Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26/12/2024, 08:55
Static task
static1
Behavioral task
behavioral1
Sample
5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe
Resource
win7-20240903-en
General
-
Target
5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe
-
Size
453KB
-
MD5
53f9c062f1240d37518d3bd8f9315050
-
SHA1
aca5e95aa719d4557e67d129515d11c69e34a8e3
-
SHA256
5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314d
-
SHA512
a3f2b35bf1b876476599527614be0a1e718c1654a2ebd56deda028a27b5c62a7665c6f530a7dbe32aa5091adfa405b3ac093610424643af7f9351767a8cf0ecf
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2232-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1356-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1304-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-149-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2004-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/264-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1132-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1372-221-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1784-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2584-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-339-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/276-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-373-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2396-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-393-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/816-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/324-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1936-448-0x0000000000280000-0x00000000002AA000-memory.dmp family_blackmoon behavioral1/memory/2404-456-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1984-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-758-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2168-764-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/1360-798-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-845-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-927-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2692 jjdjv.exe 2928 llflrrf.exe 2756 ddjpv.exe 2828 nbtntt.exe 2604 pjdjv.exe 1204 nhttbb.exe 2600 htnthh.exe 1660 jpjpd.exe 2204 hnbbnn.exe 2128 lfflxfr.exe 1356 fxlrxlx.exe 2312 llxxllx.exe 2764 lfffrxl.exe 1304 hbntbb.exe 2760 xrrlxfl.exe 2004 hbnthh.exe 264 vvpvd.exe 2184 3htbhn.exe 1720 ddvjd.exe 2444 lxflllr.exe 1132 btnnnt.exe 2424 1jddj.exe 1372 rfxflrx.exe 1716 bthtbh.exe 712 1xllxff.exe 1656 5tbhhn.exe 1784 jdpdj.exe 2236 tnhnbh.exe 272 vvvdd.exe 1008 hbtbnt.exe 1752 djdjv.exe 2120 7xrrffl.exe 2796 btbhnt.exe 2696 pjddj.exe 2824 ffrrxxl.exe 2136 btnhnt.exe 2584 vppvd.exe 2776 vvvvv.exe 2552 rlxfllf.exe 2628 5bthtt.exe 2196 dvjvd.exe 276 vjddj.exe 3012 xrllrfl.exe 2396 bnhntt.exe 2204 vpjdp.exe 2876 xxrxfff.exe 816 lllrxxl.exe 1628 hhbhtb.exe 984 jjdpj.exe 324 xlrrflx.exe 2880 tttnbb.exe 896 dvpvp.exe 1932 pjdjd.exe 1936 xlrrrrr.exe 2404 5hbbhb.exe 2192 3jpjj.exe 2328 ppvjv.exe 1984 frlrflx.exe 408 hbttht.exe 2116 pjppd.exe 1960 ddddj.exe 936 lfrxflr.exe 2432 tnnhnt.exe 2496 jjpvd.exe -
