Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
11/01/2025, 06:48 UTC
Static task
static1
Behavioral task
behavioral1
Sample
cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe
Resource
win7-20240708-en
General
-
Target
cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe
-
Size
456KB
-
MD5
75ecf0f1e5b5e84fd0676e4a3ce49ae7
-
SHA1
adca04000e1f81a2cf9c2f3151749e272716ead3
-
SHA256
cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c
-
SHA512
16b1931a0aa94d411c637cd95b911b5ccb9c36269181fdfec325fec439a9590d97013d913dd33d3a443d0fc34ca8ecd8b0d95a19368ec05df376912bffe6302d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/880-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3028-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1972-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-844-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-959-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-978-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-1054-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-1064-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-1080-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-1342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2216-1817-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4412 bnntnn.exe 2948 xllfrrr.exe 3316 vppjd.exe 548 llllfff.exe 1980 pdjjj.exe 4536 9fffxxx.exe 3988 ddddv.exe 456 frrlfxr.exe 4644 lfllrll.exe 4908 9tnhbb.exe 4092 xlxxrrl.exe 4232 jdjjd.exe 3692 jddvp.exe 1524 5lxrxxf.exe 2012 hhhhbb.exe 1664 jjpjd.exe 5116 lfxrlfx.exe 3584 5ntnnn.exe 3092 tnnhbt.exe 632 hnnnhb.exe 4300 dpdvp.exe 4816 lfrrllf.exe 628 pjddd.exe 4948 rfffxrx.exe 5044 bhnhhh.exe 2736 3rrlllf.exe 1876 pjjpj.exe 4784 lfllrrx.exe 3028 pddvp.exe 3172 lfllxff.exe 844 nbbntt.exe 3596 frxlflf.exe 4788 xrfxfff.exe 3064 hbnnnh.exe 1660 djpdv.exe 4212 5ppjv.exe 1444 rllxfxf.exe 1072 thnnbb.exe 928 bthhbt.exe 924 7vvpd.exe 1512 xlxxxrr.exe 2596 nnbthb.exe 3968 tthttb.exe 3104 ppvpd.exe 1736 1dvpj.exe 5052 3rxrrlr.exe 1884 hnnbtt.exe 2320 hbbtnn.exe 2288 djjpj.exe 1620 rlrlfxr.exe 3552 tnnhtn.exe 4200 5djvj.exe 4860 lxfrlff.exe 4676 hbbbtt.exe 2572 nbhbtt.exe 2468 fffxrrl.exe 4708 9lrlflf.exe 4968 9hnbth.exe 3720 jvdvp.exe 3988 5fxxrrf.exe 1492 thhtnh.exe 868 thhbtn.exe 2472 vdpdv.exe 3120 xrxflll.exe -
resource yara_rule behavioral2/memory/880-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4784-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-338-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3508-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-959-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-978-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-1054-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-1064-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 880 wrote to memory of 4412 880 cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe 82 PID 880 wrote to memory of 4412 880 cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe 82 PID 880 wrote to memory of 4412 880 cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe 82 PID 4412 wrote to memory of 2948 4412 bnntnn.exe 83 PID 4412 wrote to memory of 2948 4412 bnntnn.exe 83 PID 4412 wrote to memory of 2948 4412 bnntnn.exe 83 PID 2948 wrote to memory of 3316 2948 xllfrrr.exe 84 PID 2948 wrote to