Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/01/2025, 06:48

Static task
- static1

Behavioral task
- behavioral1
- Sample: d0cf433627eb145069e89bdb195692db138c362627f14be8e25f3c83b878ed1c.exe
- Resource: win7-20240903-en
General
- Target: d0cf433627eb145069e89bdb195692db138c362627f14be8e25f3c83b878ed1c.exe
- Size: 454KB
- MD5: 26946031d86409d8811b1257cd90055d
- SHA1: cf502ac452b5df12cdddd245645dbdfeee4278be
- SHA256: d0cf433627eb145069e89bdb195692db138c362627f14be8e25f3c83b878ed1c
- SHA512: b1722659d5c5e730050d06881b7b9d6f938cb8bfc2bd2b9798ee96d664a5c786fb5fda35a9e3ad927a0663989b5ab7284b8e385ca3cc09a65f549077b748fd49
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbee:q7Tc2NYHUrAwfMp3CDe
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (64 IoCs)
  resource | yara_rule
  behavioral2/memory/2876-5-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/3768-12-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1780-11-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/3252-18-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1388-30-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/3228-36-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/3788-40-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1740-48-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1976-54-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/2936-59-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1468-76-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/3168-97-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1260-100-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/2068-142-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/5096-138-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1904-127-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/2164-121-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1512-115-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/4360-112-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/2796-91-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/5044-87-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1492-83-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/2532-152-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/412-160-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1340-168-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/4324-167-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/3508-183-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/2192-189-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/4656-193-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/888-215-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/4640-219-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/5084-238-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/4028-247-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/3672-251-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/4764-264-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/4848-268-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/4728-277-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/3408-284-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/3644-300-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1976-307-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1612-311-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/4768-315-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/3752-325-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/2960-335-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/3456-342-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1992-349-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/5112-380-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1200-408-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