resource yara_rule behavioral1/memory/2232-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1204-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1356-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1132-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-254-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2236-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/276-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/276-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/816-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-764-0x00000000001C0000-0x00000000001EA000-memory.dmp upx behavioral1/memory/1360-798-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-845-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-893-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2568-900-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-920-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-927-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxllx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2232 wrote to memory of 2692 2232 5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe 30 PID 2232 wrote to memory of 2692 2232 5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe 30 PID 2232 wrote to memory of 2692 2232 5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe 30 PID 2232 wrote to memory of 2692 2232 5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe 30 PID 2692 wrote to memory of 2928 2692 jjdjv.exe 31 PID 2692 wrote to memory of 2928 2692 jjdjv.exe 31 PID 2692 wrote to memory of 2928 2692 jjdjv.exe 31 PID 2692 wrote to memory of 2928 2692 jjdjv.exe 31 PID 2928 wrote to memory of 2756 2928 llflrrf.exe 32 PID 2928 wrote to memory of 2756 2928 llflrrf.exe 32 PID 2928 wrote to memory of 2756 2928 llflrrf.exe 32 PID 2928 wrote to memory of 2756 2928 llflrrf.exe 32 PID 2756 wrote to memory of 2828 2756 ddjpv.exe 33 PID 2756 wrote to memory of 2828 2756 ddjpv.exe 33 PID 2756 wrote to memory of 2828 2756 ddjpv.exe 33 PID 2756 wrote to memory of 2828 2756 ddjpv.exe 33 PID 2828 wrote to memory of 2604 2828 nbtntt.exe 34 PID 2828 wrote to memory of 2604 2828 nbtntt.exe 34 PID 2828 wrote to memory of 2604 2828 nbtntt.exe 34 PID 2828 wrote to memory of 2604 2828 nbtntt.exe 34 PID 2604 wrote to memory of 1204 2604 pjdjv.exe 35 PID 2604 wrote to memory of 1204 2604 pjdjv.exe 35 PID 2604 wrote to memory of 1204 2604 pjdjv.exe 35 PID 2604 wrote to memory of 1204 2604 pjdjv.exe 35 PID 1204 wrote to memory of 2600 1204 nhttbb.exe 36 PID 1204 wrote to memory of 2600 1204 nhttbb.exe 36 PID 1204 wrote to memory of 2600 1204 nhttbb.exe 36 PID 1204 wrote to memory of 2600 1204 nhttbb.exe 36 PID 2600 wrote to memory of 1660 2600 htnthh.exe 37 PID 2600 wrote to memory of 1660 2600 htnthh.exe 37 PID 2600 wrote to memory of 1660 2600 htnthh.exe 37 PID 2600 wrote to memory of 1660 2600 htnthh.exe 37 PID 1660 wrote to memory of 2204 1660 jpjpd.exe 38 PID 1660 wrote to 
