Analysis
max time kernel: 150s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 26/12/2024, 09:43
Behavioral task
behavioral1
Sample: 982f59d2ec8e12a11c573bb9d5818548dbf22762a78e400238943bd30489a9bc.exe
Resource: win7-20240729-en
7 signatures
150 seconds
General
Target: 982f59d2ec8e12a11c573bb9d5818548dbf22762a78e400238943bd30489a9bc.exe
Size: 344KB
MD5: 620c97e244bcfb3d324dfa549280b4c8
SHA1: 5ce5411c88c5099db7985828a284038d3f76528b
SHA256: 982f59d2ec8e12a11c573bb9d5818548dbf22762a78e400238943bd30489a9bc
SHA512: 2fa57f9f95e77bfc1658d7ac946cc7389c1eb8729e1ece6b22d64e90b7cc4c6e09bf000f719ac743e95ae193692db918ef331d8b64fdd975c8c6bdcd168aa889
SSDEEP: 6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYA2:R4wFHoS3WXZshJX2VGd2
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 64 IoCs
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\982f59d2ec8e12a11c573bb9d5818548dbf22762a78e400238943bd30489a9bc.exe "C:\Users\Admin\AppData\Local\Temp\982f59d2ec8e12a11c573bb9d5818548dbf22762a78e400238943bd30489a9bc.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:4192
\??\c:\rllfffx.exe c:\rllfffx.exe 2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664
\??\c:\bntttn.exe c:\bntttn.exe 3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748
\??\c:\pjddj.exe c:\pjddj.exe 4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268
\??\c:\3pvdd.exe c:\3pvdd.exe 5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060
\??\c:\hbnhth.exe c:\hbnhth.exe 6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172
\??\c:\flrrrxf.exe c:\flrrrxf.exe 7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672
\??\c:\pjpdd.exe c:\pjpdd.exe 8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456
\??\c:\tbnnnt.exe c:\tbnnnt.exe 9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240
\??\c:\jdpdd.exe c:\jdpdd.exe 10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644
\??\c:\rxlrrrx.exe c:\rxlrrrx.exe 11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960
\??\c:\ddvpp.exe c:\ddvpp.exe 12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296
\??\c:\llxrffr.exe c:\llxrffr.exe 13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916
\??\c:\nhnnhh.exe c:\nhnnhh.exe 14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804
\??\c:\rrfffll.exe c:\rrfffll.exe 15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180
\??\c:\tbnhhh.exe c:\tbnhhh.exe 16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792
\??\c:\pjpjj.exe c:\pjpjj.exe 17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480
\??\c:\9xllflr.exe c:\9xllflr.exe 18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952
\??\c:\pjvvd.exe c:\pjvvd.exe 19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372
\??\c:\rlllfrf.exe c:\rlllfrf.exe 20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632
