Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2024, 11:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: 00efcbe3225b570b6e185cf7167eb3fbfcdce25c56fd5f204e82bd096ceb3d35.exe
- Resource: win7-20241010-en
General
- Target: 00efcbe3225b570b6e185cf7167eb3fbfcdce25c56fd5f204e82bd096ceb3d35.exe
- Size: 454KB
- MD5: 5f4ef7421aec98ac002ea9afab6051c3
- SHA1: 8e86a14d1e75d83b484b85dec3a898f8abf61552
- SHA256: 00efcbe3225b570b6e185cf7167eb3fbfcdce25c56fd5f204e82bd096ceb3d35
- SHA512: 423b567a4a2425df73f4dc33562c5f4685498213f3d5a95c325be2580ee294560b26334dbb5faa9a1e81b48077f5eabfead4d4e442a82147d5a529dde6c9823e
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (50 IoCs)
- Executes dropped EXE (64 IoCs)
- UPX packed file (yara rule upx matched in the process memory dumps)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (the leading number is the nesting depth; each entry was started by the one above it, in the form path (command line) PID - signatures):
1. C:\Users\Admin\AppData\Local\Temp\00efcbe3225b570b6e185cf7167eb3fbfcdce25c56fd5f204e82bd096ceb3d35.exe ("C:\Users\Admin\AppData\Local\Temp\00efcbe3225b570b6e185cf7167eb3fbfcdce25c56fd5f204e82bd096ceb3d35.exe") PID:2632 - Suspicious use of WriteProcessMemory
2. \??\c:\2644664.exe (c:\2644664.exe) PID:2428 - Executes dropped EXE, Suspicious use of WriteProcessMemory
3. \??\c:\42082.exe (c:\42082.exe) PID:2352 - Executes dropped EXE, Suspicious use of WriteProcessMemory
4. \??\c:\xfrxrrl.exe (c:\xfrxrrl.exe) PID:2524 - Executes dropped EXE, Suspicious use of WriteProcessMemory
5. \??\c:\s8284.exe (c:\s8284.exe) PID:2588 - Executes dropped EXE, Suspicious use of WriteProcessMemory
6. \??\c:\xrxxllx.exe (c:\xrxxllx.exe) PID:2968 - Executes dropped EXE, Suspicious use of WriteProcessMemory
7. \??\c:\nnnbnn.exe (c:\nnnbnn.exe) PID:2804 - Executes dropped EXE, Suspicious use of WriteProcessMemory
8. \??\c:\bnhnbt.exe (c:\bnhnbt.exe) PID:3068 - Executes dropped EXE, Suspicious use of WriteProcessMemory
9. \??\c:\042848.exe (c:\042848.exe) PID:3040 - Executes dropped EXE, Suspicious use of WriteProcessMemory
10. \??\c:\600244.exe (c:\600244.exe) PID:2812 - Executes dropped EXE, Suspicious use of WriteProcessMemory
11. \??\c:\lrlfxxl.exe (c:\lrlfxxl.exe) PID:2740 - Executes dropped EXE, Suspicious use of WriteProcessMemory
12. \??\c:\264644.exe (c:\264644.exe) PID:2480 - Executes dropped EXE, Suspicious use of WriteProcessMemory
13. \??\c:\hnnttb.exe (c:\hnnttb.exe) PID:1268 - Executes dropped EXE, Suspicious use of WriteProcessMemory
14. \??\c:\646684.exe (c:\646684.exe) PID:1008 - Executes dropped EXE, Suspicious use of WriteProcessMemory
15. \??\c:\ffrflxx.exe (c:\ffrflxx.exe) PID:1776 - Executes dropped EXE, Suspicious use of WriteProcessMemory
16. \??\c:\djvjv.exe (c:\djvjv.exe) PID:2108 - Executes dropped EXE, Suspicious use of WriteProcessMemory
17. \??\c:\nbnhnn.exe (c:\nbnhnn.exe) PID:1552 - Executes dropped EXE
18. \??\c:\1vjpj.exe (c:\1vjpj.exe) PID:2668 - Executes dropped EXE
