Analysis
- max time kernel: 120s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2024, 00:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: c5779802aca41ef6c4cd82a3ad75ec4e45b56e3de30c5785dea0e0050fee17dfN.exe
- Resource: win7-20241010-en
General
- Target: c5779802aca41ef6c4cd82a3ad75ec4e45b56e3de30c5785dea0e0050fee17dfN.exe
- Size: 454KB
- MD5: b036505ebf60c8f0230f81975d087120
- SHA1: 1c37276dd747912a29b1e5182633e5d14a02dd8a
- SHA256: c5779802aca41ef6c4cd82a3ad75ec4e45b56e3de30c5785dea0e0050fee17df
- SHA512: f2f292589e649088d1955158a9b7368435cb1875fa1c5e365f1530105a1aac10f84b116de5653f640ee75e074000d986b539bae76b821fb2a53f744cd364a38c
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (47 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (tree depth in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\c5779802aca41ef6c4cd82a3ad75ec4e45b56e3de30c5785dea0e0050fee17dfN.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\c5779802aca41ef6c4cd82a3ad75ec4e45b56e3de30c5785dea0e0050fee17dfN.exe"  PID: 2996
  - Suspicious use of WriteProcessMemory
- [2] \??\c:\86444.exe  cmd: c:\86444.exe  PID: 2836
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [3] \??\c:\3xlrrrf.exe  cmd: c:\3xlrrrf.exe  PID: 2808
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [4] \??\c:\8268068.exe  cmd: c:\8268068.exe  PID: 2716
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [5] \??\c:\jdpdp.exe  cmd: c:\jdpdp.exe  PID: 2968
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [6] \??\c:\424840.exe  cmd: c:\424840.exe  PID: 2724
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [7] \??\c:\g0440.exe  cmd: c:\g0440.exe  PID: 2500
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [8] \??\c:\m4468.exe  cmd: c:\m4468.exe  PID: 776
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [9] \??\c:\6022880.exe  cmd: c:\6022880.exe  PID: 1652
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [10] \??\c:\5xfflfl.exe  cmd: c:\5xfflfl.exe  PID: 836
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [11] \??\c:\20220.exe  cmd: c:\20220.exe  PID: 2424
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [12] \??\c:\frxxlfr.exe  cmd: c:\frxxlfr.exe  PID: 1808
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [13] \??\c:\ppddd.exe  cmd: c:\ppddd.exe  PID: 2160
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [14] \??\c:\k80282.exe  cmd: c:\k80282.exe  PID: 2172
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [15] \??\c:\lfxllfl.exe  cmd: c:\lfxllfl.exe  PID: 3024
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [16] \??\c:\rxrfrfl.exe  cmd: c:\rxrfrfl.exe  PID: 2788
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [17] \??\c:\thbnbb.exe  cmd: c:\thbnbb.exe  PID: 1628
  - Executes dropped EXE
- [18] \??\c:\bnnthn.exe  cmd: c:\bnnthn.exe  PID: 2008
  - Executes dropped EXE
- [19] \??\c:\2268660.exe  cmd: c:\2268660.exe  PID: 1768
  - Executes dropped EXE
- [20] \??\c:\hntnnh.exe  cmd: c:\hntnnh.exe  PID: 2204
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [21] \??\c:\5llxfxf.exe  cmd: c:\5llxfxf.exe  PID: 2320
  - Executes dropped EXE
- [22] \??\c:\nhhnbh.exe  cmd: c:\nhhnbh.exe  PID: 2056
  - Executes dropped EXE
- [23] \??\c:\22464.exe  cmd: c:\22464.exe  PID: 2652
  - Executes dropped EXE
- [24] \??\c:\3ttntt.exe  cmd: c:\3ttntt.exe  PID: 1756