memory of 2204 1660 jpjpd.exe 38 PID 1660 wrote to memory of 2204 1660 jpjpd.exe 38 PID 1660 wrote to memory of 2204 1660 jpjpd.exe 38 PID 2204 wrote to memory of 2128 2204 hnbbnn.exe 39 PID 2204 wrote to memory of 2128 2204 hnbbnn.exe 39 PID 2204 wrote to memory of 2128 2204 hnbbnn.exe 39 PID 2204 wrote to memory of 2128 2204 hnbbnn.exe 39 PID 2128 wrote to memory of 1356 2128 lfflxfr.exe 40 PID 2128 wrote to memory of 1356 2128 lfflxfr.exe 40 PID 2128 wrote to memory of 1356 2128 lfflxfr.exe 40 PID 2128 wrote to memory of 1356 2128 lfflxfr.exe 40 PID 1356 wrote to memory of 2312 1356 fxlrxlx.exe 41 PID 1356 wrote to memory of 2312 1356 fxlrxlx.exe 41 PID 1356 wrote to memory of 2312 1356 fxlrxlx.exe 41 PID 1356 wrote to memory of 2312 1356 fxlrxlx.exe 41 PID 2312 wrote to memory of 2764 2312 llxxllx.exe 42 PID 2312 wrote to memory of 2764 2312 llxxllx.exe 42 PID 2312 wrote to memory of 2764 2312 llxxllx.exe 42 PID 2312 wrote to memory of 2764 2312 llxxllx.exe 42 PID 2764 wrote to memory of 1304 2764 lfffrxl.exe 43 PID 2764 wrote to memory of 1304 2764 lfffrxl.exe 43 PID 2764 wrote to memory of 1304 2764 lfffrxl.exe 43 PID 2764 wrote to memory of 1304 2764 lfffrxl.exe 43 PID 1304 wrote to memory of 2760 1304 hbntbb.exe 44 PID 1304 wrote to memory of 2760 1304 hbntbb.exe 44 PID 1304 wrote to memory of 2760 1304 hbntbb.exe 44 PID 1304 wrote to memory of 2760 1304 hbntbb.exe 44 PID 2760 wrote to memory of 2004 2760 xrrlxfl.exe 45 PID 2760 wrote to memory of 2004 2760 xrrlxfl.exe 45 PID 2760 wrote to memory of 2004 2760 xrrlxfl.exe 45 PID 2760 wrote to memory of 2004 2760 xrrlxfl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe"C:\Users\Admin\AppData\Local\Temp\5f453599f137d7601eb24fad49e5e9a1503926d991de9588e6645a69b99c314dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\jjdjv.exec:\jjdjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\llflrrf.exec:\llflrrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\ddjpv.exec:\ddjpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\nbtntt.exec:\nbtntt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\pjdjv.exec:\pjdjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\nhttbb.exec:\nhttbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\htnthh.exec:\htnthh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\jpjpd.exec:\jpjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\hnbbnn.exec:\hnbbnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\lfflxfr.exec:\lfflxfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\fxlrxlx.exec:\fxlrxlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\llxxllx.exec:\llxxllx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\lfffrxl.exec:\lfffrxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\hbntbb.exec:\hbntbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\xrrlxfl.exec:\xrrlxfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\hbnthh.exec:\hbnthh.exe17⤵
