Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 117s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 20/08/2024, 07:46
Behavioral task: behavioral1
Sample: c0801a8866247be62713d55695809680N.exe
Resource: win7-20240704-en
6 signatures
120 seconds
General
Target: c0801a8866247be62713d55695809680N.exe
Size: 46KB
MD5: c0801a8866247be62713d55695809680
SHA1: b85459a154f0f4328e0b188daa9dfa59f88bee47
SHA256: a17812242cbb8be51961b3ba1fce4b388e7ff5e8a3a89014bbff134978086b64
SHA512: 1bd096175deb9574ba11cf7971ce2e11cd23c596827d8efa829deb1a5ae4d2f70f6ba11cf0bf2ed43cb8f3d7ac74c338fe7b7eeb4977fc29234a6ce30263a9ae
SSDEEP: 768:RvQB0ESOGg1UrYShBbgrrMo98l4yOoBDqANhhY/4El6BhGUVTnbcuyD7UNxV0:RvQBeOGtrYS3srx93UBWfwC6Ggnouy8O
Malware Config

Signatures

Detect Blackmoon payload (52 IoCs)
resource | yara_rule
behavioral1/memory/2344-7-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1392-28-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2188-20-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2848-43-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2344-42-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/2712-38-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2072-63-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2804-60-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2804-58-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/2804-56-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/2620-81-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2768-72-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/3052-95-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/2908-116-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/832-113-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1664-132-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1960-149-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2052-175-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2264-193-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2404-203-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1840-230-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1616-241-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1616-239-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/928-250-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1740-267-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/3028-301-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2816-338-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/2876-345-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2644-357-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2740-370-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1112-395-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2012-408-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/1640-439-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2472-464-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2940-518-0x00000000002C0000-0x00000000002E7000-memory.dmp | family_blackmoon
behavioral1/memory/2412-538-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/708-545-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2188-576-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/1596-584-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2484-590-0x00000000001B0000-0x00000000001D7000-memory.dmp | family_blackmoon
behavioral1/memory/2608-617-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2776-624-0x00000000001B0000-0x00000000001D7000-memory.dmp | family_blackmoon
behavioral1/memory/2776-645-0x00000000001B0000-0x00000000001D7000-memory.dmp | family_blackmoon
behavioral1/memory/1188-717-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/2188-845-0x0000000000400000-0x0000000000427000-memory.dmp | family_blackmoon
behavioral1/memory/2884-883-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/2836-1140-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/1464-1255-0x00000000001B0000-0x00000000001D7000-memory.dmp | family_blackmoon
behavioral1/memory/448-1305-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
behavioral1/memory/756-1330-0x0000000000250000-0x0000000000277000-memory.dmp | family_blackmoon
behavioral1/memory/2804-1425-0x00000000003D0000-0x00000000003F7000-memory.dmp | family_blackmoon
behavioral1/memory/2808-1432-0x0000000000220000-0x0000000000247000-memory.dmp | family_blackmoon
Executes dropped EXE (64 IoCs)
pid | Process
2188 | hbhhtb.exe
1392 | pjpjj.exe
2712 | dpddd.exe
2848 | fxlrffr.exe
2804 | tthttb.exe
2072 | vpvdd.exe
2768 | 1jvvd.exe
2620 | 3dvdj.exe
3052 | lflxflr.exe
1716 | nhtttt.exe
832 | btbhhb.exe
2908 | 1jpdv.exe
1664 | xlxfffr.exe
2668 | 9lxllll.exe
1960 | 9nbhbt.exe
1640 | nbhbhn.exe
336 | dvjpd.exe
2052 | 7lxxfxl.exe
1416 | lxlrllx.exe
2264 | thbhbt.exe
2404 | bntbtt.exe
2296 | 5dddj.exe
352 | rrlrxfl.exe
1840 | rxfxxrx.exe
1616 | 5thtbb.exe
928 | hbbtbb.exe
1064 | fxlrrrx.exe
1740 | rlrxllr.exe