memory of 3316 2948 xllfrrr.exe 84 PID 2948 wrote to memory of 3316 2948 xllfrrr.exe 84 PID 3316 wrote to memory of 548 3316 vppjd.exe 85 PID 3316 wrote to memory of 548 3316 vppjd.exe 85 PID 3316 wrote to memory of 548 3316 vppjd.exe 85 PID 548 wrote to memory of 1980 548 llllfff.exe 86 PID 548 wrote to memory of 1980 548 llllfff.exe 86 PID 548 wrote to memory of 1980 548 llllfff.exe 86 PID 1980 wrote to memory of 4536 1980 pdjjj.exe 87 PID 1980 wrote to memory of 4536 1980 pdjjj.exe 87 PID 1980 wrote to memory of 4536 1980 pdjjj.exe 87 PID 4536 wrote to memory of 3988 4536 9fffxxx.exe 88 PID 4536 wrote to memory of 3988 4536 9fffxxx.exe 88 PID 4536 wrote to memory of 3988 4536 9fffxxx.exe 88 PID 3988 wrote to memory of 456 3988 ddddv.exe 89 PID 3988 wrote to memory of 456 3988 ddddv.exe 89 PID 3988 wrote to memory of 456 3988 ddddv.exe 89 PID 456 wrote to memory of 4644 456 frrlfxr.exe 90 PID 456 wrote to memory of 4644 456 frrlfxr.exe 90 PID 456 wrote to memory of 4644 456 frrlfxr.exe 90 PID 4644 wrote to memory of 4908 4644 lfllrll.exe 91 PID 4644 wrote to memory of 4908 4644 lfllrll.exe 91 PID 4644 wrote to memory of 4908 4644 lfllrll.exe 91 PID 4908 wrote to memory of 4092 4908 9tnhbb.exe 92 PID 4908 wrote to memory of 4092 4908 9tnhbb.exe 92 PID 4908 wrote to memory of 4092 4908 9tnhbb.exe 92 PID 4092 wrote to memory of 4232 4092 xlxxrrl.exe 93 PID 4092 wrote to memory of 4232 
4092 xlxxrrl.exe 93 PID 4092 wrote to memory of 4232 4092 xlxxrrl.exe 93 PID 4232 wrote to memory of 3692 4232 jdjjd.exe 94 PID 4232 wrote to memory of 3692 4232 jdjjd.exe 94 PID 4232 wrote to memory of 3692 4232 jdjjd.exe 94 PID 3692 wrote to memory of 1524 3692 jddvp.exe 95 PID 3692 wrote to memory of 1524 3692 jddvp.exe 95 PID 3692 wrote to memory of 1524 3692 jddvp.exe 95 PID 1524 wrote to memory of 2012 1524 5lxrxxf.exe 96 PID 1524 wrote to memory of 2012 1524 5lxrxxf.exe 96 PID 1524 wrote to memory of 2012 1524 5lxrxxf.exe 96 PID 2012 wrote to memory of 1664 2012 hhhhbb.exe 97 PID 2012 wrote to memory of 1664 2012 hhhhbb.exe 97 PID 2012 wrote to memory of 1664 2012 hhhhbb.exe 97 PID 1664 wrote to memory of 5116 1664 jjpjd.exe 98 PID 1664 wrote to memory of 5116 1664 jjpjd.exe 98 PID 1664 wrote to memory of 5116 1664 jjpjd.exe 98 PID 5116 wrote to memory of 3584 5116 lfxrlfx.exe 99 PID 5116 wrote to memory of 3584 5116 lfxrlfx.exe 99 PID 5116 wrote to memory of 3584 5116 lfxrlfx.exe 99 PID 3584 wrote to memory of 3092 3584 5ntnnn.exe 100 PID 3584 wrote to memory of 3092 3584 5ntnnn.exe 100 PID 3584 wrote to memory of 3092 3584 5ntnnn.exe 100 PID 3092 wrote to memory of 632 3092 tnnhbt.exe 101 PID 3092 wrote to memory of 632 3092 tnnhbt.exe 101 PID 3092 wrote to memory of 632 3092 tnnhbt.exe 101 PID 632 wrote to memory of 4300 632 hnnnhb.exe 102 PID 632 wrote to memory of 4300 632 hnnnhb.exe 102 PID 632 wrote to memory of 4300 632 hnnnhb.exe 102 PID 4300 wrote to memory of 4816 4300 