Analysis
- max time kernel: 120s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2024, 00:14
- Static task: static1
- Behavioral task: behavioral1
- Sample: a3f9af3e5542527f974d4b85b6c47fe2f1b5c50fbf4246d399c0b906efcadb6a.exe
- Resource: win7-20241010-en
General
- Target: a3f9af3e5542527f974d4b85b6c47fe2f1b5c50fbf4246d399c0b906efcadb6a.exe
- Size: 455KB
- MD5: 635edd3910b63ffeff1ad3b39d528e4f
- SHA1: 53ddfa7c0f53ba53ff228b4971ce24d9a0e4f226
- SHA256: a3f9af3e5542527f974d4b85b6c47fe2f1b5c50fbf4246d399c0b906efcadb6a
- SHA512: 38eaca9916e832e10680cf5d3bcfc4c401196456cb1ecced49640a5009d97d0ad2582792f8ad065c6c29da53380e141f4e410daa2117b17baa802d299ae5ade3
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRt:q7Tc2NYHUrAwfMp3CDRt
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (44 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree, one process per line as depth: image path (PID): signatures triggered by that process. Depth is the nesting level in the tree (each line is one level below the previous one), and each process's command line is its image path without the \??\ prefix.
- 1: "C:\Users\Admin\AppData\Local\Temp\a3f9af3e5542527f974d4b85b6c47fe2f1b5c50fbf4246d399c0b906efcadb6a.exe" (PID 2844): Suspicious use of WriteProcessMemory
- 2: \??\c:\nhntth.exe (PID 1908): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 3: \??\c:\080066.exe (PID 2456): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 4: \??\c:\nbnntn.exe (PID 2220): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 5: \??\c:\lfrrxxf.exe (PID 1644): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 6: \??\c:\dpvpp.exe (PID 2960): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 7: \??\c:\20222.exe (PID 2812): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 8: \??\c:\428888.exe (PID 2012): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 9: \??\c:\hhbhtb.exe (PID 2112): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 10: \??\c:\86844.exe (PID 2780): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 11: \??\c:\c626600.exe (PID 2660): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 12: \??\c:\08664.exe (PID 2540): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 13: \??\c:\vjvvv.exe (PID 3068): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 14: \??\c:\080448.exe (PID 1704): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 15: \??\c:\dpvdd.exe (PID 2856): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 16: \??\c:\k46260.exe (PID 1096): Executes dropped EXE; Suspicious use of WriteProcessMemory
- 17: \??\c:\thnttb.exe (PID 536): Executes dropped EXE
- 18: \??\c:\602260.exe (PID 2860): Executes dropped EXE
- 19: \??\c:\lffxxrr.exe (PID 1692): Executes dropped EXE
- 20: \??\c:\2084484.exe (PID 2880): Executes dropped EXE
- 21: \??\c:\1flfffx.exe (PID 3032): Executes dropped EXE
- 22: \??\c:\8206824.exe (PID 3052): Executes dropped EXE
- 23: \??\c:\64666.exe (PID 2916): Executes dropped EXE
- 24: \??\c:\86888.exe (PID 448): Executes dropped EXE
- 25: \??\c:\2006262.exe (PID 2264): Executes dropped EXE
- 26: \??\c:\826622.exe (PID 2592): Executes dropped EXE
- 27: \??\c:\640066.exe (PID 1376): Executes dropped EXE
- 28: \??\c:\g6888.exe (PID 1720): Executes dropped EXE
- 29: \??\c:\lfrrrlr.exe (PID 896): Executes dropped EXE
- 30: \??\c:\0466880.exe (PID 1968): Executes dropped EXE
- 31: \??\c:\hhnbnt.exe (PID 2320): Executes dropped EXE
- 32: \??\c:\48600.exe (PID 292): Executes dropped EXE
- 33: \??\c:\686066.exe (PID 1028): Executes dropped EXE
- 34: \??\c:\9flfrrr.exe (PID 2376): Executes dropped EXE
- 35: \??\c:\6400602.exe (PID 1520): Executes dropped EXE
- 36: \??\c:\2644044.exe (PID 1628): Executes dropped EXE
- 37: \??\c:\rfrxffl.exe (PID 2840): Executes dropped EXE
