Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/12/2024, 05:37
Static task: static1
Behavioral task: behavioral1
Sample: e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe
Resource: win7-20240708-en
General
Target: e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe
Size: 455KB
MD5: 586844b1b9fedf8945bf698ece5ae46f
SHA1: de05dcf23bbfecff202fc078b529cac8ae6eca7a
SHA256: e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17
SHA512: cde0c16ad83d110ae8cb3d9289471af6630a7014e99c6c744edad97e976792002cdb56a310777fded3f65c58aee8c8c6e97a6421dea14b05ea66449eb29e40c3
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRw:q7Tc2NYHUrAwfMp3CDRw
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (64 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
level | image | command line | PID | signatures
1 | C:\Users\Admin\AppData\Local\Temp\e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe | "C:\Users\Admin\AppData\Local\Temp\e11e7583a7296162b34b32cf87af82c5563733a142a60482858f34c4326f8a17.exe" | 4512 | Suspicious use of WriteProcessMemory
2 | \??\c:\dpdvv.exe | c:\dpdvv.exe | 1320 | Executes dropped EXE; Suspicious use of WriteProcessMemory
3 | \??\c:\rffrfrf.exe | c:\rffrfrf.exe | 4928 | Executes dropped EXE; Suspicious use of WriteProcessMemory
4 | \??\c:\nnnbth.exe | c:\nnnbth.exe | 3960 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5 | \??\c:\pjddp.exe | c:\pjddp.exe | 3724 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6 | \??\c:\lrfxlfx.exe | c:\lrfxlfx.exe | 1840 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7 | \??\c:\bnhbbt.exe | c:\bnhbbt.exe | 4436 | Executes dropped EXE; Suspicious use of WriteProcessMemory
8 | \??\c:\vjjvp.exe | c:\vjjvp.exe | 2840 | Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | \??\c:\9xxlxrl.exe | c:\9xxlxrl.exe | 3636 | Executes dropped EXE; Suspicious use of WriteProcessMemory
10 | \??\c:\fxrlxrl.exe | c:\fxrlxrl.exe | 4952 | Executes dropped EXE; Suspicious use of WriteProcessMemory
11 | \??\c:\ttbnbt.exe | c:\ttbnbt.exe | 3000 | Executes dropped EXE; Suspicious use of WriteProcessMemory
12 | \??\c:\pvvjv.exe | c:\pvvjv.exe | 1880 | Executes dropped EXE; Suspicious use of WriteProcessMemory
13 | \??\c:\nhhtnh.exe | c:\nhhtnh.exe | 2036 | Executes dropped EXE; Suspicious use of WriteProcessMemory
14 | \??\c:\7jjjv.exe | c:\7jjjv.exe | 3732 | Executes dropped EXE; Suspicious use of WriteProcessMemory
15 | \??\c:\frrflfr.exe | c:\frrflfr.exe | 3020 | Executes dropped EXE; Suspicious use of WriteProcessMemory
16 | \??\c:\htthth.exe | c:\htthth.exe | 2728 | Executes dropped EXE; Suspicious use of WriteProcessMemory
17 | \??\c:\vpdvj.exe | c:\vpdvj.exe | 4888 | Executes dropped EXE; Suspicious use of WriteProcessMemory
18 | \??\c:\htnbbn.exe | c:\htnbbn.exe | 3196 | Executes dropped EXE; Suspicious use of WriteProcessMemory
19 | \??\c:\ththbn.exe | c:\ththbn.exe | 1468 | Executes dropped EXE; Suspicious use of WriteProcessMemory
20 | \??\c:\tnbtht.exe | c:\tnbtht.exe | 2896 | Executes dropped EXE; Suspicious use of WriteProcessMemory