1912-418-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1760-428-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/2712-438-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/4936-490-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/2180-509-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/3268-513-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/5044-548-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1660-570-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1808-667-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/5012-680-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/2988-730-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/2960-758-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/2284-783-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/2196-818-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/1644-1137-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
  behavioral2/memory/4360-1552-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
- Executes dropped EXE (64 IoCs)
  pid | Process
  1780 | pvvpj.exe
  3768 | 3xxxrrx.exe
  3252 | htnbbt.exe
  1388 | jddvd.exe
  3228 | 1jdpj.exe
  3788 | nnbbhh.exe
  1740 | jdjjj.exe
  1976 | 5lxrxfx.exe
  2936 | dvdvp.exe
  2296 | rllllff.exe
  2916 | lrxrlfx.exe
  1468 | bthbhb.exe
  2796 | lflfffx.exe
  1492 | bnnnhh.exe
  5044 | vppjj.exe
  3168 | rflfxrr.exe
  1260 | hnnnnt.exe
  1512 | rfxxxxx.exe
  4360 | hhhbtt.exe
  2164 | jdpjd.exe
  1904 | vpvpj.exe
  3100 | xfllrrr.exe
  5096 | 5nnhhh.exe
  2068 | vpdvp.exe
  2532 | 7rxrlrl.exe
  412 | nhnnhn.exe
  4324 | xlrllfx.exe
  1340 | 3rfxrlf.exe
  4744 | 5bhbhh.exe
  3508 | dvpjv.exe
  2192 | vjjdv.exe
  4656 | fxrxfrf.exe
  2492 | lxfxxrl.exe
  4568 | flxxfrr.exe
  620 | bnbttt.exe
  3984 | ttbthh.exe
  1724 | fxlfrrx.exe
  2412 | hhhhbb.exe
  888 | lfrfrrr.exe
  4640 | hbnnht.exe
  2836 | 7bhntb.exe
  1964 | dvjdj.exe
  2308 | fxfrfxf.exe
  3304 | 7hhnnn.exe
  736 | hnhbtt.exe
  5084 | vvvvp.exe
  4400 | lxlfxxr.exe
  1252 | ttbbtn.exe
  4028 | jjppj.exe
  3672 | rflllff.exe
  1872 | lrxrlfr.exe
  32 | bttnhb.exe
  4392 | jppjd.exe
  4764 | rflllll.exe
  4848 | btbbtb.exe
  4936 | pjjdv.exe
  3768 | vdpjd.exe
  4728 | lfrlfxr.exe
  4480 | bthbtt.exe
  3408 | pdjjv.exe
  3032 | llrxflr.exe
  3852 | thbttb.exe
  3268 | 9hnhhh.exe
  2060 | pjpvp.exe
- yara_rule upx (64 IoCs)
  resource | yara_rule
  behavioral2/memory/2876-5-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/3768-12-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1780-11-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1388-24-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/3252-18-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1388-30-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/3228-36-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/3788-40-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1740-48-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2936-55-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1976-54-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2936-59-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1468-76-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/3168-97-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1260-100-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2068-142-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/5096-138-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1904-127-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2164-121-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1512-115-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/4360-112-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2796-91-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2532