
\??\c:\rlxxlrx.exec:\rlxxlrx.exe91⤵PID:4184
-
\??\c:\thtnnh.exec:\thtnnh.exe92⤵PID:5068
-
\??\c:\djpdp.exec:\djpdp.exe93⤵PID:5024
-
\??\c:\rlfrfxr.exec:\rlfrfxr.exe94⤵PID:1896
-
\??\c:\1xfxxrr.exec:\1xfxxrr.exe95⤵PID:1736
-
\??\c:\tnnbnh.exec:\tnnbnh.exe96⤵PID:4024
-
\??\c:\3ddpd.exec:\3ddpd.exe97⤵PID:1104
-
\??\c:\fffxffr.exec:\fffxffr.exe98⤵PID:3744
-
\??\c:\xfxxrlx.exec:\xfxxrlx.exe99⤵PID:432
-
\??\c:\htntbt.exec:\htntbt.exe100⤵PID:540
-
\??\c:\vppjv.exec:\vppjv.exe101⤵PID:4440
-
\??\c:\jvjdv.exec:\jvjdv.exe102⤵PID:3120
-
\??\c:\xxrlxrf.exec:\xxrlxrf.exe103⤵PID:3832
-
\??\c:\rrxxrfx.exec:\rrxxrfx.exe104⤵PID:5032
-
\??\c:\nbhbtn.exec:\nbhbtn.exe105⤵PID:3724
-
\??\c:\dppdj.exec:\dppdj.exe106⤵PID:4312
-
\??\c:\dvdvv.exec:\dvdvv.exe107⤵PID:3896
-
\??\c:\fffxrll.exec:\fffxrll.exe108⤵PID:1632
-
\??\c:\fxfxfrf.exec:\fxfxfrf.exe109⤵PID:3868
-
\??\c:\3nnhbt.exec:\3nnhbt.exe110⤵PID:4476
-
\??\c:\dvpjj.exec:\dvpjj.exe111⤵PID:412
-
\??\c:\9llxlfr.exec:\9llxlfr.exe112⤵PID:2804
-
\??\c:\xrrfxrl.exec:\xrrfxrl.exe113⤵PID:3168
-
\??\c:\tnhnnh.exec:\tnhnnh.exe114⤵PID:3684
-
\??\c:\tntnbb.exec:\tntnbb.exe115⤵PID:3124
-
\??\c:\ddvpd.exec:\ddvpd.exe116⤵PID:4864
-
\??\c:\7xlxfxx.exec:\7xlxfxx.exe117⤵PID:1748
-
\??\c:\htbbnh.exec:\htbbnh.exe118⤵PID:1744
-
\??\c:\nnbnhn.exec:\nnbnhn.exe119⤵PID:3364
-
\??\c:\vddpv.exec:\vddpv.exe120⤵PID:4528
-
\??\c:\7rrfrlx.exec:\7rrfrlx.exe121⤵PID:4924
-
\??\c:\hnnbtb.exec:\hnnbtb.exe122⤵PID:4860
-