Analysis
- max time kernel: 120s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/12/2024, 01:53
Static task: static1
Behavioral task: behavioral1
Sample: 61145e83182272c034fac9949e2af8f67c3855b9d823dd496417714139f89514N.exe
Resource: win7-20240729-en
General
- Target: 61145e83182272c034fac9949e2af8f67c3855b9d823dd496417714139f89514N.exe
- Size: 453KB
- MD5: 693071be407d64c6652e5d7fd4420cd0
- SHA1: e89c78380e15b3ed0cd6a08c9b44b801d0ff5cd1
- SHA256: 61145e83182272c034fac9949e2af8f67c3855b9d823dd496417714139f89514
- SHA512: 4a9fb15caf1a462f5deed536ab8c95b12bc6b043617925dfda6de8b4c34865b2bf814ce832257e1f2619dcf96c7d6aebda897cb2b9ee49fffb9ef04cfea3a3b1
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJU:q7Tc2NYHUrAwfMp3CDJU
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (63 IoCs)
  yara_rule: family_blackmoon on every row. Every resource is a process memory dump of the form behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000042A000-memory.dmp; the <pid>-<n> part of each of the 63 resources is:
  3440-6, 2608-36, 232-43, 4072-49, 1268-32, 380-25, 3112-19, 1728-14, 3668-13, 4952-60, 4992-71, 1888-77, 796-85, 3064-91, 3336-96, 3504-101, 2064-108, 912-127, 4804-125, 3208-132, 4996-143,
  1628-157, 4920-170, 4156-188, 1344-176, 2880-192, 3480-211, 3540-215, 3620-228, 3084-235, 3472-239, 4900-249, 1780-264, 1524-271, 2688-281, 3956-294, 5076-313, 4716-322, 2500-317, 3992-326, 3132-345, 5116-355,
  2304-359, 1352-363, 668-379, 4588-389, 216-453, 4116-470, 1528-486, 2500-529, 4596-551, 4864-573, 1076-613, 3916-650, 2340-681, 5020-883, 5096-998, 2140-1002, 1256-1024, 4380-1053, 4856-1129, 4804-1290, 4196-1658
- Executes dropped EXE (64 IoCs)
  pid  Process
  3668  vvdvv.exe
  1728  xlrllll.exe
  3112  hbbnnn.exe
  380  pjdvj.exe
  1268  fxxxrlf.exe
  2608  3bnnht.exe
  232  dvpjv.exe
  4072  jvdvp.exe
  4952  frrfrrx.exe
  3152  jpjjd.exe
  4992  fxfxrrl.exe
  1888  rrfrlxx.exe
  3940  jdvpp.exe
  796  rfrllrx.exe
  3064  bhbttt.exe
  3336  pvdvp.exe
  3504  lrxxxff.exe
  2064  hbnnhh.exe
  3036  jdjvp.exe
  4804  xrffffl.exe
  912  ttnhtt.exe
  3208  lfrlfxl.exe
  3456  bhhhnt.exe
  4996  pjjdv.exe
  1808  lfrlxrx.exe
  1628  thbtbb.exe
  2856  nnnhhh.exe
  4920  lrrrrxx.exe
  5100  nnttbh.exe
  1344  vvvpp.exe
  4156  xrlfxlx.exe
  2880  rxrrlfx.exe
  932  7nnbtt.exe
  3840  vvppp.exe
  1604  flrxrrx.exe
  3980  hhbhbt.exe
  3584  jdvdj.exe
  3480  rxrlxlf.exe
  3540  hbtbtb.exe
  1224  fxfrrlr.exe
  3552  ttnhhh.exe
  3916  bttnnh.exe
  3620  vjvvv.exe
  548  rllfffx.exe
  3084  hhntth.exe
  3472  vpvpv.exe
  2336  tttnnn.exe
  5000  jvjdv.exe
  4900  thtnhh.exe
  3364  vjvpp.exe
  4364  lxlfxxr.exe
  4348  lxxxxxx.exe
  3440  nntnhb.exe
  1780  vjpjj.exe
  4244  lfxrllf.exe
  1524  bntttt.exe
  2776  bhhhbt.exe
  3892  vdjdv.exe
  2688  fxrlrrx.exe
  1736  tbttbb.exe
  3040  ddpvj.exe
  5016  9xxxrxx.exe
  3956  5bhbbh.exe
  4388  ppjjd.exe
- (signature title not present on the page; 64 IoCs)
  yara_rule: upx on every row. Every resource is a process memory dump of the form behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000042A000-memory.dmp; the <pid>-<n> part of each of the 64 resources is:
  3440-6, 2608-36, 232-43, 4072-49, 1268-32, 380-25, 3112-19, 1728-14, 3668-13, 4952-55, 4952-60, 4992-71, 1888-77, 796-85, 3064-91, 3336-96, 3504-101, 2064-108, 3036-114, 912-127, 4804-125, 3208-132, 4996-143, 1628-157,
  4920-170, 4156-182, 4156-188, 1344-176, 2880-192, 3480-211, 3540-215, 3620-228, 3084-235, 3472-239, 4900-249, 1780-264, 1524-271, 2688-281, 3956-294, 5076-313, 4716-322, 2500-317, 3992-326, 3132-345, 5116-355, 2304-359, 1352-363, 668-379,
  4588-389, 216-453, 4116-470, 1528-486, 2500-529, 4596-551, 4864-573, 1076-613, 3916-650, 2340-681, 5020-883, 5096-998, 2140-1002, 1256-1024, 4380-1053, 4856-1129
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, on every row; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, on every row. The Process column, in the order the rows are listed ("Process not Found" means the sandbox could not attribute the event to a tracked process):
  Process not Found (x3), nhnnhn.exe, ntbtnh.exe, vdddd.exe, Process not Found (x5), nnthnn.exe, dpjjd.exe, Process not Found (x6), 5djvp.exe, ddvpj.exe, Process not Found (x2), rlxfxrl.exe, xxffrlx.exe, Process not Found (x16), pddvp.exe, hnbttt.exe, Process not Found, btbtbb.exe, Process not Found (x4), 3lxrxxx.exe, tnttnn.exe, vjdjd.exe, Process not Found (x2), xrrlrrr.exe, 3jvpp.exe, Process not Found (x6), htbttn.exe, Process not Found (x2)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description  pid  Process  procid_target  (the same write is recorded three times per parent/child pair, which is how the sandbox reports it)
  PID 3440 wrote to memory of 3668  3440  61145e83182272c034fac9949e2af8f67c3855b9d823dd496417714139f89514N.exe  83  (x3)
  PID 3668 wrote to memory of 1728  3668  vvdvv.exe  84  (x3)
  PID 1728 wrote to memory of 3112  1728  xlrllll.exe  85  (x3)
  PID 3112 wrote to memory of 380  3112  hbbnnn.exe  86  (x3)
  PID 380 wrote to memory of 1268  380  pjdvj.exe  87  (x3)
  PID 1268 wrote to memory of 2608  1268  fxxxrlf.exe  88  (x3)
  PID 2608 wrote to memory of 232  2608  3bnnht.exe  89  (x3)
  PID 232 wrote to memory of 4072  232  dvpjv.exe  90  (x3)
  PID 4072 wrote to memory of 4952  4072  jvdvp.exe  91  (x3)
  PID 4952 wrote to memory of 3152  4952  frrfrrx.exe  92  (x3)
  PID 3152 wrote to memory of 4992  3152  jpjjd.exe  93  (x3)
  PID 4992 wrote to memory of 1888  4992  fxfxrrl.exe  94  (x3)
  PID 1888 wrote to memory of 3940  1888  rrfrlxx.exe  95  (x3)
  PID 3940 wrote to memory of 796  3940  jdvpp.exe  96  (x3)
  PID 796 wrote to memory of 3064  796  rfrllrx.exe  97  (x3)
  PID 3064 wrote to memory of 3336  3064  bhbttt.exe  98  (x3)
  PID 3336 wrote to memory of 3504  3336  pvdvp.exe  99  (x3)
  PID 3504 wrote to memory of 2064  3504  lrxxxff.exe  100  (x3)
  PID 2064 wrote to memory of 3036  2064  hbnnhh.exe  101  (x3)
  PID 3036 wrote to memory of 4804  3036  jdjvp.exe  102  (x3)
  PID 4804 wrote to memory of 912  4804  xrffffl.exe  103  (x3)
  PID 912 wrote to memory of 3208  912  ttnhtt.exe  104  (x1)
Processes
Each entry is one process in the chain; "depth" is the nesting level in the process tree (each process launches the next), followed by the image path, the command line, the PID, and the signatures that fired on it.