-148-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/5044-87-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1492-83-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2532-152-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/412-160-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1340-168-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/4324-167-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/3508-183-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2192-189-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/4656-193-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/888-215-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/4640-219-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/5084-238-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/4028-247-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/3672-251-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/4764-264-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/4848-268-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/4728-277-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/3408-284-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/3644-300-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1976-307-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1612-311-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/4768-315-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/3752-325-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2960-335-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/3456-342-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1992-349-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/5112-380-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1200-408-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1912-418-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1760-428-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2712-438-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/4936-490-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2180-509-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/3268-513-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2992-517-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/5044-548-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1660-570-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/1808-667-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/5012-680-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/3788-717-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2988-730-0x0000000000400000-0x000000000042A000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tbthnt.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dddpj.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xxxxlrx.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | htnnhn.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5frlfrl.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | btttnn.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lxflxxr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pjppj.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | llxxllf.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xlrrrrr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | llffffl.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1bnnbh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tttttn.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5xxrrrr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdjdv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7rxrlrl.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5lrllrl.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | flrrrxf.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lxfrllx.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lrxxxxf.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2876 wrote to memory of 1780 | 2876 | d0cf433627eb145069e89bdb195692db138c362627f14be8e25f3c83b878ed1c.exe | 82
  PID 2876 wrote to memory of 1780 | 2876 | d0cf433627eb145069e89bdb195692db138c362627f14be8e25f3c83b878ed1c.exe | 82
  PID 2876 wrote to memory of 1780 | 2876 | d0cf433627eb145069e89bdb195692db138c362627f14be8e25f3c83b878ed1c.exe | 82
  PID 1780 wrote to memory of 3768 | 1780 | pvvpj.exe | 83
  PID 1780 wrote to memory of 3768 | 1780 | pvvpj.exe | 83
  PID 1780 wrote to memory of 3768 | 1780 | pvvpj.exe | 83
  PID 3768 wrote to memory of 3252 | 3768 | 3xxxrrx.exe | 84
  PID 3768 wrote to memory of 3252 | 3768 | 3xxxrrx.exe | 84
  PID 3768 wrote to memory of 3252 | 3768 | 3xxxrrx.exe | 84
  PID 3252 wrote to memory of 1388 | 3252 | htnbbt.exe | 85
  PID 3252 wrote to memory of 1388 | 3252 | htnbbt.exe | 85
  PID 3252 wrote to memory of 1388 | 3252 | htnbbt.exe | 85
  PID 1388 wrote to memory of 3228 | 1388 | jddvd.exe | 86
  PID 1388 wrote to memory of 3228 | 1388 | jddvd.exe | 86
  PID 1388 wrote to memory of 3228 | 1388 | jddvd.exe | 86
  PID 3228 wrote to memory of 3788 | 3228 | 1jdpj.exe | 87
  PID 3228 wrote to memory of 3788 | 3228 | 1jdpj.exe | 87
  PID 3228 wrote to memory of 3788 | 3228 | 1jdpj.exe | 87
  PID 3788 wrote to memory of 1740 | 3788 | nnbbhh.exe | 88
  PID 3788 wrote to memory of 1740 | 3788 | nnbbhh.exe | 88
  PID 3788 wrote to memory of 1740 | 3788 | nnbbhh.exe | 88
  PID 1740 wrote to memory of 1976 | 1740 | jdjjj.exe | 89
  PID 1740 wrote to memory of 1976 | 1740 | jdjjj.exe | 89
  PID 1740 wrote to memory of 1976 | 1740 | jdjjj.exe | 89
  PID 1976 wrote to memory of 2936 | 1976 | 5lxrxfx.exe | 90
  PID 1976 wrote to memory of 2936 | 1976 | 5lxrxfx.exe | 90
  PID 1976 wrote to memory of 2936 | 1976 | 5lxrxfx.exe | 90
  PID 2936 wrote to memory of 2296 | 2936 | dvdvp.exe | 91
  PID 2936 wrote to memory of 2296 | 2936 | dvdvp.exe | 91
  PID 2936 wrote to memory of 2296 | 2936 | dvdvp.exe | 91
  PID 2296 wrote to memory of 2916 | 2296 | rllllff.exe | 92
  PID 2296 wrote to memory of 2916 | 2296 | rllllff.exe | 92
  PID 2296 wrote to memory of 2916 | 2296 | rllllff.exe | 92
  PID 2916 wrote to memory of 1468 | 2916 | lrxrlfx.exe | 93
  PID 2916 wrote to memory of 1468 | 2916 | lrxrlfx.exe | 93
  PID 2916 wrote to memory of 1468 | 2916 | lrxrlfx.exe | 93
  PID 1468 wrote to memory of 2796 | 1468 | bthbhb.exe | 94
  PID 1468 wrote to memory of 2796 | 1468 | bthbhb.exe | 94
  PID 1468 wrote to memory of 2796 | 1468 | bthbhb.exe | 94
  PID 2796 wrote to memory of 1492 | 2796 | lflfffx.exe | 95
  PID 2796 wrote to memory of 1492 | 2796 | lflfffx.exe | 95
  PID 2796 wrote to memory of 1492 | 2796 | lflfffx.exe | 95
  PID 1492 wrote to memory of 5044 | 1492 | bnnnhh.exe | 96
  PID 1492 wrote to memory of 5044 | 1492 | bnnnhh.exe | 96
  PID 1492 wrote to memory of 5044 | 1492 | bnnnhh.exe | 96
  PID 5044 wrote to memory of 3168 | 5044 | vppjj.exe | 97
  PID 5044 wrote to memory of 3168 | 5044 | vppjj.exe | 97
  PID 5044 wrote to memory of 3168 | 5044 | vppjj.exe | 97
  PID 3168 wrote to memory of 1260 | 3168 | rflfxrr.exe | 98
  PID 3168 wrote to memory of 1260 | 3168 | rflfxrr.exe | 98
  PID 3168 wrote to memory of 1260 | 3168 | rflfxrr.exe | 98
  PID 1260 wrote to memory of 1512 | 1260 | hnnnnt.exe | 99
  PID 1260 wrote to memory of 1512 | 1260 | hnnnnt.exe | 99
  PID 1260 wrote to memory of 1512 | 1260 | hnnnnt.exe | 99
  PID 1512 wrote to memory of 4360 | 1512 | rfxxxxx.exe | 100
  PID 1512 wrote to memory of 4360 | 1512 | rfxxxxx.exe | 100
  PID 1512 wrote to memory of 4360 | 1512 | rfxxxxx.exe | 100
  PID 4360 wrote to memory of 2164 | 4360 | hhhbtt.exe | 101
  PID 4360 wrote to memory of 2164 | 4360 | hhhbtt.exe | 101