dpdvp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe"C:\Users\Admin\AppData\Local\Temp\cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\bnntnn.exec:\bnntnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\xllfrrr.exec:\xllfrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\vppjd.exec:\vppjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\llllfff.exec:\llllfff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\pdjjj.exec:\pdjjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\9fffxxx.exec:\9fffxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\ddddv.exec:\ddddv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\frrlfxr.exec:\frrlfxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\lfllrll.exec:\lfllrll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\9tnhbb.exec:\9tnhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\xlxxrrl.exec:\xlxxrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\jdjjd.exec:\jdjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\jddvp.exec:\jddvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\5lxrxxf.exec:\5lxrxxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\hhhhbb.exec:\hhhhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\jjpjd.exec:\jjpjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\5ntnnn.exec:\5ntnnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\tnnhbt.exec:\tnnhbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\hnnnhb.exec:\hnnnhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\dpdvp.exec:\dpdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\lfrrllf.exec:\lfrrllf.exe23⤵
- Executes dropped EXE
PID:4816 -
\??\c:\pjddd.exec:\pjddd.exe24⤵
- Executes dropped EXE
PID:628 -
\??\c:\rfffxrx.exec:\rfffxrx.exe25⤵
- Executes dropped EXE
PID:4948 -
\??\c:\bhnhhh.exec:\bhnhhh.exe26⤵
- Executes dropped EXE
PID:5044 -
\??\c:\3rrlllf.exec:\3rrlllf.exe27⤵
- Executes dropped EXE
PID:2736 -
\??\c:\pjjpj.exec:\pjjpj.exe28⤵
- Executes dropped EXE
PID:1876 -
\??\c:\lfllrrx.exec:\lfllrrx.exe29⤵
- Executes dropped EXE
PID:4784 -
\??\c:\pddvp.exec:\pddvp.exe30⤵
- Executes dropped EXE
PID:3028 -
\??\c:\lfllxff.exec:\lfllxff.exe31⤵
- Executes dropped EXE
PID:3172 -
\??\c:\nbbntt.exec:\nbbntt.exe32⤵
- Executes dropped EXE
PID:844 -
\??\c:\frxlflf.exec:\frxlflf.exe33⤵
- Executes dropped EXE
PID:3596 -
\??\c:\xrfxfff.exec:\xrfxfff.exe34⤵
- Executes dropped EXE
PID:4788 -
\??\c:\hbnnnh.exec:\hbnnnh.exe35⤵
- Executes dropped EXE
PID:3064 -
\??\c:\djpdv.exec:\djpdv.exe36⤵
- Executes dropped EXE
PID:1660 -
\??\c:\5ppjv.exec:\5ppjv.exe37⤵
- Executes dropped EXE
PID:4212 -
\??\c:\rllxfxf.exec:\rllxfxf.exe38⤵
- Executes dropped EXE
PID:1444 -
\??\c:\thnnbb.exec:\thnnbb.exe39⤵
- Executes dropped EXE
PID:1072 -
\??\c:\bthhbt.exec:\bthhbt.exe40⤵
- Executes dropped EXE
PID:928 -
\??\c:\7vvpd.exec:\7vvpd.exe41⤵
- Executes dropped EXE
PID:924 -
\??\c:\xlxxxrr.exec:\xlxxxrr.exe42⤵
- Executes dropped EXE
PID:1512 -
\??\c:\nnbthb.exec:\nnbthb.exe43⤵
- Executes dropped EXE
PID:2596 -
\??\c:\tthttb.exec:\tthttb.exe44⤵
- Executes dropped EXE
PID:3968 -
\??\c:\ppvpd.exec:\ppvpd.exe45⤵
- Executes dropped EXE
PID:3104 -
\??\c:\1dvpj.exec:\1dvpj.exe46⤵
- Executes dropped EXE
PID:1736 -
\??\c:\3rxrrlr.exec:\3rxrrlr.exe47⤵
- Executes dropped EXE
PID:5052 -
\??\c:\hnnbtt.exec:\hnnbtt.exe48⤵
- Executes dropped EXE
PID:1884 -
\??\c:\hbbtnn.exec:\hbbtnn.exe49⤵
- Executes dropped EXE
PID:2320 -
\??\c:\djjpj.exec:\djjpj.exe50⤵
- Executes dropped EXE
PID:2288 -
\??\c:\fxxxxrl.exec:\fxxxxrl.exe51⤵PID:4432
-
\??\c:\rlrlfxr.exec:\rlrlfxr.exe52⤵
- Executes dropped EXE
PID:1620 -
\??\c:\tnnhtn.exec:\tnnhtn.exe53⤵
- Executes dropped EXE
PID:3552 -
\??\c:\5djvj.exec:\5djvj.exe54⤵
- Executes dropped EXE