19. \??\c:\860622.exe (c:\860622.exe) PID:2932 - Executes dropped EXE
20. \??\c:\4200640.exe (c:\4200640.exe) PID:2796 - Executes dropped EXE
21. \??\c:\ttnthh.exe (c:\ttnthh.exe) PID:2228 - Executes dropped EXE
22. \??\c:\82406.exe (c:\82406.exe) PID:1600 - Executes dropped EXE
23. \??\c:\24662.exe (c:\24662.exe) PID:2304 - Executes dropped EXE
24. \??\c:\08006.exe (c:\08006.exe) PID:1232 - Executes dropped EXE
25. \??\c:\42006.exe (c:\42006.exe) PID:1560 - Executes dropped EXE
26. \??\c:\4802402.exe (c:\4802402.exe) PID:1424 - Executes dropped EXE
27. \??\c:\2600224.exe (c:\2600224.exe) PID:1464 - Executes dropped EXE
28. \??\c:\vpvjj.exe (c:\vpvjj.exe) PID:2592 - Executes dropped EXE
29. \??\c:\9bnhtt.exe (c:\9bnhtt.exe) PID:2544 - Executes dropped EXE
30. \??\c:\840684.exe (c:\840684.exe) PID:1196 - Executes dropped EXE
31. \??\c:\u422280.exe (c:\u422280.exe) PID:1680 - Executes dropped EXE
32. \??\c:\htntth.exe (c:\htntth.exe) PID:612 - Executes dropped EXE
33. \??\c:\dvjdp.exe (c:\dvjdp.exe) PID:2636 - Executes dropped EXE
34. \??\c:\0440486.exe (c:\0440486.exe) PID:1536 - Executes dropped EXE
35. \??\c:\244024.exe (c:\244024.exe) PID:888 - Executes dropped EXE
36. \??\c:\084022.exe (c:\084022.exe) PID:2608 - Executes dropped EXE
37. \??\c:\nbnhhb.exe (c:\nbnhhb.exe) PID:2560 - Executes dropped EXE
38. \??\c:\c800668.exe (c:\c800668.exe) PID:2840 - Executes dropped EXE
39. \??\c:\202622.exe (c:\202622.exe) PID:2588 - Executes dropped EXE
40. \??\c:\xrlrrlr.exe (c:\xrlrrlr.exe) PID:1580 - Executes dropped EXE
41. \??\c:\lfxrrlr.exe (c:\lfxrrlr.exe) PID:2804 - Executes dropped EXE
42. \??\c:\2068402.exe (c:\2068402.exe) PID:2944 - Executes dropped EXE
43. \??\c:\8066666.exe (c:\8066666.exe) PID:3068 - Executes dropped EXE
44. \??\c:\6084284.exe (c:\6084284.exe) PID:2912 - Executes dropped EXE
45. \??\c:\26446.exe (c:\26446.exe) PID:2864 - Executes dropped EXE
46. \??\c:\hnbhnt.exe (c:\hnbhnt.exe) PID:2868 - Executes dropped EXE
47. \??\c:\bntnnn.exe (c:\bntnnn.exe) PID:2712 - Executes dropped EXE
48. \??\c:\rllrxxr.exe (c:\rllrxxr.exe) PID:2488 - Executes dropped EXE
49. \??\c:\i206668.exe (c:\i206668.exe) PID:1660 - Executes dropped EXE
50. \??\c:\xxrxflr.exe (c:\xxrxflr.exe) PID:1712 - Executes dropped EXE
51. \??\c:\s8666.exe (c:\s8666.exe) PID:1916 - Executes dropped EXE
52. \??\c:\pjjpv.exe (c:\pjjpv.exe) PID:1776 - Executes dropped EXE
53. \??\c:\8200620.exe (c:\8200620.exe) PID:1604 - Executes dropped EXE
54. \??\c:\208062.exe (c:\208062.exe) PID:276 - Executes dropped EXE
55. \??\c:\pdpdj.exe (c:\pdpdj.exe) PID:856 - Executes dropped EXE
56. \??\c:\lfxxlrx.exe (c:\lfxxlrx.exe) PID:2892 - Executes dropped EXE
57. \??\c:\9lxflrl.exe (c:\9lxflrl.exe) PID:2768 - Executes dropped EXE
58. \??\c:\4266440.exe (c:\4266440.exe) PID:2284 - Executes dropped EXE
59. \??\c:\5xflxxx.exe (c:\5xflxxx.exe) PID:2924 - Executes dropped EXE
60. \??\c:\lflrrxl.exe (c:\lflrrxl.exe) PID:2204 - Executes dropped EXE
61. \??\c:\00280.exe (c:\00280.exe) PID:2452 - Executes dropped EXE