  PID 4360 wrote to memory of 2164 | 4360 | hhhbtt.exe | 101
  PID 2164 wrote to memory of 1904 | 2164 | jdpjd.exe | 102
  PID 2164 wrote to memory of 1904 | 2164 | jdpjd.exe | 102
  PID 2164 wrote to memory of 1904 | 2164 | jdpjd.exe | 102
  PID 1904 wrote to memory of 3100 | 1904 | vpvpj.exe | 103
Processes
(each entry: depth in the process tree, image path, command line, PID, then the signatures triggered by that process)
- depth 1: C:\Users\Admin\AppData\Local\Temp\d0cf433627eb145069e89bdb195692db138c362627f14be8e25f3c83b878ed1c.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\d0cf433627eb145069e89bdb195692db138c362627f14be8e25f3c83b878ed1c.exe")  PID 2876
  - Suspicious use of WriteProcessMemory
- depth 2: \??\c:\pvvpj.exe  (command line: c:\pvvpj.exe)  PID 1780
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 3: \??\c:\3xxxrrx.exe  (command line: c:\3xxxrrx.exe)  PID 3768
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 4: \??\c:\htnbbt.exe  (command line: c:\htnbbt.exe)  PID 3252
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 5: \??\c:\jddvd.exe  (command line: c:\jddvd.exe)  PID 1388
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 6: \??\c:\1jdpj.exe  (command line: c:\1jdpj.exe)  PID 3228
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 7: \??\c:\nnbbhh.exe  (command line: c:\nnbbhh.exe)  PID 3788
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 8: \??\c:\jdjjj.exe  (command line: c:\jdjjj.exe)  PID 1740
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 9: \??\c:\5lxrxfx.exe  (command line: c:\5lxrxfx.exe)  PID 1976
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 10: \??\c:\dvdvp.exe  (command line: c:\dvdvp.exe)  PID 2936
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 11: \??\c:\rllllff.exe  (command line: c:\rllllff.exe)  PID 2296
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 12: \??\c:\lrxrlfx.exe  (command line: c:\lrxrlfx.exe)  PID 2916
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 13: \??\c:\bthbhb.exe  (command line: c:\bthbhb.exe)  PID 1468
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 14: \??\c:\lflfffx.exe  (command line: c:\lflfffx.exe)  PID 2796
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 15: \??\c:\bnnnhh.exe  (command line: c:\bnnnhh.exe)  PID 1492
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 16: \??\c:\vppjj.exe  (command line: c:\vppjj.exe)  PID 5044
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 17: \??\c:\rflfxrr.exe  (command line: c:\rflfxrr.exe)  PID 3168
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 18: \??\c:\hnnnnt.exe  (command line: c:\hnnnnt.exe)  PID 1260
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 19: \??\c:\rfxxxxx.exe  (command line: c:\rfxxxxx.exe)  PID 1512
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 20: \??\c:\hhhbtt.exe  (command line: c:\hhhbtt.exe)  PID 4360
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 21: \??\c:\jdpjd.exe  (command line: c:\jdpjd.exe)  PID 2164
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 22: \??\c:\vpvpj.exe  (command line: c:\vpvpj.exe)  PID 1904
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- depth 23: \??\c:\xfllrrr.exe  (command line: c:\xfllrrr.exe)  PID 3100
  - Executes dropped EXE
- depth 24: \??\c:\5nnhhh.exe  (command line: c:\5nnhhh.exe)  PID 5096
  - Executes dropped EXE
- depth 25: \??\c:\vpdvp.exe  (command line: c:\vpdvp.exe)  PID 2068
  - Executes dropped EXE
- depth 26: \??\c:\7rxrlrl.exe  (command line: c:\7rxrlrl.exe)  PID 2532
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- depth 27: \??\c:\nhnnhn.exe  (command line: c:\nhnnhn.exe)  PID 412
  - Executes dropped EXE
- depth 28: \??\c:\xlrllfx.exe  (command line: c:\xlrllfx.exe)  PID 4324
  - Executes dropped EXE