324 | 1bhtbb.exe
1756 | dvjpp.exe
2560 | 7vdjj.exe
3028 | fxlxffl.exe
2400 | xrfllrx.exe
3068 | hbbbbb.exe
2508 | 5nbhnt.exe
2276 | ddvpd.exe
2824 | pdppv.exe
2816 | 5rffffl.exe
2876 | llxflrf.exe
2780 | hbbhhn.exe
2644 | bbnnnt.exe
2656 | 3jdjd.exe
2740 | pdjjj.exe
2468 | rlrrllr.exe
1656 | frffllx.exe
1804 | 9hhnbh.exe
1112 | hbnhhh.exe
832 | jjvjv.exe
2012 | 1dvvd.exe
2860 | rrllrxf.exe
2920 | rffllrx.exe
2660 | 9nttbb.exe
1960 | 3tbntn.exe
1640 | hthhhh.exe
2132 | pddjj.exe
2308 | lfrrxxf.exe
576 | 1ntthh.exe
2472 | 1nbhbt.exe
1644 | jdpvv.exe
2024 | 9jvjj.exe
2404 | 5lxxfxf.exe
1148 | 5xrxfll.exe
408 | btnnnn.exe
3008 | 9tbbhb.exe

resource | yara_rule (upx matches; the signature heading for this table is missing from the page)
behavioral1/memory/2344-0-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x000c000000012273-5.dat | upx
behavioral1/memory/2188-10-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/2344-7-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0008000000015d39-29.dat | upx
behavioral1/memory/1392-28-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0009000000015d22-21.dat | upx
behavioral1/memory/2188-20-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/2712-33-0x0000000000220000-0x0000000000247000-memory.dmp | upx
behavioral1/memory/2848-43-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0007000000015d79-49.dat | upx
behavioral1/files/0x0007000000015d71-40.dat | upx
behavioral1/memory/2712-38-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0007000000015d81-59.dat | upx
behavioral1/memory/2072-63-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/2804-60-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/2804-56-0x0000000000220000-0x0000000000247000-memory.dmp | upx
behavioral1/memory/2620-81-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/2768-72-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0009000000015eb1-70.dat | upx
behavioral1/files/0x0009000000015f19-79.dat | upx
behavioral1/files/0x0006000000016ccd-87.dat | upx
behavioral1/files/0x0006000000016ceb-97.dat | upx
behavioral1/files/0x0006000000016d20-104.dat | upx
behavioral1/files/0x0006000000016d30-112.dat | upx
behavioral1/memory/2908-116-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/832-113-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0006000000016d39-122.dat | upx
behavioral1/files/0x0006000000016d49-140.dat | upx
behavioral1/files/0x0006000000016d41-133.dat | upx
behavioral1/memory/1664-132-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/1664-129-0x0000000000220000-0x0000000000247000-memory.dmp | upx
behavioral1/files/0x0006000000016d5d-151.dat | upx
behavioral1/memory/1960-149-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0006000000016d62-158.dat | upx
behavioral1/files/0x0006000000016d66-166.dat | upx
behavioral1/memory/2052-167-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0006000000016d6d-176.dat | upx
behavioral1/memory/2052-175-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0006000000016d89-184.dat | upx
behavioral1/memory/2264-185-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0006000000016dde-194.dat | upx
behavioral1/memory/2264-193-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/2296-204-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/memory/2404-203-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0006000000016de1-202.dat | upx
behavioral1/files/0x0006000000016de9-212.dat | upx
behavioral1/memory/352-213-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0006000000016ec4-221.dat | upx
behavioral1/memory/1840-229-0x00000000003A0000-0x00000000003C7000-memory.dmp | upx
behavioral1/files/0x0006000000017041-231.dat | upx
behavioral1/memory/1840-230-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0006000000017487-242.dat | upx
behavioral1/memory/1616-241-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x0006000000017491-251.dat | upx
behavioral1/memory/928-250-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x00060000000174ca-259.dat | upx
behavioral1/files/0x0009000000018671-268.dat | upx
behavioral1/memory/1740-267-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x000500000001867d-275.dat | upx
behavioral1/files/0x00050000000186de-284.dat | upx
behavioral1/memory/2560-285-0x0000000000400000-0x0000000000427000-memory.dmp | upx
behavioral1/files/0x00050000000186e4-293.dat | upx
behavioral1/memory/3028-301-0x0000000000400000-0x0000000000427000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
All 64 entries share the description "Key opened" and the ioc \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. In 14 entries the Process column names, in table order, lfxflrx.exe, rlxlrrf.exe, tntttt.exe, rlrrrll.exe, ffxfrll.exe, rfrxxxf.exe, pjpvv.exe, hbbbbb.exe, 1vpdd.exe, bntnnn.exe, 5frlrrr.exe, 9tnntb.exe, vpjvp.exe and fxllfff.exe; the remaining 50 entries read "Process not Found".