- Executes dropped EXE
PID:2004 -
\??\c:\vvpvd.exec:\vvpvd.exe18⤵
- Executes dropped EXE
PID:264 -
\??\c:\3htbhn.exec:\3htbhn.exe19⤵
- Executes dropped EXE
PID:2184 -
\??\c:\ddvjd.exec:\ddvjd.exe20⤵
- Executes dropped EXE
PID:1720 -
\??\c:\lxflllr.exec:\lxflllr.exe21⤵
- Executes dropped EXE
PID:2444 -
\??\c:\btnnnt.exec:\btnnnt.exe22⤵
- Executes dropped EXE
PID:1132 -
\??\c:\1jddj.exec:\1jddj.exe23⤵
- Executes dropped EXE
PID:2424 -
\??\c:\rfxflrx.exec:\rfxflrx.exe24⤵
- Executes dropped EXE
PID:1372 -
\??\c:\bthtbh.exec:\bthtbh.exe25⤵
- Executes dropped EXE
PID:1716 -
\??\c:\1xllxff.exec:\1xllxff.exe26⤵
- Executes dropped EXE
PID:712 -
\??\c:\5tbhhn.exec:\5tbhhn.exe27⤵
- Executes dropped EXE
PID:1656 -
\??\c:\jdpdj.exec:\jdpdj.exe28⤵
- Executes dropped EXE
PID:1784 -
\??\c:\tnhnbh.exec:\tnhnbh.exe29⤵
- Executes dropped EXE
PID:2236 -
\??\c:\vvvdd.exec:\vvvdd.exe30⤵
- Executes dropped EXE
PID:272 -
\??\c:\hbtbnt.exec:\hbtbnt.exe31⤵
- Executes dropped EXE
PID:1008 -
\??\c:\djdjv.exec:\djdjv.exe32⤵
- Executes dropped EXE
PID:1752 -
\??\c:\7xrrffl.exec:\7xrrffl.exe33⤵
- Executes dropped EXE
PID:2120 -
\??\c:\btbhnt.exec:\btbhnt.exe34⤵
- Executes dropped EXE
PID:2796 -
\??\c:\pjddj.exec:\pjddj.exe35⤵
- Executes dropped EXE
PID:2696 -
\??\c:\ffrrxxl.exec:\ffrrxxl.exe36⤵
- Executes dropped EXE
PID:2824 -
\??\c:\btnhnt.exec:\btnhnt.exe37⤵
- Executes dropped EXE
PID:2136 -
\??\c:\vppvd.exec:\vppvd.exe38⤵
- Executes dropped EXE
PID:2584 -
\??\c:\vvvvv.exec:\vvvvv.exe39⤵
- Executes dropped EXE
PID:2776 -
\??\c:\rlxfllf.exec:\rlxfllf.exe40⤵
- Executes dropped EXE
PID:2552 -
\??\c:\5bthtt.exec:\5bthtt.exe41⤵
- Executes dropped EXE
PID:2628 -
\??\c:\dvjvd.exec:\dvjvd.exe42⤵
- Executes dropped EXE
PID:2196 -
\??\c:\vjddj.exec:\vjddj.exe43⤵
- Executes dropped EXE
PID:276 -
\??\c:\xrllrfl.exec:\xrllrfl.exe44⤵
- Executes dropped EXE
PID:3012 -
\??\c:\bnhntt.exec:\bnhntt.exe45⤵
- Executes dropped EXE
PID:2396 -
\??\c:\vpjdp.exec:\vpjdp.exe46⤵
- Executes dropped EXE
PID:2204 -
\??\c:\xxrxfff.exec:\xxrxfff.exe47⤵
- Executes dropped EXE
PID:2876 -
\??\c:\lllrxxl.exec:\lllrxxl.exe48⤵
- Executes dropped EXE
PID:816 -
\??\c:\hhbhtb.exec:\hhbhtb.exe49⤵
- Executes dropped EXE
PID:1628 -
\??\c:\jjdpj.exec:\jjdpj.exe50⤵
- Executes dropped EXE
PID:984 -
\??\c:\xlrrflx.exec:\xlrrflx.exe51⤵
- Executes dropped EXE
PID:324 -
\??\c:\tttnbb.exec:\tttnbb.exe52⤵
- Executes dropped EXE
PID:2880 -
\??\c:\dvpvp.exec:\dvpvp.exe53⤵
- Executes dropped EXE
PID:896 -
\??\c:\pjdjd.exec:\pjdjd.exe54⤵
- Executes dropped EXE
PID:1932 -
\??\c:\xlrrrrr.exec:\xlrrrrr.exe55⤵
- Executes dropped EXE
PID:1936 -
\??\c:\5hbbhb.exec:\5hbbhb.exe56⤵
- Executes dropped EXE
PID:2404 -
\??\c:\3jpjj.exec:\3jpjj.exe57⤵
- Executes dropped EXE
PID:2192 -
\??\c:\ppvjv.exec:\ppvjv.exe58⤵
- Executes dropped EXE
PID:2328 -
\??\c:\frlrflx.exec:\frlrflx.exe59⤵