- depth 1  C:\Users\Admin\AppData\Local\Temp\61145e83182272c034fac9949e2af8f67c3855b9d823dd496417714139f89514N.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\61145e83182272c034fac9949e2af8f67c3855b9d823dd496417714139f89514N.exe"  PID:3440  [Suspicious use of WriteProcessMemory]
- depth 2  \??\c:\vvdvv.exe  cmdline: c:\vvdvv.exe  PID:3668  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 3  \??\c:\xlrllll.exe  cmdline: c:\xlrllll.exe  PID:1728  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 4  \??\c:\hbbnnn.exe  cmdline: c:\hbbnnn.exe  PID:3112  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 5  \??\c:\pjdvj.exe  cmdline: c:\pjdvj.exe  PID:380  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 6  \??\c:\fxxxrlf.exe  cmdline: c:\fxxxrlf.exe  PID:1268  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 7  \??\c:\3bnnht.exe  cmdline: c:\3bnnht.exe  PID:2608  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 8  \??\c:\dvpjv.exe  cmdline: c:\dvpjv.exe  PID:232  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 9  \??\c:\jvdvp.exe  cmdline: c:\jvdvp.exe  PID:4072  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 10  \??\c:\frrfrrx.exe  cmdline: c:\frrfrrx.exe  PID:4952  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 11  \??\c:\jpjjd.exe  cmdline: c:\jpjjd.exe  PID:3152  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 12  \??\c:\fxfxrrl.exe  cmdline: c:\fxfxrrl.exe  PID:4992  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 13  \??\c:\rrfrlxx.exe  cmdline: c:\rrfrlxx.exe  PID:1888  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 14  \??\c:\jdvpp.exe  cmdline: c:\jdvpp.exe  PID:3940  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 15  \??\c:\rfrllrx.exe  cmdline: c:\rfrllrx.exe  PID:796  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 16  \??\c:\bhbttt.exe  cmdline: c:\bhbttt.exe  PID:3064  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 17  \??\c:\pvdvp.exe  cmdline: c:\pvdvp.exe  PID:3336  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 18  \??\c:\lrxxxff.exe  cmdline: c:\lrxxxff.exe  PID:3504  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 19  \??\c:\hbnnhh.exe  cmdline: c:\hbnnhh.exe  PID:2064  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 20  \??\c:\jdjvp.exe  cmdline: c:\jdjvp.exe  PID:3036  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 21  \??\c:\xrffffl.exe  cmdline: c:\xrffffl.exe  PID:4804  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 22  \??\c:\ttnhtt.exe  cmdline: c:\ttnhtt.exe  PID:912  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- depth 23  \??\c:\lfrlfxl.exe  cmdline: c:\lfrlfxl.exe  PID:3208  [Executes dropped EXE]