  - Executes dropped EXE
- [25] \??\c:\5flrxxx.exe  cmd: c:\5flrxxx.exe  PID: 1348
  - Executes dropped EXE
- [26] \??\c:\xrflxrf.exe  cmd: c:\xrflxrf.exe  PID: 1284
  - Executes dropped EXE
- [27] \??\c:\9pjjp.exe  cmd: c:\9pjjp.exe  PID: 1048
  - Executes dropped EXE
- [28] \??\c:\6022880.exe  cmd: c:\6022880.exe  PID: 1692
  - Executes dropped EXE
- [29] \??\c:\jvdjp.exe  cmd: c:\jvdjp.exe  PID: 2536
  - Executes dropped EXE
- [30] \??\c:\frfrlrx.exe  cmd: c:\frfrlrx.exe  PID: 2360
  - Executes dropped EXE
- [31] \??\c:\hbtbhn.exe  cmd: c:\hbtbhn.exe  PID: 2508
  - Executes dropped EXE
- [32] \??\c:\1flxxxx.exe  cmd: c:\1flxxxx.exe  PID: 2660
  - Executes dropped EXE
- [33] \??\c:\7llrflr.exe  cmd: c:\7llrflr.exe  PID: 2984
  - Executes dropped EXE
- [34] \??\c:\tbtbtb.exe  cmd: c:\tbtbtb.exe  PID: 2816
  - Executes dropped EXE
- [35] \??\c:\9jvvd.exe  cmd: c:\9jvvd.exe  PID: 3000
  - Executes dropped EXE
- [36] \??\c:\48224.exe  cmd: c:\48224.exe  PID: 2892
  - Executes dropped EXE
- [37] \??\c:\k20622.exe  cmd: c:\k20622.exe  PID: 2688
  - Executes dropped EXE
- [38] \??\c:\5dppv.exe  cmd: c:\5dppv.exe  PID: 2856
  - Executes dropped EXE
- [39] \??\c:\lxfxflx.exe  cmd: c:\lxfxflx.exe  PID: 2704
  - Executes dropped EXE
- [40] \??\c:\84840.exe  cmd: c:\84840.exe  PID: 2620
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [41] \??\c:\7hnhhh.exe  cmd: c:\7hnhhh.exe  PID: 816
  - Executes dropped EXE
- [42] \??\c:\s2484.exe  cmd: c:\s2484.exe  PID: 1488
  - Executes dropped EXE
- [43] \??\c:\hbthhh.exe  cmd: c:\hbthhh.exe  PID: 872
  - Executes dropped EXE
- [44] \??\c:\tnhbhh.exe  cmd: c:\tnhbhh.exe  PID: 1704
  - Executes dropped EXE
- [45] \??\c:\424440.exe  cmd: c:\424440.exe  PID: 2412
  - Executes dropped EXE
- [46] \??\c:\00804.exe  cmd: c:\00804.exe  PID: 2376
  - Executes dropped EXE
- [47] \??\c:\lxrxxxl.exe  cmd: c:\lxrxxxl.exe  PID: 1984
  - Executes dropped EXE
- [48] \??\c:\602062.exe  cmd: c:\602062.exe  PID: 2156
  - Executes dropped EXE
- [49] \??\c:\24600.exe  cmd: c:\24600.exe  PID: 2248
  - Executes dropped EXE
- [50] \??\c:\9frllfl.exe  cmd: c:\9frllfl.exe  PID: 2792
  - Executes dropped EXE
- [51] \??\c:\o084668.exe  cmd: c:\o084668.exe  PID: 2172
  - Executes dropped EXE
- [52] \??\c:\vdjdj.exe  cmd: c:\vdjdj.exe  PID: 3024
  - Executes dropped EXE
- [53] \??\c:\3lxxxxf.exe  cmd: c:\3lxxxxf.exe  PID: 2876
  - Executes dropped EXE
- [54] \??\c:\204406.exe  cmd: c:\204406.exe  PID: 668
  - Executes dropped EXE
- [55] \??\c:\hbttbb.exe  cmd: c:\hbttbb.exe  PID: 1628
  - Executes dropped EXE
- [56] \??\c:\xlfxrll.exe  cmd: c:\xlfxrll.exe  PID: 2256
  - Executes dropped EXE
- [57] \??\c:\rlxxxxf.exe  cmd: c:\rlxxxxf.exe  PID: 2132
  - Executes dropped EXE
- [58] \??\c:\rrlxrlf.exe  cmd: c:\rrlxrlf.exe  PID: 2192
  - Executes dropped EXE
- [59] \??\c:\0422866.exe  cmd: c:\0422866.exe  PID: 2260
  - Executes dropped EXE
- [60] \??\c:\424460.exe  cmd: c:\424460.exe  PID: 2100
  - Executes dropped EXE
- [61] \??\c:\rflllfr.exe  cmd: c:\rflllfr.exe  PID: 984
  - Executes dropped EXE
- [62] \??\c:\a2062.exe  cmd: c:\a2062.exe  PID: 1332
  - Executes dropped EXE
- [63] \??\c:\k80622.exe  cmd: c:\k80622.exe  PID: 1660
  - Executes dropped EXE
- [64] \??\c:\8640282.exe  cmd: c:\8640282.exe  PID: 372