- depth 29: \??\c:\3rfxrlf.exe  (command line: c:\3rfxrlf.exe)  PID 1340
  - Executes dropped EXE
- depth 30: \??\c:\5bhbhh.exe  (command line: c:\5bhbhh.exe)  PID 4744
  - Executes dropped EXE
- depth 31: \??\c:\dvpjv.exe  (command line: c:\dvpjv.exe)  PID 3508
  - Executes dropped EXE
- depth 32: \??\c:\vjjdv.exe  (command line: c:\vjjdv.exe)  PID 2192
  - Executes dropped EXE
- depth 33: \??\c:\fxrxfrf.exe  (command line: c:\fxrxfrf.exe)  PID 4656
  - Executes dropped EXE
- depth 34: \??\c:\lxfxxrl.exe  (command line: c:\lxfxxrl.exe)  PID 2492
  - Executes dropped EXE
- depth 35: \??\c:\flxxfrr.exe  (command line: c:\flxxfrr.exe)  PID 4568
  - Executes dropped EXE
- depth 36: \??\c:\bnbttt.exe  (command line: c:\bnbttt.exe)  PID 620
  - Executes dropped EXE
- depth 37: \??\c:\ttbthh.exe  (command line: c:\ttbthh.exe)  PID 3984
  - Executes dropped EXE
- depth 38: \??\c:\fxlfrrx.exe  (command line: c:\fxlfrrx.exe)  PID 1724
  - Executes dropped EXE
- depth 39: \??\c:\hhhhbb.exe  (command line: c:\hhhhbb.exe)  PID 2412
  - Executes dropped EXE
- depth 40: \??\c:\lfrfrrr.exe  (command line: c:\lfrfrrr.exe)  PID 888
  - Executes dropped EXE
- depth 41: \??\c:\hbnnht.exe  (command line: c:\hbnnht.exe)  PID 4640
  - Executes dropped EXE
- depth 42: \??\c:\7bhntb.exe  (command line: c:\7bhntb.exe)  PID 2836
  - Executes dropped EXE
- depth 43: \??\c:\dvjdj.exe  (command line: c:\dvjdj.exe)  PID 1964
  - Executes dropped EXE
- depth 44: \??\c:\fxfrfxf.exe  (command line: c:\fxfrfxf.exe)  PID 2308
  - Executes dropped EXE
- depth 45: \??\c:\7hhnnn.exe  (command line: c:\7hhnnn.exe)  PID 3304
  - Executes dropped EXE
- depth 46: \??\c:\hnhbtt.exe  (command line: c:\hnhbtt.exe)  PID 736
  - Executes dropped EXE
- depth 47: \??\c:\vvvvp.exe  (command line: c:\vvvvp.exe)  PID 5084
  - Executes dropped EXE
- depth 48: \??\c:\lxlfxxr.exe  (command line: c:\lxlfxxr.exe)  PID 4400
  - Executes dropped EXE
- depth 49: \??\c:\ttbbtn.exe  (command line: c:\ttbbtn.exe)  PID 1252
  - Executes dropped EXE
- depth 50: \??\c:\jjppj.exe  (command line: c:\jjppj.exe)  PID 4028
  - Executes dropped EXE
- depth 51: \??\c:\rflllff.exe  (command line: c:\rflllff.exe)  PID 3672
  - Executes dropped EXE
- depth 52: \??\c:\lrxrlfr.exe  (command line: c:\lrxrlfr.exe)  PID 1872
  - Executes dropped EXE
- depth 53: \??\c:\bttnhb.exe  (command line: c:\bttnhb.exe)  PID 32
  - Executes dropped EXE
- depth 54: \??\c:\jppjd.exe  (command line: c:\jppjd.exe)  PID 4392
  - Executes dropped EXE
- depth 55: \??\c:\rflllll.exe  (command line: c:\rflllll.exe)  PID 4764
  - Executes dropped EXE
- depth 56: \??\c:\btbbtb.exe  (command line: c:\btbbtb.exe)  PID 4848
  - Executes dropped EXE
- depth 57: \??\c:\pjjdv.exe  (command line: c:\pjjdv.exe)  PID 4936
  - Executes dropped EXE
- depth 58: \??\c:\vdpjd.exe  (command line: c:\vdpjd.exe)  PID 3768
  - Executes dropped EXE
- depth 59: \??\c:\lfrlfxr.exe  (command line: c:\lfrlfxr.exe)  PID 4728
  - Executes dropped EXE
- depth 60: \??\c:\bthbtt.exe  (command line: c:\bthbtt.exe)  PID 4480
  - Executes dropped EXE
- depth 61: \??\c:\pdjjv.exe  (command line: c:\pdjjv.exe)  PID 3408
  - Executes dropped EXE
- depth 62: \??\c:\llrxflr.exe  (command line: c:\llrxflr.exe)  PID 3032
  - Executes dropped EXE
- depth 63: \??\c:\thbttb.exe  (command line: c:\thbttb.exe)  PID 3852
  - Executes dropped EXE
- depth 64: \??\c:\9hnhhh.exe  (command line: c:\9hnhhh.exe)  PID 3268
  - Executes dropped EXE
- depth 65: \??\c:\pjpvp.exe  (command line: c:\pjpvp.exe)  PID 2060
  - Executes dropped EXE
- depth 66: \??\c:\llxxxrf.exe  (command line: c:\llxxxrf.exe)  PID 3644
- depth 67: \??\c:\frfxxxr.exe  (command line: c:\frfxxxr.exe)  PID 1740
- depth 68: \??\c:\nbnnnn.exe  (command line: c:\nbnnnn.exe)  PID 1976
- depth 69: \??\c:\jppjd.exe  (command line: c:\jppjd.exe)  PID 1612