- 38: \??\c:\3hnnnn.exe (PID 2236): Executes dropped EXE
- 39: \??\c:\lrfrxxx.exe (PID 792): Executes dropped EXE
- 40: \??\c:\7xlfxrx.exe (PID 2240): Executes dropped EXE
- 41: \??\c:\9ttthh.exe (PID 1920): Executes dropped EXE
- 42: \??\c:\260688.exe (PID 2000): Executes dropped EXE
- 43: \??\c:\bhbhnt.exe (PID 2988): Executes dropped EXE
- 44: \??\c:\420244.exe (PID 2316): Executes dropped EXE
- 45: \??\c:\046284.exe (PID 1884): Executes dropped EXE
- 46: \??\c:\60802.exe (PID 2836): Executes dropped EXE
- 47: \??\c:\486282.exe (PID 2952): Executes dropped EXE
- 48: \??\c:\s0468.exe (PID 2780): Executes dropped EXE
- 49: \??\c:\42446.exe (PID 2824): Executes dropped EXE
- 50: \??\c:\3ttttn.exe (PID 2524): Executes dropped EXE
- 51: \??\c:\m8084.exe (PID 2692): Executes dropped EXE
- 52: \??\c:\826240.exe (PID 1648): Executes dropped EXE
- 53: \??\c:\2640228.exe (PID 2572): Executes dropped EXE
- 54: \??\c:\xrxxffl.exe (PID 1864): Executes dropped EXE
- 55: \??\c:\224286.exe (PID 1488): Executes dropped EXE
- 56: \??\c:\w20800.exe (PID 1096): Executes dropped EXE
- 57: \??\c:\vpdpv.exe (PID 1288): Executes dropped EXE
- 58: \??\c:\6422284.exe (PID 1328): Executes dropped EXE
- 59: \??\c:\046244.exe (PID 2932): Executes dropped EXE
- 60: \??\c:\tnhntb.exe (PID 3044): Executes dropped EXE
- 61: \??\c:\jdjjj.exe (PID 2076): Executes dropped EXE
- 62: \??\c:\g8660.exe (PID 3032): Executes dropped EXE
- 63: \??\c:\bthnnh.exe (PID 3060): Executes dropped EXE
- 64: \??\c:\llfflrx.exe (PID 2884): Executes dropped EXE
- 65: \??\c:\k02244.exe (PID 2308): Executes dropped EXE
- 66: \??\c:\ffxxffl.exe (PID 604)
- 67: \??\c:\tnhtht.exe (PID 328)
- 68: \??\c:\ppvdp.exe (PID 1304)
- 69: \??\c:\pjddp.exe (PID 940)
- 70: \??\c:\1tntbn.exe (PID 1376)
- 71: \??\c:\a4624.exe (PID 1264)
- 72: \??\c:\btbntt.exe (PID 772)
- 73: \??\c:\pjjdp.exe (PID 1016)
- 74: \??\c:\086244.exe (PID 1876)
- 75: \??\c:\3vjjj.exe (PID 2400)
- 76: \??\c:\o084444.exe (PID 1856)
- 77: \??\c:\42028.exe (PID 2392)
- 78: \??\c:\9bnnbh.exe (PID 2272)
- 79: \??\c:\6000220.exe (PID 2248)
- 80: \??\c:\hbbbtb.exe (PID 2844)
- 81: \??\c:\hhbnnb.exe (PID 1908)
- 82: \??\c:\xrflxxl.exe (PID 352)
- 83: \??\c:\64446.exe (PID 2232)
- 84: \??\c:\608866.exe (PID 2228)
- 85: \??\c:\pvjpv.exe (PID 2220)
- 86: \??\c:\428840.exe (PID 2668)
- 87: \??\c:\6422406.exe (PID 2804)
- 88: \??\c:\2620228.exe (PID 2832)
- 89: \??\c:\vppdp.exe (PID 1952)
- 90: \??\c:\6466228.exe (PID 2972)
- 91: \??\c:\8644606.exe (PID 2012)
- 92: \??\c:\448082.exe (PID 2952)
- 93: \??\c:\042840.exe (PID 2636)
- 94: \??\c:\4268402.exe (PID 2544)
- 95: \??\c:\w20060.exe (PID 2128)
- 96: \??\c:\1lxxlrr.exe (PID 2068)
- 97: \??\c:\9nbtnt.exe (PID 1660)
- 98: \??\c:\420288.exe (PID 1452)
- 99: \??\c:\820840.exe (PID 1652)
- 100: \??\c:\w82806.exe (PID 1624)
- 101: \??\c:\4802446.exe (PID 1896)
- 102: \??\c:\0484624.exe (PID 1248)
- 103: \??\c:\nbnntt.exe (PID 2908)
- 104: \??\c:\llfxflx.exe (PID 2900)
- 105: \??\c:\vdvjv.exe (PID 2872)
- 106: \??\c:\04280.exe (PID 2396): System Location Discovery: System Language Discovery
- 107: \??\c:\48284.exe (PID 2164)
- 108: \??\c:\860628.exe (PID 2124)
- 109: \??\c:\pjpjv.exe (PID 276)
- 110: \??\c:\7bnnnh.exe (PID 1840)
- 111: \??\c:\nhthhh.exe (PID 324)
- 112: \??\c:\82684.exe (PID 1700)
- 113: \??\c:\hbttbh.exe (PID 328)
- 114: \??\c:\s0846.exe (PID 936)
- 115: \??\c:\482844.exe (PID 2072)
- 116: \??\c:\tnbhnn.exe (PID 1376)
- 117: \??\c:\0484206.exe (PID 1904)
- 118: \??\c:\nhbntb.exe (PID 636)
- 119: \??\c:\m6468.exe (PID 2276): System Location Discovery: System Language Discovery
- 120: \??\c:\djdpv.exe (PID 2288)
- 121: \??\c:\u480220.exe (PID 2008)
- 122: \??\c:\8206224.exe (PID 1464)