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
Each of the 16 parent-to-child writes below is recorded four times in the table (64 rows in total):
PID 2344 (c0801a8866247be62713d55695809680N.exe) wrote to memory of 2188 | procid_target 30
PID 2188 (hbhhtb.exe) wrote to memory of 1392 | procid_target 31
PID 1392 (pjpjj.exe) wrote to memory of 2712 | procid_target 32
PID 2712 (dpddd.exe) wrote to memory of 2848 | procid_target 33
PID 2848 (fxlrffr.exe) wrote to memory of 2804 | procid_target 34
PID 2804 (tthttb.exe) wrote to memory of 2072 | procid_target 35
PID 2072 (vpvdd.exe) wrote to memory of 2768 | procid_target 36
PID 2768 (1jvvd.exe) wrote to memory of 2620 | procid_target 37
PID 2620 (3dvdj.exe) wrote to memory of 3052 | procid_target 38
PID 3052 (lflxflr.exe) wrote to memory of 1716 | procid_target 39
PID 1716 (nhtttt.exe) wrote to memory of 832 | procid_target 40
PID 832 (btbhhb.exe) wrote to memory of 2908 | procid_target 41
PID 2908 (1jpdv.exe) wrote to memory of 1664 | procid_target 42
PID 1664 (xlxfffr.exe) wrote to memory of 2668 | procid_target 43
PID 2668 (9lxllll.exe) wrote to memory of 1960 | procid_target 44
PID 1960 (9nbhbt.exe) wrote to memory of 1640 | procid_target 45
Processes
Columns: nesting depth in the process tree | image path | command line | PID | signatures. Signature abbreviations: EXE = Executes dropped EXE; WPM = Suspicious use of WriteProcessMemory; SLD = System Location Discovery: System Language Discovery.
1 | C:\Users\Admin\AppData\Local\Temp\c0801a8866247be62713d55695809680N.exe | "C:\Users\Admin\AppData\Local\Temp\c0801a8866247be62713d55695809680N.exe" | PID 2344 | WPM
2 | \??\c:\hbhhtb.exe | c:\hbhhtb.exe | PID 2188 | EXE, WPM
3 | \??\c:\pjpjj.exe | c:\pjpjj.exe | PID 1392 | EXE, WPM
4 | \??\c:\dpddd.exe | c:\dpddd.exe | PID 2712 | EXE, WPM
5 | \??\c:\fxlrffr.exe | c:\fxlrffr.exe | PID 2848 | EXE, WPM
6 | \??\c:\tthttb.exe | c:\tthttb.exe | PID 2804 | EXE, WPM
7 | \??\c:\vpvdd.exe | c:\vpvdd.exe | PID 2072 | EXE, WPM
8 | \??\c:\1jvvd.exe | c:\1jvvd.exe | PID 2768 | EXE, WPM
9 | \??\c:\3dvdj.exe | c:\3dvdj.exe | PID 2620 | EXE, WPM
10 | \??\c:\lflxflr.exe | c:\lflxflr.exe | PID 3052 | EXE, WPM
11 | \??\c:\nhtttt.exe | c:\nhtttt.exe | PID 1716 | EXE, WPM