- depth 70: \??\c:\dvddv.exe  (command line: c:\dvddv.exe)  PID 4768
- depth 71: \??\c:\frfflfl.exe  (command line: c:\frfflfl.exe)  PID 1940
- depth 72: \??\c:\nhnhhh.exe  (command line: c:\nhnhhh.exe)  PID 2928
- depth 73: \??\c:\ppvpp.exe  (command line: c:\ppvpp.exe)  PID 3752
- depth 74: \??\c:\pjpjj.exe  (command line: c:\pjpjj.exe)  PID 3908
- depth 75: \??\c:\5rxrrrx.exe  (command line: c:\5rxrrrx.exe)  PID 1728
- depth 76: \??\c:\tntnhb.exe  (command line: c:\tntnhb.exe)  PID 2960
- depth 77: \??\c:\httnbb.exe  (command line: c:\httnbb.exe)  PID 4912
- depth 78: \??\c:\pdvvd.exe  (command line: c:\pdvvd.exe)  PID 3456
- depth 79: \??\c:\fflfxxx.exe  (command line: c:\fflfxxx.exe)  PID 2280
- depth 80: \??\c:\nhhbnb.exe  (command line: c:\nhhbnb.exe)  PID 1992
- depth 81: \??\c:\vpddd.exe  (command line: c:\vpddd.exe)  PID 3996
- depth 82: \??\c:\9fffxxr.exe  (command line: c:\9fffxxr.exe)  PID 2464
- depth 83: \??\c:\xlxxxxx.exe  (command line: c:\xlxxxxx.exe)  PID 1904
- depth 84: \??\c:\nhtnnn.exe  (command line: c:\nhtnnn.exe)  PID 1968
- depth 85: \??\c:\pjvpv.exe  (command line: c:\pjvpv.exe)  PID 3464
- depth 86: \??\c:\rlffxff.exe  (command line: c:\rlffxff.exe)  PID 3744
- depth 87: \??\c:\xflfxxr.exe  (command line: c:\xflfxxr.exe)  PID 5016
- depth 88: \??\c:\tttnht.exe  (command line: c:\tttnht.exe)  PID 1464
- depth 89: \??\c:\dvvpj.exe  (command line: c:\dvvpj.exe)  PID 4296
- depth 90: \??\c:\lffxrlf.exe  (command line: c:\lffxrlf.exe)  PID 5112
- depth 91: \??\c:\hnttnn.exe  (command line: c:\hnttnn.exe)  PID 2532
- depth 92: \??\c:\jvjvd.exe  (command line: c:\jvjvd.exe)  PID 2948
- depth 93: \??\c:\vjddj.exe  (command line: c:\vjddj.exe)  PID 1340
- depth 94: \??\c:\fffxxxx.exe  (command line: c:\fffxxxx.exe)  PID 2196
- depth 95: \??\c:\hbhbbb.exe  (command line: c:\hbhbbb.exe)  PID 232
- depth 96: \??\c:\vvppj.exe  (command line: c:\vvppj.exe)  PID 4300
- depth 97: \??\c:\djvpj.exe  (command line: c:\djvpj.exe)  PID 3592
- depth 98: \??\c:\rflrrll.exe  (command line: c:\rflrrll.exe)  PID 2460
- depth 99: \??\c:\tnbtnn.exe  (command line: c:\tnbtnn.exe)  PID 1200
- depth 100: \??\c:\djvvd.exe  (command line: c:\djvvd.exe)  PID 448
- depth 101: \??\c:\fflxlfx.exe  (command line: c:\fflxlfx.exe)  PID 4304
- depth 102: \??\c:\nhbbbh.exe  (command line: c:\nhbbbh.exe)  PID 1912
- depth 103: \??\c:\vpjdv.exe  (command line: c:\vpjdv.exe)  PID 4564
- depth 104: \??\c:\pjjdv.exe  (command line: c:\pjjdv.exe)  PID 4144
- depth 105: \??\c:\9rrrrxf.exe  (command line: c:\9rrrrxf.exe)  PID 1760
- depth 106: \??\c:\bnhhbt.exe  (command line: c:\bnhhbt.exe)  PID 4720
- depth 107: \??\c:\jddvj.exe  (command line: c:\jddvj.exe)  PID 888
- depth 108: \??\c:\lfrxfff.exe  (command line: c:\lfrxfff.exe)  PID 2712
- depth 109: \??\c:\thtnbb.exe  (command line: c:\thtnbb.exe)  PID 3412
- depth 110: \??\c:\1ddvp.exe  (command line: c:\1ddvp.exe)  PID 1860
- depth 111: \??\c:\lllflfx.exe  (command line: c:\lllflfx.exe)  PID 1876
- depth 112: \??\c:\nbnhbt.exe  (command line: c:\nbnhbt.exe)  PID 2556
- depth 113: \??\c:\jdvjv.exe  (command line: c:\jdvjv.exe)  PID 1892
- depth 114: \??\c:\pdpjd.exe  (command line: c:\pdpjd.exe)  PID 988
- depth 115: \??\c:\5xfffll.exe  (command line: c:\5xfffll.exe)  PID 2596
- depth 116: \??\c:\btbttt.exe  (command line: c:\btbttt.exe)  PID 1896
- depth 117: \??\c:\nnhhtb.exe  (command line: c:\nnhhtb.exe)  PID 5060
- depth 118: \??\c:\pjdvp.exe  (command line: c:\pjdvp.exe)  PID 3564
- depth 119: \??\c:\fxxrlfr.exe  (command line: c:\fxxrlfr.exe)  PID 3760
- depth 120: \??\c:\fxxxxxx.exe  (command line: c:\fxxxxxx.exe)  PID 1744
- depth 121: \??\c:\tbnhbh.exe  (command line: c:\tbnhbh.exe)  PID 2560
- depth 122: \??\c:\dpjpp.exe  (command line: c:\dpjpp.exe)  PID 2564