- depth 24  \??\c:\bhhhnt.exe  cmdline: c:\bhhhnt.exe  PID:3456  [Executes dropped EXE]
- depth 25  \??\c:\pjjdv.exe  cmdline: c:\pjjdv.exe  PID:4996  [Executes dropped EXE]
- depth 26  \??\c:\lfrlxrx.exe  cmdline: c:\lfrlxrx.exe  PID:1808  [Executes dropped EXE]
- depth 27  \??\c:\thbtbb.exe  cmdline: c:\thbtbb.exe  PID:1628  [Executes dropped EXE]
- depth 28  \??\c:\nnnhhh.exe  cmdline: c:\nnnhhh.exe  PID:2856  [Executes dropped EXE]
- depth 29  \??\c:\lrrrrxx.exe  cmdline: c:\lrrrrxx.exe  PID:4920  [Executes dropped EXE]
- depth 30  \??\c:\nnttbh.exe  cmdline: c:\nnttbh.exe  PID:5100  [Executes dropped EXE]
- depth 31  \??\c:\vvvpp.exe  cmdline: c:\vvvpp.exe  PID:1344  [Executes dropped EXE]
- depth 32  \??\c:\xrlfxlx.exe  cmdline: c:\xrlfxlx.exe  PID:4156  [Executes dropped EXE]
- depth 33  \??\c:\rxrrlfx.exe  cmdline: c:\rxrrlfx.exe  PID:2880  [Executes dropped EXE]
- depth 34  \??\c:\7nnbtt.exe  cmdline: c:\7nnbtt.exe  PID:932  [Executes dropped EXE]
- depth 35  \??\c:\vvppp.exe  cmdline: c:\vvppp.exe  PID:3840  [Executes dropped EXE]
- depth 36  \??\c:\flrxrrx.exe  cmdline: c:\flrxrrx.exe  PID:1604  [Executes dropped EXE]
- depth 37  \??\c:\hhbhbt.exe  cmdline: c:\hhbhbt.exe  PID:3980  [Executes dropped EXE]
- depth 38  \??\c:\jdvdj.exe  cmdline: c:\jdvdj.exe  PID:3584  [Executes dropped EXE]
- depth 39  \??\c:\rxrlxlf.exe  cmdline: c:\rxrlxlf.exe  PID:3480  [Executes dropped EXE]
- depth 40  \??\c:\hbtbtb.exe  cmdline: c:\hbtbtb.exe  PID:3540  [Executes dropped EXE]
- depth 41  \??\c:\fxfrrlr.exe  cmdline: c:\fxfrrlr.exe  PID:1224  [Executes dropped EXE]
- depth 42  \??\c:\ttnhhh.exe  cmdline: c:\ttnhhh.exe  PID:3552  [Executes dropped EXE]
- depth 43  \??\c:\bttnnh.exe  cmdline: c:\bttnnh.exe  PID:3916  [Executes dropped EXE]
- depth 44  \??\c:\vjvvv.exe  cmdline: c:\vjvvv.exe  PID:3620  [Executes dropped EXE]
- depth 45  \??\c:\rllfffx.exe  cmdline: c:\rllfffx.exe  PID:548  [Executes dropped EXE]
- depth 46  \??\c:\hhntth.exe  cmdline: c:\hhntth.exe  PID:3084  [Executes dropped EXE]
- depth 47  \??\c:\vpvpv.exe  cmdline: c:\vpvpv.exe  PID:3472  [Executes dropped EXE]
- depth 48  \??\c:\tttnnn.exe  cmdline: c:\tttnnn.exe  PID:2336  [Executes dropped EXE]
- depth 49  \??\c:\jvjdv.exe  cmdline: c:\jvjdv.exe  PID:5000  [Executes dropped EXE]
- depth 50  \??\c:\thtnhh.exe  cmdline: c:\thtnhh.exe  PID:4900  [Executes dropped EXE]