12 | \??\c:\btbhhb.exe | c:\btbhhb.exe | PID 832 | EXE, WPM
13 | \??\c:\1jpdv.exe | c:\1jpdv.exe | PID 2908 | EXE, WPM
14 | \??\c:\xlxfffr.exe | c:\xlxfffr.exe | PID 1664 | EXE, WPM
15 | \??\c:\9lxllll.exe | c:\9lxllll.exe | PID 2668 | EXE, WPM
16 | \??\c:\9nbhbt.exe | c:\9nbhbt.exe | PID 1960 | EXE, WPM
17 | \??\c:\nbhbhn.exe | c:\nbhbhn.exe | PID 1640 | EXE
18 | \??\c:\dvjpd.exe | c:\dvjpd.exe | PID 336 | EXE
19 | \??\c:\7lxxfxl.exe | c:\7lxxfxl.exe | PID 2052 | EXE
20 | \??\c:\lxlrllx.exe | c:\lxlrllx.exe | PID 1416 | EXE
21 | \??\c:\thbhbt.exe | c:\thbhbt.exe | PID 2264 | EXE
22 | \??\c:\bntbtt.exe | c:\bntbtt.exe | PID 2404 | EXE
23 | \??\c:\5dddj.exe | c:\5dddj.exe | PID 2296 | EXE
24 | \??\c:\rrlrxfl.exe | c:\rrlrxfl.exe | PID 352 | EXE
25 | \??\c:\rxfxxrx.exe | c:\rxfxxrx.exe | PID 1840 | EXE
26 | \??\c:\5thtbb.exe | c:\5thtbb.exe | PID 1616 | EXE
27 | \??\c:\hbbtbb.exe | c:\hbbtbb.exe | PID 928 | EXE
28 | \??\c:\fxlrrrx.exe | c:\fxlrrrx.exe | PID 1064 | EXE
29 | \??\c:\rlrxllr.exe | c:\rlrxllr.exe | PID 1740 | EXE
30 | \??\c:\1bhtbb.exe | c:\1bhtbb.exe | PID 324 | EXE
31 | \??\c:\dvjpp.exe | c:\dvjpp.exe | PID 1756 | EXE
32 | \??\c:\7vdjj.exe | c:\7vdjj.exe | PID 2560 | EXE
33 | \??\c:\fxlxffl.exe | c:\fxlxffl.exe | PID 3028 | EXE
34 | \??\c:\xrfllrx.exe | c:\xrfllrx.exe | PID 2400 | EXE
35 | \??\c:\hbbbbb.exe | c:\hbbbbb.exe | PID 3068 | EXE, SLD
36 | \??\c:\5nbhnt.exe | c:\5nbhnt.exe | PID 2508 | EXE
37 | \??\c:\ddvpd.exe | c:\ddvpd.exe | PID 2276 | EXE
38 | \??\c:\pdppv.exe | c:\pdppv.exe | PID 2824 | EXE
39 | \??\c:\5rffffl.exe | c:\5rffffl.exe | PID 2816 | EXE
40 | \??\c:\llxflrf.exe | c:\llxflrf.exe | PID 2876 | EXE
41 | \??\c:\hbbhhn.exe | c:\hbbhhn.exe | PID 2780 | EXE
42 | \??\c:\bbnnnt.exe | c:\bbnnnt.exe | PID 2644 | EXE
43 | \??\c:\3jdjd.exe | c:\3jdjd.exe | PID 2656 | EXE
44 | \??\c:\pdjjj.exe | c:\pdjjj.exe | PID 2740 | EXE
45 | \??\c:\rlrrllr.exe | c:\rlrrllr.exe | PID 2468 | EXE
46 | \??\c:\frffllx.exe | c:\frffllx.exe | PID 1656 | EXE
47 | \??\c:\9hhnbh.exe | c:\9hhnbh.exe | PID 1804 | EXE
48 | \??\c:\hbnhhh.exe | c:\hbnhhh.exe | PID 1112 | EXE
49 | \??\c:\jjvjv.exe | c:\jjvjv.exe | PID 832 | EXE
50 | \??\c:\1dvvd.exe | c:\1dvvd.exe | PID 2012 | EXE