62. \??\c:\llffllr.exe (c:\llffllr.exe) PID:948 - Executes dropped EXE
63. \??\c:\088446.exe (c:\088446.exe) PID:3036 - Executes dropped EXE
64. \??\c:\04628.exe (c:\04628.exe) PID:1436 - Executes dropped EXE
65. \??\c:\hhbbnn.exe (c:\hhbbnn.exe) PID:1004 - Executes dropped EXE
66. \??\c:\g0468.exe (c:\g0468.exe) PID:772
67. \??\c:\608022.exe (c:\608022.exe) PID:1248
68. \??\c:\xfxlrxl.exe (c:\xfxlrxl.exe) PID:2784
69. \??\c:\0440268.exe (c:\0440268.exe) PID:2520
70. \??\c:\bbnnnt.exe (c:\bbnnnt.exe) PID:2468
71. \??\c:\8208684.exe (c:\8208684.exe) PID:1196
72. \??\c:\xxllxfx.exe (c:\xxllxfx.exe) PID:768
73. \??\c:\6428624.exe (c:\6428624.exe) PID:1508
74. \??\c:\7bbhnt.exe (c:\7bbhnt.exe) PID:2636 - System Location Discovery: System Language Discovery
75. \??\c:\1tnnbh.exe (c:\1tnnbh.exe) PID:2428
76. \??\c:\rfrxfff.exe (c:\rfrxfff.exe) PID:2352
77. \??\c:\rrlfrrf.exe (c:\rrlfrrf.exe) PID:2624
78. \??\c:\jvjjj.exe (c:\jvjjj.exe) PID:2564
79. \??\c:\o462888.exe (c:\o462888.exe) PID:3060
80. \??\c:\jdddj.exe (c:\jdddj.exe) PID:2588
81. \??\c:\20442.exe (c:\20442.exe) PID:2852
82. \??\c:\xxllxxl.exe (c:\xxllxxl.exe) PID:3004
83. \??\c:\0600668.exe (c:\0600668.exe) PID:2980
84. \??\c:\fxrxlrx.exe (c:\fxrxlrx.exe) PID:2856
85. \??\c:\2602406.exe (c:\2602406.exe) PID:2692
86. \??\c:\xlxrlrr.exe (c:\xlxrlrr.exe) PID:2260
87. \??\c:\e64800.exe (c:\e64800.exe) PID:2760
88. \??\c:\tnbbhn.exe (c:\tnbbhn.exe) PID:1788
89. \??\c:\824088.exe (c:\824088.exe) PID:1888
90. \??\c:\xrlffrl.exe (c:\xrlffrl.exe) PID:1724
91. \??\c:\062004.exe (c:\062004.exe) PID:752
92. \??\c:\nnhhnt.exe (c:\nnhhnt.exe) PID:1800
93. \??\c:\4806806.exe (c:\4806806.exe) PID:1856
94. \??\c:\dpddj.exe (c:\dpddj.exe) PID:2144
95. \??\c:\2022406.exe (c:\2022406.exe) PID:1604
96. \??\c:\28240.exe (c:\28240.exe) PID:592
97. \??\c:\pdppv.exe (c:\pdppv.exe) PID:2916
98. \??\c:\w86026.exe (c:\w86026.exe) PID:1896
99. \??\c:\2022666.exe (c:\2022666.exe) PID:284
100. \??\c:\llflrrr.exe (c:\llflrrr.exe) PID:1224
101. \??\c:\m2482.exe (c:\m2482.exe) PID:2888
102. \??\c:\xlxflll.exe (c:\xlxflll.exe) PID:716
103. \??\c:\3nbbnn.exe (c:\3nbbnn.exe) PID:684
104. \??\c:\jvdjv.exe (c:\jvdjv.exe) PID:448
105. \??\c:\600628.exe (c:\600628.exe) PID:1736
106. \??\c:\20846.exe (c:\20846.exe) PID:3036
107. \??\c:\g0828.exe (c:\g0828.exe) PID:984
108. \??\c:\4282266.exe (c:\4282266.exe) PID:1424
109. \??\c:\jdjjp.exe (c:\jdjjp.exe) PID:696
110. \??\c:\48066.exe (c:\48066.exe) PID:2576
111. \??\c:\nnttbb.exe (c:\nnttbb.exe) PID:3032
112. \??\c:\646282.exe (c:\646282.exe) PID:1924
113. \??\c:\6084068.exe (c:\6084068.exe) PID:1440
114. \??\c:\lxfffxf.exe (c:\lxfffxf.exe) PID:1680
115. \??\c:\22826.exe (c:\22826.exe) PID:396
116. \??\c:\040048.exe (c:\040048.exe) PID:3064
117. \??\c:\vdvdp.exe (c:\vdvdp.exe) PID:1532
118. \??\c:\vdjpp.exe (c:\vdjpp.exe) PID:1648
119. \??\c:\c622228.exe (c:\c622228.exe) PID:1748
120. \??\c:\640622.exe (c:\640622.exe) PID:2572
121. \??\c:\220282.exe (c:\220282.exe) PID:2508
122. \??\c:\rfxfllr.exe (c:\rfxfllr.exe) PID:2524