  - Executes dropped EXE
- [65] \??\c:\hbtbnn.exe  cmd: c:\hbtbnn.exe  PID: 1348
  - Executes dropped EXE
- [66] \??\c:\64868.exe  cmd: c:\64868.exe  PID: 860
- [67] \??\c:\864848.exe  cmd: c:\864848.exe  PID: 700
- [68] \??\c:\jjdjp.exe  cmd: c:\jjdjp.exe  PID: 2512
- [69] \??\c:\lxlllff.exe  cmd: c:\lxlllff.exe  PID: 2584
- [70] \??\c:\3bnnnh.exe  cmd: c:\3bnnnh.exe  PID: 1764
- [71] \??\c:\g8668.exe  cmd: c:\g8668.exe  PID: 1508
- [72] \??\c:\9pvdj.exe  cmd: c:\9pvdj.exe  PID: 2380
- [73] \??\c:\7ntntn.exe  cmd: c:\7ntntn.exe  PID: 2848
- [74] \??\c:\bthhtt.exe  cmd: c:\bthhtt.exe  PID: 2980
- [75] \??\c:\2084262.exe  cmd: c:\2084262.exe  PID: 1584
- [76] \??\c:\nhbbnt.exe  cmd: c:\nhbbnt.exe  PID: 2700
- [77] \??\c:\046262.exe  cmd: c:\046262.exe  PID: 3068
- [78] \??\c:\tnbhnt.exe  cmd: c:\tnbhnt.exe  PID: 2964
- [79] \??\c:\86846.exe  cmd: c:\86846.exe  PID: 2744
- [80] \??\c:\88802.exe  cmd: c:\88802.exe  PID: 2812
- [81] \??\c:\nbtbhh.exe  cmd: c:\nbtbhh.exe  PID: 2564
- [82] \??\c:\m6624.exe  cmd: c:\m6624.exe  PID: 2468
- [83] \??\c:\tbthtb.exe  cmd: c:\tbthtb.exe  PID: 532
- [84] \??\c:\a0840.exe  cmd: c:\a0840.exe  PID: 936
- [85] \??\c:\frxllff.exe  cmd: c:\frxllff.exe  PID: 2164
- [86] \??\c:\486624.exe  cmd: c:\486624.exe  PID: 1860
- [87] \??\c:\2606846.exe  cmd: c:\2606846.exe  PID: 1296
- [88] \??\c:\jdddp.exe  cmd: c:\jdddp.exe  PID: 2676
- [89] \??\c:\m0468.exe  cmd: c:\m0468.exe  PID: 1808
- [90] \??\c:\60424.exe  cmd: c:\60424.exe  PID: 2304
- [91] \??\c:\ffxxffx.exe  cmd: c:\ffxxffx.exe  PID: 2160
- [92] \??\c:\3lrrfrx.exe  cmd: c:\3lrrfrx.exe  PID: 2928
- [93] \??\c:\fflfrfr.exe  cmd: c:\fflfrfr.exe  PID: 2092
- [94] \??\c:\2602406.exe  cmd: c:\2602406.exe  PID: 3032
- [95] \??\c:\2686844.exe  cmd: c:\2686844.exe  PID: 1564
- [96] \??\c:\llxlrrx.exe  cmd: c:\llxlrrx.exe  PID: 1724
- [97] \??\c:\8206402.exe  cmd: c:\8206402.exe  PID: 1044
- [98] \??\c:\fxfllrx.exe  cmd: c:\fxfllrx.exe  PID: 2216
- [99] \??\c:\8268406.exe  cmd: c:\8268406.exe  PID: 2256
- [100] \??\c:\7frlrlr.exe  cmd: c:\7frlrlr.exe  PID: 2144
- [101] \??\c:\bhbhtt.exe  cmd: c:\bhbhtt.exe  PID: 2244
- [102] \??\c:\jjjvj.exe  cmd: c:\jjjvj.exe  PID: 2232
- [103] \??\c:\s8862.exe  cmd: c:\s8862.exe  PID: 2072
- [104] \??\c:\pjpjp.exe  cmd: c:\pjpjp.exe  PID: 1340
- [105] \??\c:\9ttbnt.exe  cmd: c:\9ttbnt.exe  PID: 1948
- [106] \??\c:\8228462.exe  cmd: c:\8228462.exe  PID: 2284
- [107] \??\c:\bbnbhh.exe  cmd: c:\bbnbhh.exe  PID: 1032
- [108] \??\c:\0404624.exe  cmd: c:\0404624.exe  PID: 1672
- [109] \??\c:\86420.exe  cmd: c:\86420.exe  PID: 568
- [110] \??\c:\04460.exe  cmd: c:\04460.exe  PID: 1412
- [111] \??\c:\7dddd.exe  cmd: c:\7dddd.exe  PID: 1692
- [112] \??\c:\pjjdj.exe  cmd: c:\pjjdj.exe  PID: 2408
- [113] \??\c:\c662840.exe  cmd: c:\c662840.exe  PID: 1864
- [114] \??\c:\88064.exe  cmd: c:\88064.exe  PID: 1804
- [115] \??\c:\bnnntt.exe  cmd: c:\bnnntt.exe  PID: 876
- [116] \??\c:\60284.exe  cmd: c:\60284.exe  PID: 1820
- [117] \??\c:\88264.exe  cmd: c:\88264.exe  PID: 1992
- [118] \??\c:\02484.exe  cmd: c:\02484.exe  PID: 1588
- [119] \??\c:\ffxxxxl.exe  cmd: c:\ffxxxxl.exe  PID: 2416
- [120] \??\c:\hbnnbb.exe  cmd: c:\hbnnbb.exe  PID: 2884
- [121] \??\c:\jdvpd.exe  cmd: c:\jdvpd.exe  PID: 2900
- [122] \??\c:\60808.exe  cmd: c:\60808.exe  PID: 2140