- Executes dropped EXE
PID:1984 -
\??\c:\hbttht.exec:\hbttht.exe60⤵
- Executes dropped EXE
PID:408 -
\??\c:\pjppd.exec:\pjppd.exe61⤵
- Executes dropped EXE
PID:2116 -
\??\c:\ddddj.exec:\ddddj.exe62⤵
- Executes dropped EXE
PID:1960 -
\??\c:\lfrxflr.exec:\lfrxflr.exe63⤵
- Executes dropped EXE
PID:936 -
\??\c:\tnnhnt.exec:\tnnhnt.exe64⤵
- Executes dropped EXE
PID:2432 -
\??\c:\jjpvd.exec:\jjpvd.exe65⤵
- Executes dropped EXE
PID:2496 -
\??\c:\3pddd.exec:\3pddd.exe66⤵PID:1756
-
\??\c:\xxrxllr.exec:\xxrxllr.exe67⤵PID:1440
-
\??\c:\7btntt.exec:\7btntt.exe68⤵PID:1980
-
\??\c:\vppdj.exec:\vppdj.exe69⤵PID:1784
-
\??\c:\ddjdd.exec:\ddjdd.exe70⤵PID:992
-
\??\c:\frrrxxf.exec:\frrrxxf.exe71⤵PID:1736
-
\??\c:\tnhhnt.exec:\tnhhnt.exe72⤵PID:1944
-
\??\c:\jvjjj.exec:\jvjjj.exe73⤵PID:2520
-
\??\c:\9vddj.exec:\9vddj.exe74⤵PID:2124
-
\??\c:\xlffrxf.exec:\xlffrxf.exe75⤵PID:2784
-
\??\c:\hbnnhh.exec:\hbnnhh.exe76⤵PID:2800
-
\??\c:\3dvdj.exec:\3dvdj.exe77⤵PID:2692
-
\??\c:\pvppv.exec:\pvppv.exe78⤵PID:2832
-
\??\c:\rrllrfr.exec:\rrllrfr.exe79⤵PID:2684
-
\??\c:\nhbhtt.exec:\nhbhtt.exe80⤵PID:2872
-
\??\c:\bhbnth.exec:\bhbnth.exe81⤵PID:2808
-
\??\c:\dvppv.exec:\dvppv.exe82⤵PID:2568
-
\??\c:\xrflxrr.exec:\xrflxrr.exe83⤵PID:2580
-
\??\c:\5hbbnt.exec:\5hbbnt.exe84⤵PID:2724
-
\??\c:\5hnnnn.exec:\5hnnnn.exe85⤵PID:1280
-
\??\c:\vpjpv.exec:\vpjpv.exe86⤵PID:2976
-
\??\c:\lxrxflx.exec:\lxrxflx.exe87⤵PID:3012
-
\??\c:\lxrrffl.exec:\lxrrffl.exe88⤵PID:2396
-
\??\c:\btnttt.exec:\btnttt.exe89⤵PID:620
-
\??\c:\7dppv.exec:\7dppv.exe90⤵PID:2060
-
\??\c:\fxlrxxl.exec:\fxlrxxl.exe91⤵PID:344
-
\??\c:\rlxrffl.exec:\rlxrffl.exe92⤵PID:1704
-
\??\c:\tnttbh.exec:\tnttbh.exe93⤵PID:1676
-
\??\c:\pppvd.exec:\pppvd.exe94⤵PID:1732
-
\??\c:\rllrxfl.exec:\rllrxfl.exe95⤵PID:2888
-
\??\c:\lfrxffx.exec:\lfrxffx.exe96⤵PID:1680
-
\??\c:\nbtthh.exec:\nbtthh.exe97⤵PID:1760
-
\??\c:\9jdvp.exec:\9jdvp.exe98⤵PID:3060
-
\??\c:\dvvpv.exec:\dvvpv.exe99⤵PID:1936
-
\??\c:\7xlfffl.exec:\7xlfffl.exe100⤵PID:2184
-
\??\c:\thtbnt.exec:\thtbnt.exe101⤵PID:1156
-
\??\c:\7nnntb.exec:\7nnntb.exe102⤵PID:2456
-
\??\c:\jjvvd.exec:\jjvvd.exe103⤵PID:2108
-
\??\c:\rfxxffx.exec:\rfxxffx.exe104⤵PID:2168
-
\??\c:\1hbhhn.exec:\1hbhhn.exe105⤵PID:1348
-
\??\c:\nhbnnt.exec:\nhbnnt.exe106⤵PID:1372
-
\??\c:\vpvdj.exec:\vpvdj.exe107⤵PID:760
-
\??\c:\flrffff.exec:\flrffff.exe108⤵PID:568
-
\??\c:\nhbhnn.exec:\nhbhnn.exe109⤵PID:1360
-
\??\c:\5tbttt.exec:\5tbttt.exe110⤵PID:1816
-
\??\c:\jdpvv.exec:\jdpvv.exe111⤵PID:2392
-
\??\c:\xrflrxf.exec:\xrflrxf.exe112⤵PID:2236
-
\??\c:\bbttbt.exec:\bbttbt.exe113⤵PID:2288
-
\??\c:\1btbtb.exec:\1btbtb.exe114⤵PID:2452
-
\??\c:\vpvvd.exec:\vpvvd.exe115⤵PID:2428
-
\??\c:\7fxrrrr.exec:\7fxrrrr.exe116⤵PID:3048
-
\??\c:\xrxflfl.exec:\xrxflfl.exe117⤵PID:2120
-
\??\c:\7nhnhh.exec:\7nhnhh.exe118⤵PID:2708
-
\??\c:\pdpvv.exec:\pdpvv.exe119⤵PID:1560
-
\??\c:\ppvpp.exec:\ppvpp.exe120⤵PID:2744
-
\??\c:\9rrxfxx.exec:\9rrxfxx.exe121⤵PID:2052
-
\??\c:\hntbbn.exec:\hntbbn.exe122⤵PID:2584