- depth 51  \??\c:\vjvpp.exe  cmdline: c:\vjvpp.exe  PID:3364  [Executes dropped EXE]
- depth 52  \??\c:\lxlfxxr.exe  cmdline: c:\lxlfxxr.exe  PID:4364  [Executes dropped EXE]
- depth 53  \??\c:\lxxxxxx.exe  cmdline: c:\lxxxxxx.exe  PID:4348  [Executes dropped EXE]
- depth 54  \??\c:\nntnhb.exe  cmdline: c:\nntnhb.exe  PID:3440  [Executes dropped EXE]
- depth 55  \??\c:\vjpjj.exe  cmdline: c:\vjpjj.exe  PID:1780  [Executes dropped EXE]
- depth 56  \??\c:\lfxrllf.exe  cmdline: c:\lfxrllf.exe  PID:4244  [Executes dropped EXE]
- depth 57  \??\c:\bntttt.exe  cmdline: c:\bntttt.exe  PID:1524  [Executes dropped EXE]
- depth 58  \??\c:\bhhhbt.exe  cmdline: c:\bhhhbt.exe  PID:2776  [Executes dropped EXE]
- depth 59  \??\c:\vdjdv.exe  cmdline: c:\vdjdv.exe  PID:3892  [Executes dropped EXE]
- depth 60  \??\c:\fxrlrrx.exe  cmdline: c:\fxrlrrx.exe  PID:2688  [Executes dropped EXE]
- depth 61  \??\c:\tbttbb.exe  cmdline: c:\tbttbb.exe  PID:1736  [Executes dropped EXE]
- depth 62  \??\c:\ddpvj.exe  cmdline: c:\ddpvj.exe  PID:3040  [Executes dropped EXE]
- depth 63  \??\c:\9xxxrxx.exe  cmdline: c:\9xxxrxx.exe  PID:5016  [Executes dropped EXE]
- depth 64  \??\c:\5bhbbh.exe  cmdline: c:\5bhbbh.exe  PID:3956  [Executes dropped EXE]
- depth 65  \??\c:\ppjjd.exe  cmdline: c:\ppjjd.exe  PID:4388  [Executes dropped EXE]
- depth 66  \??\c:\flfxrrr.exe  cmdline: c:\flfxrrr.exe  PID:4384
- depth 67  \??\c:\1hnnnn.exe  cmdline: c:\1hnnnn.exe  PID:392
- depth 68  \??\c:\jdjdj.exe  cmdline: c:\jdjdj.exe  PID:2648
- depth 69  \??\c:\1frllrr.exe  cmdline: c:\1frllrr.exe  PID:1908
- depth 70  \??\c:\bnbttt.exe  cmdline: c:\bnbttt.exe  PID:5076
- depth 71  \??\c:\7dpdp.exe  cmdline: c:\7dpdp.exe  PID:2500
- depth 72  \??\c:\vvdvd.exe  cmdline: c:\vvdvd.exe  PID:4716
- depth 73  \??\c:\rrrfrrx.exe  cmdline: c:\rrrfrrx.exe  PID:3992
- depth 74  \??\c:\5hnhtt.exe  cmdline: c:\5hnhtt.exe  PID:4032
- depth 75  \??\c:\jddvv.exe  cmdline: c:\jddvv.exe  PID:2696
- depth 76  \??\c:\1xxrlll.exe  cmdline: c:\1xxrlll.exe  PID:2208
- depth 77  \??\c:\hbttnn.exe  cmdline: c:\hbttnn.exe  PID:5056
- depth 78  \??\c:\vppjd.exe  cmdline: c:\vppjd.exe  PID:3008
- depth 79  \??\c:\vpdvp.exe  cmdline: c:\vpdvp.exe  PID:3132
- depth 80  \??\c:\hnnhhh.exe  cmdline: c:\hnnhhh.exe  PID:1340
- depth 81  \??\c:\tbtnbn.exe  cmdline: c:\tbtnbn.exe  PID:2116
- depth 82  \??\c:\vdjdd.exe  cmdline: c:\vdjdd.exe  PID:5116
- depth 83  \??\c:\xflffxl.exe  cmdline: c:\xflffxl.exe  PID:2304
- depth 84  \??\c:\nhnnhn.exe  cmdline: c:\nhnnhn.exe  PID:1352  [System Location Discovery: System Language Discovery]