21 | \??\c:\ffxxlxf.exe | c:\ffxxlxf.exe | 1856 | Executes dropped EXE; Suspicious use of WriteProcessMemory
22 | \??\c:\3ddpp.exe | c:\3ddpp.exe | 2716 | Executes dropped EXE; Suspicious use of WriteProcessMemory
23 | \??\c:\5vvjd.exe | c:\5vvjd.exe | 2296 | Executes dropped EXE
24 | \??\c:\rlxlxrl.exe | c:\rlxlxrl.exe | 4640 | Executes dropped EXE
25 | \??\c:\bnnbnb.exe | c:\bnnbnb.exe | 624 | Executes dropped EXE
26 | \??\c:\bnhtbt.exe | c:\bnhtbt.exe | 1504 | Executes dropped EXE
27 | \??\c:\bnhtth.exe | c:\bnhtth.exe | 3144 | Executes dropped EXE
28 | \??\c:\pdvpd.exe | c:\pdvpd.exe | 4692 | Executes dropped EXE
29 | \??\c:\nnthth.exe | c:\nnthth.exe | 3432 | Executes dropped EXE
30 | \??\c:\jddpp.exe | c:\jddpp.exe | 2600 | Executes dropped EXE
31 | \??\c:\frlxlfr.exe | c:\frlxlfr.exe | 5052 | Executes dropped EXE
32 | \??\c:\vddvj.exe | c:\vddvj.exe | 2156 | Executes dropped EXE
33 | \??\c:\bbbnnh.exe | c:\bbbnnh.exe | 412 | Executes dropped EXE
34 | \??\c:\jvpjv.exe | c:\jvpjv.exe | 884 | Executes dropped EXE
35 | \??\c:\3hthbt.exe | c:\3hthbt.exe | 4216 | Executes dropped EXE
36 | \??\c:\hhtbbn.exe | c:\hhtbbn.exe | 1488 | Executes dropped EXE
37 | \??\c:\pdjpv.exe | c:\pdjpv.exe | 2432 | Executes dropped EXE
38 | \??\c:\7fxrfxl.exe | c:\7fxrfxl.exe | 1596 | Executes dropped EXE
39 | \??\c:\hbthtn.exe | c:\hbthtn.exe | 4552 | Executes dropped EXE
40 | \??\c:\vdjjj.exe | c:\vdjjj.exe | 3604 | Executes dropped EXE
41 | \??\c:\vpvpp.exe | c:\vpvpp.exe | 3436 | Executes dropped EXE
42 | \??\c:\rrlxlfx.exe | c:\rrlxlfx.exe | 856 | Executes dropped EXE
43 | \??\c:\9tbhhb.exe | c:\9tbhhb.exe | 2720 | Executes dropped EXE
44 | \??\c:\vpjvj.exe | c:\vpjvj.exe | 4152 | Executes dropped EXE
45 | \??\c:\lrllfrf.exe | c:\lrllfrf.exe | 900 | Executes dropped EXE
46 | \??\c:\xxfffrf.exe | c:\xxfffrf.exe | 1100 | Executes dropped EXE
47 | \??\c:\nnnhbt.exe | c:\nnnhbt.exe | 4316 | Executes dropped EXE
48 | \??\c:\vvdpd.exe | c:\vvdpd.exe | 4272 | Executes dropped EXE
49 | \??\c:\rrlfxrf.exe | c:\rrlfxrf.exe | 1376 | Executes dropped EXE
50 | \??\c:\xlrlffl.exe | c:\xlrlffl.exe | 2508 | Executes dropped EXE
51 | \??\c:\tntntn.exe | c:\tntntn.exe | 3536 | Executes dropped EXE
52 | \??\c:\3ppjv.exe | c:\3ppjv.exe | 3892 | Executes dropped EXE
53 | \??\c:\xffrfxl.exe | c:\xffrfxl.exe | 1564 | Executes dropped EXE
54 | \??\c:\lxxlxll.exe | c:\lxxlxll.exe | 4668 | Executes dropped EXE; System Location Discovery: System Language Discovery
55 | \??\c:\bnnbnh.exe | c:\bnnbnh.exe | 4368 | Executes dropped EXE
56 | \??\c:\pppdv.exe | c:\pppdv.exe | 3256 | Executes dropped EXE
57 | \??\c:\flfllxf.exe | c:\flfllxf.exe | 2388 | Executes dropped EXE
58 | \??\c:\hthttn.exe | c:\hthttn.exe | 4436 | Executes dropped EXE
59 | \??\c:\vvjdj.exe | c:\vvjdj.exe | 2860 | Executes dropped EXE
60 | \??\c:\jpdvj.exe | c:\jpdvj.exe | 1044 | Executes dropped EXE
61 | \??\c:\rfrfxlf.exe | c:\rfrfxlf.exe | 3636 | Executes dropped EXE
62 | \??\c:\flrfffr.exe | c:\flrfffr.exe | 3492 | Executes dropped EXE
63 | \??\c:\tnthhb.exe | c:\tnthhb.exe | 3612 | Executes dropped EXE