51 | \??\c:\rrllrxf.exe | c:\rrllrxf.exe | PID 2860 | EXE
52 | \??\c:\rffllrx.exe | c:\rffllrx.exe | PID 2920 | EXE
53 | \??\c:\9nttbb.exe | c:\9nttbb.exe | PID 2660 | EXE
54 | \??\c:\3tbntn.exe | c:\3tbntn.exe | PID 1960 | EXE
55 | \??\c:\hthhhh.exe | c:\hthhhh.exe | PID 1640 | EXE
56 | \??\c:\pddjj.exe | c:\pddjj.exe | PID 2132 | EXE
57 | \??\c:\lfrrxxf.exe | c:\lfrrxxf.exe | PID 2308 | EXE
58 | \??\c:\1ntthh.exe | c:\1ntthh.exe | PID 576 | EXE
59 | \??\c:\1nbhbt.exe | c:\1nbhbt.exe | PID 2472 | EXE
60 | \??\c:\jdpvv.exe | c:\jdpvv.exe | PID 1644 | EXE
61 | \??\c:\9jvjj.exe | c:\9jvjj.exe | PID 2024 | EXE
62 | \??\c:\5lxxfxf.exe | c:\5lxxfxf.exe | PID 2404 | EXE
63 | \??\c:\5xrxfll.exe | c:\5xrxfll.exe | PID 1148 | EXE
64 | \??\c:\btnnnn.exe | c:\btnnnn.exe | PID 408 | EXE
65 | \??\c:\9tbbhb.exe | c:\9tbbhb.exe | PID 3008 | EXE
66 | \??\c:\jvvdj.exe | c:\jvvdj.exe | PID 1956 | none listed
67 | \??\c:\vdpdj.exe | c:\vdpdj.exe | PID 2136 | none listed
68 | \??\c:\xrrrxff.exe | c:\xrrrxff.exe | PID 2940 | none listed
69 | \??\c:\7xrlrrr.exe | c:\7xrlrrr.exe | PID 2420 | none listed
70 | \??\c:\hthnnn.exe | c:\hthnnn.exe | PID 984 | none listed
71 | \??\c:\9hhnth.exe | c:\9hhnth.exe | PID 2412 | none listed
72 | \??\c:\9pppj.exe | c:\9pppj.exe | PID 708 | none listed
73 | \??\c:\pjdjv.exe | c:\pjdjv.exe | PID 1764 | none listed
74 | \??\c:\lxrxxxr.exe | c:\lxrxxxr.exe | PID 1836 | none listed
75 | \??\c:\frfrxlx.exe | c:\frfrxlx.exe | PID 3016 | none listed
76 | \??\c:\lxllxxx.exe | c:\lxllxxx.exe | PID 2360 | none listed
77 | \??\c:\bthhhh.exe | c:\bthhhh.exe | PID 2188 | none listed
78 | \??\c:\pvvpv.exe | c:\pvvpv.exe | PID 1596 | none listed
79 | \??\c:\5dppp.exe | c:\5dppp.exe | PID 2484 | none listed
80 | \??\c:\7lrlllf.exe | c:\7lrlllf.exe | PID 2508 | none listed
81 | \??\c:\lfllxrx.exe | c:\lfllxrx.exe | PID 2708 | none listed
82 | \??\c:\3thhnn.exe | c:\3thhnn.exe | PID 2160 | none listed
83 | \??\c:\1nhtbb.exe | c:\1nhtbb.exe | PID 2608 | none listed
84 | \??\c:\9dvjp.exe | c:\9dvjp.exe | PID 2776 | none listed
85 | \??\c:\pjvdd.exe | c:\pjvdd.exe | PID 2672 | none listed
86 | \??\c:\3vdvv.exe | c:\3vdvv.exe | PID 2600 | none listed
87 | \??\c:\rllrrxx.exe | c:\rllrrxx.exe | PID 3060 | none listed