PID:4200 -
\??\c:\lxfrlff.exec:\lxfrlff.exe55⤵
- Executes dropped EXE
PID:4860 -
\??\c:\hbbbtt.exec:\hbbbtt.exe56⤵
- Executes dropped EXE
PID:4676 -
\??\c:\nbhbtt.exec:\nbhbtt.exe57⤵
- Executes dropped EXE
PID:2572 -
\??\c:\fffxrrl.exec:\fffxrrl.exe58⤵
- Executes dropped EXE
PID:2468 -
\??\c:\9lrlflf.exec:\9lrlflf.exe59⤵
- Executes dropped EXE
PID:4708 -
\??\c:\9hnbth.exec:\9hnbth.exe60⤵
- Executes dropped EXE
PID:4968 -
\??\c:\jvdvp.exec:\jvdvp.exe61⤵
- Executes dropped EXE
PID:3720 -
\??\c:\5fxxrrf.exec:\5fxxrrf.exe62⤵
- Executes dropped EXE
PID:3988 -
\??\c:\thhtnh.exec:\thhtnh.exe63⤵
- Executes dropped EXE
PID:1492 -
\??\c:\thhbtn.exec:\thhbtn.exe64⤵
- Executes dropped EXE
PID:868 -
\??\c:\vdpdv.exec:\vdpdv.exe65⤵
- Executes dropped EXE
PID:2472 -
\??\c:\xrxflll.exec:\xrxflll.exe66⤵
- Executes dropped EXE
PID:3120 -
\??\c:\nhnbtb.exec:\nhnbtb.exe67⤵PID:2388
-
\??\c:\9vvpj.exec:\9vvpj.exe68⤵PID:4908
-
\??\c:\pdpvd.exec:\pdpvd.exe69⤵PID:2520
-
\??\c:\fllffxx.exec:\fllffxx.exe70⤵PID:3544
-
\??\c:\bbnbtt.exec:\bbnbtt.exe71⤵PID:2008
-
\??\c:\pvvpd.exec:\pvvpd.exe72⤵PID:1148
-
\??\c:\3dvvp.exec:\3dvvp.exe73⤵PID:1464
-
\??\c:\xfffxxr.exec:\xfffxxr.exe74⤵PID:1972
-
\??\c:\7hhbbb.exec:\7hhbbb.exe75⤵PID:3748
-
\??\c:\jjjjp.exec:\jjjjp.exe76⤵PID:612
-
\??\c:\9vvpp.exec:\9vvpp.exe77⤵PID:3408
-
\??\c:\lxffxxx.exec:\lxffxxx.exe78⤵PID:4876
-
\??\c:\5ttnnn.exec:\5ttnnn.exe79⤵PID:4580
-
\??\c:\9ppjv.exec:\9ppjv.exe80⤵PID:812
-
\??\c:\jjvpj.exec:\jjvpj.exe81⤵PID:1276
-
\??\c:\lffxrlf.exec:\lffxrlf.exe82⤵PID:3508
-
\??\c:\hthbtt.exec:\hthbtt.exe83⤵PID:3528
-
\??\c:\vjjdd.exec:\vjjdd.exe84⤵PID:628
-
\??\c:\5lxrlll.exec:\5lxrlll.exe85⤵PID:840
-
\??\c:\rlffxxx.exec:\rlffxxx.exe86⤵PID:3628
-
\??\c:\ntbtnh.exec:\ntbtnh.exe87⤵PID:4596
-
\??\c:\vjpjj.exec:\vjpjj.exe88⤵PID:4576
-
\??\c:\lxxxrrr.exec:\lxxxrrr.exe89⤵PID:1336
-
\??\c:\rrxrlff.exec:\rrxrlff.exe90⤵PID:3928
-
\??\c:\5nhhbh.exec:\5nhhbh.exe91⤵PID:4752
-
\??\c:\7ddvp.exec:\7ddvp.exe92⤵PID:4376
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe93⤵PID:3028
-
\??\c:\tntnhb.exec:\tntnhb.exe94⤵PID:2964
-
\??\c:\3hnhhn.exec:\3hnhhn.exe95⤵PID:2460
-
\??\c:\3jpdp.exec:\3jpdp.exe96⤵PID:2804
-
\??\c:\ffxrfxx.exec:\ffxrfxx.exe97⤵PID:428
-
\??\c:\tbbnhb.exec:\tbbnhb.exe98⤵PID:4804
-
\??\c:\vdpdv.exec:\vdpdv.exe99⤵PID:3276
-
\??\c:\lflfxrl.exec:\lflfxrl.exe100⤵PID:1680
-
\??\c:\bbhbhh.exec:\bbhbhh.exe101⤵PID:2396
-
\??\c:\pppjd.exec:\pppjd.exe102⤵PID:4824
-
\??\c:\lffxlfr.exec:\lffxlfr.exe103⤵PID:3776
-
\??\c:\xfxlfxx.exec:\xfxlfxx.exe104⤵PID:2784
-
\??\c:\nbtnhh.exec:\nbtnhh.exe105⤵PID:816
-
\??\c:\9jpjd.exec:\9jpjd.exe106⤵PID:924
-
\??\c:\1rrlxxr.exec:\1rrlxxr.exe107⤵PID:1512
-
\??\c:\1nbnth.exec:\1nbnth.exe108⤵PID:3512
-
\??\c:\7hnbhh.exec:\7hnbhh.exe109⤵PID:2664
-
\??\c:\vpjdv.exec:\vpjdv.exe110⤵PID:4044
-
\??\c:\xxrlffx.exec:\xxrlffx.exe111⤵PID:1224
-
\??\c:\dppdp.exec:\dppdp.exe112⤵PID:1552
-
\??\c:\vpjvp.exec:\vpjvp.exe113⤵PID:2972
-
\??\c:\5rrlxrl.exec:\5rrlxrl.exe114⤵PID:4436
-
\??\c:\7hnbtn.exec:\7hnbtn.exe115⤵PID:2288
-
\??\c:\jvpjv.exec:\jvpjv.exe116⤵PID:880
-
\??\c:\rllffff.exec:\rllffff.exe117⤵PID:920
-
\??\c:\xflffxx.exec:\xflffxx.exe118⤵PID:4416
-
\??\c:\9bthbb.exec:\9bthbb.exe119⤵PID:464
-
\??\c:\vjvpd.exec:\vjvpd.exe120⤵PID:4684
-
\??\c:\fflfrlf.exec:\fflfrlf.exe121⤵PID:4664
-
\??\c:\lffxrrl.exec:\lffxrrl.exe122⤵PID:2824