\??\c:\nnnttb.exe c:\nnnttb.exe 21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520
\??\c:\dvdvv.exe c:\dvdvv.exe 22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140
\??\c:\rrrrxff.exe c:\rrrrxff.exe 23⤵
- Executes dropped EXE
PID:2116
\??\c:\xrxxfll.exe c:\xrxxfll.exe 24⤵
- Executes dropped EXE
PID:4828
\??\c:\nnnhhh.exe c:\nnnhhh.exe 25⤵
- Executes dropped EXE
PID:2972
\??\c:\jdjjj.exe c:\jdjjj.exe 26⤵
- Executes dropped EXE
PID:5000
\??\c:\xffxrlx.exe c:\xffxrlx.exe 27⤵
- Executes dropped EXE
PID:624
\??\c:\tbtbht.exe c:\tbtbht.exe 28⤵
- Executes dropped EXE
PID:1372
\??\c:\tttthh.exe c:\tttthh.exe 29⤵
- Executes dropped EXE
PID:1500
\??\c:\ffllfll.exe c:\ffllfll.exe 30⤵
- Executes dropped EXE
PID:4848
\??\c:\pvppj.exe c:\pvppj.exe 31⤵
- Executes dropped EXE
PID:5068
\??\c:\xxrrrll.exe c:\xxrrrll.exe 32⤵
- Executes dropped EXE
PID:3824
\??\c:\btbbbb.exe c:\btbbbb.exe 33⤵
- Executes dropped EXE
PID:1752
\??\c:\pvjpj.exe c:\pvjpj.exe 34⤵
- Executes dropped EXE
PID:3644
\??\c:\lflfrrf.exe c:\lflfrrf.exe 35⤵
- Executes dropped EXE
PID:3468
\??\c:\nntbbb.exe c:\nntbbb.exe 36⤵
- Executes dropped EXE
PID:4224
\??\c:\jjvvd.exe c:\jjvvd.exe 37⤵
- Executes dropped EXE
PID:396
\??\c:\dvdjj.exe c:\dvdjj.exe 38⤵
- Executes dropped EXE
PID:4348
\??\c:\xxxfrrl.exe c:\xxxfrrl.exe 39⤵
- Executes dropped EXE
PID:4940
\??\c:\3nnnnn.exe c:\3nnnnn.exe 40⤵
- Executes dropped EXE
PID:5004
\??\c:\jpjjj.exe c:\jpjjj.exe 41⤵
- Executes dropped EXE
PID:1092
\??\c:\rxrrffr.exe c:\rxrrffr.exe 42⤵
- Executes dropped EXE
PID:4564
\??\c:\llrrrxx.exe c:\llrrrxx.exe 43⤵
- Executes dropped EXE
PID:3136
\??\c:\nntbbn.exe c:\nntbbn.exe 44⤵
- Executes dropped EXE
PID:4684
\??\c:\dpddv.exe c:\dpddv.exe 45⤵
- Executes dropped EXE
PID:956
\??\c:\jpjjj.exe c:\jpjjj.exe 46⤵
- Executes dropped EXE
PID:1708
\??\c:\fxlfffl.exe c:\fxlfffl.exe 47⤵
- Executes dropped EXE
PID:2604
\??\c:\nbhhhb.exe c:\nbhhhb.exe 48⤵
- Executes dropped EXE
PID:2284
\??\c:\thbhtn.exe c:\thbhtn.exe 49⤵
- Executes dropped EXE
PID:3748
\??\c:\vpvvp.exe c:\vpvvp.exe 50⤵
- Executes dropped EXE
PID:2160
\??\c:\lxxrrxx.exe c:\lxxrrxx.exe 51⤵
- Executes dropped EXE
PID:3360
\??\c:\hhhhhn.exe c:\hhhhhn.exe 52⤵
- Executes dropped EXE
PID:3872
\??\c:\ttbtnt.exe c:\ttbtnt.exe 53⤵
- Executes dropped EXE
PID:5092
\??\c:\pdpjd.exe c:\pdpjd.exe 54⤵
- Executes dropped EXE
PID:3688
\??\c:\ffxfxff.exe c:\ffxfxff.exe 55⤵
- Executes dropped EXE
PID:216
\??\c:\xxfllrr.exe c:\xxfllrr.exe 56⤵
- Executes dropped EXE
PID:2460
\??\c:\tnbhhb.exe c:\tnbhhb.exe 57⤵
- Executes dropped EXE
PID:4236
\??\c:\pjvvp.exe c:\pjvvp.exe 58⤵
- Executes dropped EXE
PID:2300
\??\c:\rfxrllr.exe c:\rfxrllr.exe 59⤵
- Executes dropped EXE
PID:1828
\??\c:\rlfffff.exe c:\rlfffff.exe 60⤵
- Executes dropped EXE
PID:912
\??\c:\nhbhhh.exe c:\nhbhhh.exe 61⤵
- Executes dropped EXE
PID:1172
\??\c:\hhhhnn.exe c:\hhhhnn.exe 62⤵