64 | \??\c:\jvpjv.exe | c:\jvpjv.exe | 4432 | Executes dropped EXE
65 | \??\c:\rrfrfxl.exe | c:\rrfrfxl.exe | 1324 | Executes dropped EXE
66 | \??\c:\hbnbth.exe | c:\hbnbth.exe | 3292 |
67 | \??\c:\pvvjd.exe | c:\pvvjd.exe | 4136 |
68 | \??\c:\jvvpj.exe | c:\jvvpj.exe | 532 | System Location Discovery: System Language Discovery
69 | \??\c:\frlfflr.exe | c:\frlfflr.exe | 3652 |
70 | \??\c:\hbbbnb.exe | c:\hbbbnb.exe | 4380 |
71 | \??\c:\tnbnbn.exe | c:\tnbnbn.exe | 2016 |
72 | \??\c:\dpjdp.exe | c:\dpjdp.exe | 2040 |
73 | \??\c:\7fffrrl.exe | c:\7fffrrl.exe | 2192 |
74 | \??\c:\7rrfxrl.exe | c:\7rrfxrl.exe | 2088 |
75 | \??\c:\hntnbt.exe | c:\hntnbt.exe | 3600 |
76 | \??\c:\djjvj.exe | c:\djjvj.exe | 392 |
77 | \??\c:\vjvpp.exe | c:\vjvpp.exe | 592 |
78 | \??\c:\lrxlffr.exe | c:\lrxlffr.exe | 2672 |
79 | \??\c:\hbtnbt.exe | c:\hbtnbt.exe | 4228 |
80 | \??\c:\dvjvj.exe | c:\dvjvj.exe | 1856 |
81 | \??\c:\9llxlfx.exe | c:\9llxlfx.exe | 4364 |
82 | \??\c:\bhthth.exe | c:\bhthth.exe | 4956 |
83 | \??\c:\7vvjv.exe | c:\7vvjv.exe | 4340 |
84 | \??\c:\pdpvj.exe | c:\pdpvj.exe | 4756 |
85 | \??\c:\xlfrxlf.exe | c:\xlfrxlf.exe | 3272 |
86 | \??\c:\1hbthh.exe | c:\1hbthh.exe | 3796 |
87 | \??\c:\9dvpd.exe | c:\9dvpd.exe | 5028 |
88 | \??\c:\xrlfrlf.exe | c:\xrlfrlf.exe | 2312 | System Location Discovery: System Language Discovery
89 | \??\c:\ntbthb.exe | c:\ntbthb.exe | 2960 |
90 | \??\c:\htnbnh.exe | c:\htnbnh.exe | 3432 |
91 | \??\c:\7pdjp.exe | c:\7pdjp.exe | 3460 |
92 | \??\c:\9llxllx.exe | c:\9llxllx.exe | 852 |
93 | \??\c:\thbnbt.exe | c:\thbnbt.exe | 4356 |
94 | \??\c:\vddjp.exe | c:\vddjp.exe | 2592 |
95 | \??\c:\xflflfx.exe | c:\xflflfx.exe | 60 |
96 | \??\c:\frllrfl.exe | c:\frllrfl.exe | 4260 |
97 | \??\c:\bthbht.exe | c:\bthbht.exe | 1012 |
98 | \??\c:\vjjvj.exe | c:\vjjvj.exe | 1428 |
99 | \??\c:\rrxlrlf.exe | c:\rrxlrlf.exe | 1924 |
100 | \??\c:\htnnbn.exe | c:\htnnbn.exe | 1676 |
101 | \??\c:\9vjvj.exe | c:\9vjvj.exe | 2132 |
102 | \??\c:\pddpd.exe | c:\pddpd.exe | 2824 |
103 | \??\c:\lfffffl.exe | c:\lfffffl.exe | 3604 |
104 | \??\c:\bntnnh.exe | c:\bntnnh.exe | 4476 |
105 | \??\c:\jvdpd.exe | c:\jvdpd.exe | 1584 |
106 | \??\c:\rrrrlrl.exe | c:\rrrrlrl.exe | 2888 | System Location Discovery: System Language Discovery
107 | \??\c:\htbttn.exe | c:\htbttn.exe | 4152 |
108 | \??\c:\pvvjd.exe | c:\pvvjd.exe | 684 |
109 | \??\c:\dvdvd.exe | c:\dvdvd.exe | 4536 |
110 | \??\c:\llrflfl.exe | c:\llrflfl.exe | 4988 |
111 | \??\c:\bnttnn.exe | c:\bnttnn.exe | 5056 |
112 | \??\c:\nbbthb.exe | c:\nbbthb.exe | 2288 |
113 | \??\c:\ppvjv.exe | c:\ppvjv.exe | 1320 |
114 | \??\c:\flrlxrf.exe | c:\flrlxrf.exe | 3952 |
115 | \??\c:\1rlrflf.exe | c:\1rlrflf.exe | 964 |
116 | \??\c:\tbthtn.exe | c:\tbthtn.exe | 3792 |
117 | \??\c:\ddvpj.exe | c:\ddvpj.exe | 4716 |
118 | \??\c:\rrfxfxf.exe | c:\rrfxfxf.exe | 2916 |
119 | \??\c:\bnhthn.exe | c:\bnhthn.exe | 1776 |
120 | \??\c:\9pjvj.exe | c:\9pjvj.exe | 3256 |
121 | \??\c:\rxfflfx.exe | c:\rxfflfx.exe | 2388 |
122 | \??\c:\frxrfxr.exe | c:\frxrfxr.exe | 2352 |