88 | \??\c:\lxxfxrf.exe | c:\lxxfxrf.exe | PID 2724 | none listed
89 | \??\c:\nhntbt.exe | c:\nhntbt.exe | PID 1996 | none listed
90 | \??\c:\nbbbhh.exe | c:\nbbbhh.exe | PID 2100 | none listed
91 | \??\c:\pdddd.exe | c:\pdddd.exe | PID 1368 | none listed
92 | \??\c:\vpppj.exe | c:\vpppj.exe | PID 2932 | none listed
93 | \??\c:\frlflfl.exe | c:\frlflfl.exe | PID 2036 | none listed
94 | \??\c:\fxfrrxf.exe | c:\fxfrrxf.exe | PID 2668 | none listed
95 | \??\c:\bntntn.exe | c:\bntntn.exe | PID 1976 | none listed
96 | \??\c:\7nbbbh.exe | c:\7nbbbh.exe | PID 2020 | none listed
97 | \??\c:\jdjvv.exe | c:\jdjvv.exe | PID 1924 | none listed
98 | \??\c:\7dpvv.exe | c:\7dpvv.exe | PID 1204 | none listed
99 | \??\c:\rlxllfr.exe | c:\rlxllfr.exe | PID 1188 | none listed
100 | \??\c:\5frffff.exe | c:\5frffff.exe | PID 2132 | none listed
101 | \??\c:\hbnttb.exe | c:\hbnttb.exe | PID 688 | none listed
102 | \??\c:\5hbbnh.exe | c:\5hbbnh.exe | PID 1632 | none listed
103 | \??\c:\jvdjp.exe | c:\jvdjp.exe | PID 2264 | none listed
104 | \??\c:\dvddp.exe | c:\dvddp.exe | PID 2528 | none listed
105 | \??\c:\9lrffxx.exe | c:\9lrffxx.exe | PID 652 | none listed
106 | \??\c:\rfrrrrf.exe | c:\rfrrrrf.exe | PID 2792 | none listed
107 | \??\c:\5xffllr.exe | c:\5xffllr.exe | PID 692 | none listed
108 | \??\c:\hbtttt.exe | c:\hbtttt.exe | PID 468 | none listed
109 | \??\c:\ththhb.exe | c:\ththhb.exe | PID 1616 | none listed
110 | \??\c:\dpppv.exe | c:\dpppv.exe | PID 1792 | none listed
111 | \??\c:\1vpdd.exe | c:\1vpdd.exe | PID 2028 | SLD
112 | \??\c:\xlrlllf.exe | c:\xlrlllf.exe | PID 3036 | none listed
113 | \??\c:\9lxrrrx.exe | c:\9lxrrrx.exe | PID 2988 | none listed
114 | \??\c:\3lxflrx.exe | c:\3lxflrx.exe | PID 1056 | none listed
115 | \??\c:\btbnnn.exe | c:\btbnnn.exe | PID 800 | none listed
116 | \??\c:\7hhbtt.exe | c:\7hhbtt.exe | PID 324 | none listed
117 | \??\c:\ddpdd.exe | c:\ddpdd.exe | PID 1756 | none listed
118 | \??\c:\pdddd.exe | c:\pdddd.exe | PID 1844 | none listed
119 | \??\c:\rfllrlr.exe | c:\rfllrlr.exe | PID 1704 | none listed
120 | \??\c:\3lfllfl.exe | c:\3lfllfl.exe | PID 1980 | none listed
121 | \??\c:\btbbhh.exe | c:\btbbhh.exe | PID 2188 | none listed
122 | \??\c:\7bbntb.exe | c:\7bbntb.exe | PID 2400 | none listed