- Executes dropped EXE
PID:2844
\??\c:\jpjjp.exe c:\jpjjp.exe 63⤵
- Executes dropped EXE
PID:1872
\??\c:\rrfxxxx.exe c:\rrfxxxx.exe 64⤵
- Executes dropped EXE
PID:532
\??\c:\llrffff.exe c:\llrffff.exe 65⤵
- Executes dropped EXE
PID:3480
\??\c:\nhtttb.exe c:\nhtttb.exe 66⤵
PID:1004
\??\c:\5vjjv.exe c:\5vjjv.exe 67⤵
PID:1396
\??\c:\jdppp.exe c:\jdppp.exe 68⤵
PID:3364
\??\c:\lrxlrrf.exe c:\lrxlrrf.exe 69⤵
PID:3960
\??\c:\lllxxxx.exe c:\lllxxxx.exe 70⤵
PID:4568
\??\c:\bnhhbh.exe c:\bnhhbh.exe 71⤵
PID:3076
\??\c:\ppddj.exe c:\ppddj.exe 72⤵
PID:2056
\??\c:\rlrrllr.exe c:\rlrrllr.exe 73⤵
PID:2804
\??\c:\lflfffx.exe c:\lflfffx.exe 74⤵
PID:3032
\??\c:\tthnhb.exe c:\tthnhb.exe 75⤵
PID:436
\??\c:\vjjjd.exe c:\vjjjd.exe 76⤵
PID:4180
\??\c:\jddjp.exe c:\jddjp.exe 77⤵
PID:3884
\??\c:\xrllfff.exe c:\xrllfff.exe 78⤵
PID:2060
\??\c:\ttttnn.exe c:\ttttnn.exe 79⤵
PID:2212
\??\c:\tbbttt.exe c:\tbbttt.exe 80⤵
PID:4168
\??\c:\dpjjj.exe c:\dpjjj.exe 81⤵
PID:2828
\??\c:\rfrrlrx.exe c:\rfrrlrx.exe 82⤵
PID:372
\??\c:\hhhhhh.exe c:\hhhhhh.exe 83⤵
PID:2024
\??\c:\pdppp.exe c:\pdppp.exe 84⤵
PID:3236
\??\c:\jvpjd.exe c:\jvpjd.exe 85⤵
PID:4060
\??\c:\llxrlxx.exe c:\llxrlxx.exe 86⤵
PID:4140
\??\c:\tnbttb.exe c:\tnbttb.exe 87⤵
PID:2608
\??\c:\bhtnhh.exe c:\bhtnhh.exe 88⤵
PID:3576
\??\c:\jjvdv.exe c:\jjvdv.exe 89⤵
PID:3984
\??\c:\lfrxxff.exe c:\lfrxxff.exe 90⤵
PID:320
\??\c:\nnbnhb.exe c:\nnbnhb.exe 91⤵
PID:1300
\??\c:\bbhtnh.exe c:\bbhtnh.exe 92⤵
PID:4692
\??\c:\pjvvp.exe c:\pjvvp.exe 93⤵
PID:4844
\??\c:\lfffxff.exe c:\lfffxff.exe 94⤵
PID:2568
\??\c:\tnhhtt.exe c:\tnhhtt.exe 95⤵
PID:4476
\??\c:\bbbtnt.exe c:\bbbtnt.exe 96⤵
PID:1500
\??\c:\jjdjp.exe c:\jjdjp.exe 97⤵
PID:4848
\??\c:\flxflxf.exe c:\flxflxf.exe 98⤵
PID:2512
\??\c:\xrffxff.exe c:\xrffxff.exe 99⤵
PID:4492
\??\c:\3nttnt.exe c:\3nttnt.exe 100⤵
PID:2468
\??\c:\jdvvp.exe c:\jdvvp.exe 101⤵
PID:3636
\??\c:\pdvvp.exe c:\pdvvp.exe 102⤵
PID:3516
\??\c:\xfrllrr.exe c:\xfrllrr.exe 103⤵
PID:3728
\??\c:\llxllrr.exe c:\llxllrr.exe 104⤵
PID:4980
\??\c:\nhtbhn.exe c:\nhtbhn.exe 105⤵
PID:3224
\??\c:\ddpvv.exe c:\ddpvv.exe 106⤵
PID:5108
\??\c:\vvpjd.exe c:\vvpjd.exe 107⤵
PID:3448
\??\c:\1frrxxl.exe c:\1frrxxl.exe 108⤵
PID:1924
\??\c:\ttnhbb.exe c:\ttnhbb.exe 109⤵
PID:4984
\??\c:\hhnhhh.exe c:\hhnhhh.exe 110⤵
PID:392
\??\c:\pvddp.exe c:\pvddp.exe 111⤵
PID:1572
\??\c:\llfxrrl.exe c:\llfxrrl.exe 112⤵
PID:1016
\??\c:\nbtttt.exe c:\nbtttt.exe 113⤵
PID:4496
\??\c:\hbtnnn.exe c:\hbtnnn.exe 114⤵
PID:3276
\??\c:\jjpjv.exe c:\jjpjv.exe 115⤵
PID:232
\??\c:\fflfffr.exe c:\fflfffr.exe 116⤵
PID:956
\??\c:\fxxrlll.exe c:\fxxrlll.exe 117⤵
PID:1708
\??\c:\thtbbb.exe c:\thtbbb.exe 118⤵
PID:3980
\??\c:\vjppp.exe c:\vjppp.exe 119⤵
PID:5080
\??\c:\flrflll.exe c:\flrflll.exe 120⤵
PID:2196
\??\c:\ffllrrl.exe c:\ffllrrl.exe 121⤵
PID:1768
\??\c:\tbtthn.exe c:\tbtthn.exe 122⤵
PID:2536