- depth 85  \??\c:\pvpvp.exe  cmdline: c:\pvpvp.exe  PID:1792
- depth 86  \??\c:\hthbtt.exe  cmdline: c:\hthbtt.exe  PID:228
- depth 87  \??\c:\ttttnn.exe  cmdline: c:\ttttnn.exe  PID:4752
- depth 88  \??\c:\jjjdv.exe  cmdline: c:\jjjdv.exe  PID:3824
- depth 89  \??\c:\xlrrrll.exe  cmdline: c:\xlrrrll.exe  PID:668
- depth 90  \??\c:\bhtthb.exe  cmdline: c:\bhtthb.exe  PID:4604
- depth 91  \??\c:\bbbttt.exe  cmdline: c:\bbbttt.exe  PID:4404
- depth 92  \??\c:\pdjdv.exe  cmdline: c:\pdjdv.exe  PID:4588
- depth 93  \??\c:\5xrlfrl.exe  cmdline: c:\5xrlfrl.exe  PID:800
- depth 94  \??\c:\nnttth.exe  cmdline: c:\nnttth.exe  PID:5100
- depth 95  \??\c:\pddvp.exe  cmdline: c:\pddvp.exe  PID:2708  [System Location Discovery: System Language Discovery]
- depth 96  \??\c:\rxlllll.exe  cmdline: c:\rxlllll.exe  PID:904
- depth 97  \??\c:\hbhnnb.exe  cmdline: c:\hbhnnb.exe  PID:1296
- depth 98  \??\c:\dvvvp.exe  cmdline: c:\dvvvp.exe  PID:2080
- depth 99  \??\c:\jddvp.exe  cmdline: c:\jddvp.exe  PID:4764
- depth 100  \??\c:\rxxxrlf.exe  cmdline: c:\rxxxrlf.exe  PID:3172
- depth 101  \??\c:\5xxrrrr.exe  cmdline: c:\5xxrrrr.exe  PID:4868
- depth 102  \??\c:\bttnht.exe  cmdline: c:\bttnht.exe  PID:2176
- depth 103  \??\c:\dvdvv.exe  cmdline: c:\dvdvv.exe  PID:4400
- depth 104  \??\c:\3lffxfx.exe  cmdline: c:\3lffxfx.exe  PID:3304
- depth 105  \??\c:\hbhbtt.exe  cmdline: c:\hbhbtt.exe  PID:1952
- depth 106  \??\c:\pvdvp.exe  cmdline: c:\pvdvp.exe  PID:4984
- depth 107  \??\c:\7pjpj.exe  cmdline: c:\7pjpj.exe  PID:3708
- depth 108  \??\c:\rrrlrrf.exe  cmdline: c:\rrrlrrf.exe  PID:3516
- depth 109  \??\c:\nntttt.exe  cmdline: c:\nntttt.exe  PID:3952
- depth 110  \??\c:\ddjdv.exe  cmdline: c:\ddjdv.exe  PID:1532
- depth 111  \??\c:\dvjdv.exe  cmdline: c:\dvjdv.exe  PID:1712
- depth 112  \??\c:\rfrlffx.exe  cmdline: c:\rfrlffx.exe  PID:3084
- depth 113  \??\c:\hhtntt.exe  cmdline: c:\hhtntt.exe  PID:216
- depth 114  \??\c:\5vdvv.exe  cmdline: c:\5vdvv.exe  PID:3548
- depth 115  \??\c:\5rrrlll.exe  cmdline: c:\5rrrlll.exe  PID:1372
- depth 116  \??\c:\xlllffx.exe  cmdline: c:\xlllffx.exe  PID:3272
- depth 117  \??\c:\hntnnt.exe  cmdline: c:\hntnnt.exe  PID:4516
- depth 118  \??\c:\ppvvp.exe  cmdline: c:\ppvvp.exe  PID:4380
- depth 119  \??\c:\vjppp.exe  cmdline: c:\vjppp.exe  PID:4116
- depth 120  \??\c:\lrxflrx.exe  cmdline: c:\lrxflrx.exe  PID:5020
- depth 121  \??\c:\bttttb.exe  cmdline: c:\bttttb.exe  PID:2068
- depth 122  \??\c:\dpppj.exe  cmdline: c:\dpppj.exe  PID:1356