Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 19/12/2024, 23:07
Static task: static1
Behavioral task: behavioral1
Sample: 3300cc7823aed5036615ce13d1fd6a7ad86a2a4b850bb18681253d26f27d0385N.exe
Resource: win7-20241010-en
General
Target: 3300cc7823aed5036615ce13d1fd6a7ad86a2a4b850bb18681253d26f27d0385N.exe
Size: 452KB
MD5: 3011ffcb62e3ef912582799da6fe10a0
SHA1: 90b32f284407ae7e224d1b87cc7bb446c9621c77
SHA256: 3300cc7823aed5036615ce13d1fd6a7ad86a2a4b850bb18681253d26f27d0385
SHA512: fdbcb8eda628826dcd9d96a3ee07dee1162d43f562d8dd566a3f9cb871a18dfdb6675be8799c1cbeba52de47cd64f43f214c631bc70d19b43677f292895a78a0
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload 50 IoCs
yara_rule: family_blackmoon for every one of the 50 resources below. Note that each dumped region is exactly 0x2A000 bytes (end minus start) whatever its base address, so every stage of the chain unpacks the same image rather than a new one.
resource:
behavioral1/memory/1996-7-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1704-11-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2472-25-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2888-39-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2888-35-0x00000000003B0000-0x00000000003DA000-memory.dmp
behavioral1/memory/2848-49-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2864-68-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2952-59-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3048-79-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3048-77-0x00000000002B0000-0x00000000002DA000-memory.dmp
behavioral1/memory/2748-94-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2748-97-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2452-106-0x00000000001B0000-0x00000000001DA000-memory.dmp
behavioral1/memory/2924-117-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2924-115-0x00000000001B0000-0x00000000001DA000-memory.dmp
behavioral1/memory/1632-135-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2452-145-0x00000000001B0000-0x00000000001DA000-memory.dmp
behavioral1/memory/3008-143-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1748-155-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1748-152-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/3012-159-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1500-174-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2556-190-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1512-199-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1976-218-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2508-225-0x00000000003B0000-0x00000000003DA000-memory.dmp
behavioral1/memory/628-236-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2008-285-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2548-308-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1940-321-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2812-334-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1916-353-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2816-374-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2816-372-0x00000000005C0000-0x00000000005EA000-memory.dmp
behavioral1/memory/2752-382-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2908-426-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2544-471-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2508-517-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/892-570-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1892-577-0x0000000000340000-0x000000000036A000-memory.dmp
behavioral1/memory/588-692-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2392-919-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2972-931-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2736-939-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2736-964-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/684-971-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/3028-985-0x00000000003A0000-0x00000000003CA000-memory.dmp
behavioral1/memory/2376-1049-0x00000000002B0000-0x00000000002DA000-memory.dmp
behavioral1/memory/2376-1048-0x00000000002B0000-0x00000000002DA000-memory.dmp
behavioral1/memory/2004-1089-0x0000000001C60000-0x0000000001C8A000-memory.dmp
Executes dropped EXE 64 IoCs
Columns: pid | Process. PIDs 2472, 1500 and 1040 each appear twice because Windows reuses the PID of an exited process; the process tree further down continues well beyond these 64 entries.
1704 | thbhtb.exe
2472 | tntnbh.exe
2888 | 0088888.exe
2848 | 202066.exe
2952 | llrxrfr.exe
2864 | 268222.exe
3048 | 2048428.exe
3064 | 1jjjj.exe
2748 | 6020602.exe
2452 | llfrxfr.exe
2924 | lrffrrx.exe
1488 | 6084028.exe
1632 | s8062.exe
3008 | tnhtbh.exe
1748 | 424404.exe
3012 | e02442.exe
1500 | rlxxxxf.exe
1780 | nnhhnt.exe
2556 | e00442.exe
1512 | pjddj.exe
1040 | vvvjp.exe
1976 | 7xrxxfl.exe
2508 | g6864.exe
628 | a2024.exe
2500 | 8200880.exe
1548 | hnhthn.exe
2284 | 7vpvd.exe
2092 | 1pjpv.exe
2200 | ntnbnt.exe
2008 | 60402.exe
1984 | 004644.exe
2024 | ppdvj.exe
2548 | 608620.exe
1708 | 7jdpd.exe
1940 | tthntb.exe
2472 | hnhthn.exe
2812 | fxlrffx.exe
2976 | u606228.exe
2968 | 642862.exe
1916 | 664680.exe
2740 | btnthn.exe
2504 | vpjvd.exe
2816 | flrffrl.exe
2752 | 086204.exe
2700 | ttbnth.exe
2308 | 2600280.exe
2032 | 3xxrlxl.exe
588 | jppdv.exe
1696 | httnhb.exe
1112 | 600660.exe
2908 | 4224282.exe
3032 | 004028.exe
2260 | 264684.exe
2172 | 6028446.exe
1276 | 82080.exe
2932 | xlfxlfr.exe
1500 | rlflrxr.exe
2544 | k42248.exe
1816 | s2062.exe
2376 | vdpvd.exe
2484 | 4480460.exe
1040 | 1bttbb.exe
2068 | 1lxxxfr.exe
2152 | 888046.exe
UPX packed file 59 IoCs
yara_rule: upx for every one of the 59 resources below. Many of these are the same dumps that matched family_blackmoon above, so the family detection does not depend on the packer being stripped first.
resource:
behavioral1/memory/1996-7-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1704-11-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2888-28-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2472-25-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2888-39-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2848-40-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2848-49-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2864-60-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2864-68-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2952-59-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3048-79-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2748-97-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2924-107-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2924-117-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1632-132-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1632-135-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3008-143-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1748-155-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3012-159-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1500-174-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2556-190-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1512-199-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1040-206-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1976-210-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1976-218-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2508-225-0x00000000003B0000-0x00000000003DA000-memory.dmp
behavioral1/memory/628-236-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2008-285-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2548-308-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1940-321-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2812-334-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1916-353-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2816-374-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2752-375-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2752-382-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2908-426-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2544-471-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2376-479-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2508-517-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1636-556-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1652-563-0x00000000003C0000-0x00000000003EA000-memory.dmp
behavioral1/memory/892-570-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2528-596-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2504-646-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/608-660-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2656-673-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/588-692-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2904-699-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2612-743-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2644-750-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1836-782-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2476-813-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2592-862-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2392-912-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2392-919-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2736-939-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3028-978-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3024-999-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1500-1019-0x0000000000400000-0x000000000042A000-memory.dmp
System Location Discovery: System Language Discovery 1 TTP, 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Legitimate installers and runtimes read this key routinely as well, so treat the match as context for the other signatures, not as evidence on its own.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (the same key in all 64 rows)
Process, in table order: rfrxllx.exe, jdppp.exe, jjdjp.exe, 2026224.exe, 4206284.exe, 244404.exe, 3300cc7823aed5036615ce13d1fd6a7ad86a2a4b850bb18681253d26f27d0385N.exe, g6402.exe, 862626.exe, bbtttt.exe, 26406.exe, vvddj.exe, 3hbbhb.exe, vpddp.exe, 226802.exe, xrllxxf.exe, 2680206.exe. The remaining 47 rows show "Process not Found": Triage could not map the event's PID to a tracked process, typically because the short-lived stage had already exited.
Suspicious use of WriteProcessMemory 64 IoCs
Columns: description | pid | Process | procid_target. The 64 rows are the 16 distinct writes below, each recorded four times in the original table. Every writer is the target of the previous row, so the table reads as a strict hand-off chain in the same order as the process tree.
PID 1996 wrote to memory of 1704 | 1996 | 3300cc7823aed5036615ce13d1fd6a7ad86a2a4b850bb18681253d26f27d0385N.exe | 30
PID 1704 wrote to memory of 2472 | 1704 | thbhtb.exe | 31
PID 2472 wrote to memory of 2888 | 2472 | tntnbh.exe | 32
PID 2888 wrote to memory of 2848 | 2888 | 0088888.exe | 33
PID 2848 wrote to memory of 2952 | 2848 | 202066.exe | 34
PID 2952 wrote to memory of 2864 | 2952 | llrxrfr.exe | 35
PID 2864 wrote to memory of 3048 | 2864 | 268222.exe | 36
PID 3048 wrote to memory of 3064 | 3048 | 2048428.exe | 37
PID 3064 wrote to memory of 2748 | 3064 | 1jjjj.exe | 38
PID 2748 wrote to memory of 2452 | 2748 | 6020602.exe | 39
PID 2452 wrote to memory of 2924 | 2452 | llfrxfr.exe | 40
PID 2924 wrote to memory of 1488 | 2924 | lrffrrx.exe | 41
PID 1488 wrote to memory of 1632 | 1488 | 6084028.exe | 42
PID 1632 wrote to memory of 3008 | 1632 | s8062.exe | 43
PID 3008 wrote to memory of 1748 | 3008 | tnhtbh.exe | 44
PID 1748 wrote to memory of 3012 | 1748 | 424404.exe | 45
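A parsing example for the two signature tables above (the family_blackmoon memory-dump names and the WriteProcessMemory rows). It is added here and is not Triage's own code or output: the sample rows are copied from this report, the regular expressions assume the row layout as rendered on this page, and the repeated WriteProcessMemory rows are collapsed to one edge per writer/target pair.

```python
"""Turn Triage signature rows from the report into structured data.

Added example for this report page, not Triage tooling. Sample rows are copied
from the report; the regexes assume the row layout as rendered on the page.
"""
import re
from collections import Counter

# Sample input (copied from the 'Detect Blackmoon payload' table): memory-dump
# resource names of the form behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
BLACKMOON_DUMPS = [
    "behavioral1/memory/1996-7-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/1704-11-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/2888-35-0x00000000003B0000-0x00000000003DA000-memory.dmp",
    "behavioral1/memory/2748-94-0x0000000000220000-0x000000000024A000-memory.dmp",
    "behavioral1/memory/2004-1089-0x0000000001C60000-0x0000000001C8A000-memory.dmp",
]

# Sample input (copied from the 'Suspicious use of WriteProcessMemory' table; the
# report repeats each row four times, two repeats kept here).
# Columns: description | pid | Process | procid_target
WPM_ROWS = """\
PID 1996 wrote to memory of 1704 1996 3300cc7823aed5036615ce13d1fd6a7ad86a2a4b850bb18681253d26f27d0385N.exe 30
PID 1996 wrote to memory of 1704 1996 3300cc7823aed5036615ce13d1fd6a7ad86a2a4b850bb18681253d26f27d0385N.exe 30
PID 1704 wrote to memory of 2472 1704 thbhtb.exe 31
PID 1704 wrote to memory of 2472 1704 thbhtb.exe 31
PID 2472 wrote to memory of 2888 2472 tntnbh.exe 32
PID 2472 wrote to memory of 2888 2472 tntnbh.exe 32
"""

DUMP_RE = re.compile(r"/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_dump(resource):
    """Split a Triage memory-dump resource name into pid, sequence number and region bounds."""
    m = DUMP_RE.search(resource)
    if m is None:
        raise ValueError(f"not a Triage memory dump name: {resource!r}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def region_sizes(resources):
    """Histogram of dumped-region sizes. A single dominant size across many PIDs means
    every dropped stage unpacks the same image: self-replication, not multi-stage staging."""
    return Counter(parse_dump(r)["size"] for r in resources)


def injection_chain(rows):
    """Collapse repeated WriteProcessMemory rows into an ordered list of
    (writer_pid, writer_image, target_pid) edges; first occurrence wins."""
    edges = []
    for line in rows.splitlines():
        m = WPM_RE.match(line.strip())
        if m is None:
            continue  # skip headers or wrapped fragments
        writer, target, _pid_col, image, _procid_target = m.groups()
        edge = (int(writer), image, int(target))
        if edge not in edges:
            edges.append(edge)
    return edges


def is_hand_off_chain(edges):
    """True when each target becomes the next writer (A writes B, B writes C, ...),
    the pattern in this report where every stage seeds exactly one successor."""
    return all(dst == nxt[0] for (_, _, dst), nxt in zip(edges, edges[1:]))


if __name__ == "__main__":
    print(region_sizes(BLACKMOON_DUMPS))  # Counter({172032: 5}): 0x2A000 for every dump
    for writer, image, target in injection_chain(WPM_ROWS):
        print(f"{image} ({writer}) -> {target}")
    print("linear hand-off:", is_hand_off_chain(injection_chain(WPM_ROWS)))
```

Run against the full tables, the size histogram collapses to a single 0x2A000 bucket and the write rows reduce to the same parent-to-child order the process tree shows, which is the quick way to confirm that the 122-deep tree is one sample re-dropping itself rather than a loader delivering distinct payloads.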
Processes
Columns: depth, image path, PID, signatures triggered by that process. Each process is the only child of the one above it, depth 1 to 122. The root was launched as "C:\Users\Admin\AppData\Local\Temp\3300cc7823aed5036615ce13d1fd6a7ad86a2a4b850bb18681253d26f27d0385N.exe"; every dropped EXE was launched as c:\<name>.exe with no arguments.
  1  C:\Users\Admin\AppData\Local\Temp\3300cc7823aed5036615ce13d1fd6a7ad86a2a4b850bb18681253d26f27d0385N.exe  PID:1996  [System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
  2  \??\c:\thbhtb.exe  PID:1704  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  3  \??\c:\tntnbh.exe  PID:2472  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  4  \??\c:\0088888.exe  PID:2888  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  5  \??\c:\202066.exe  PID:2848  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  6  \??\c:\llrxrfr.exe  PID:2952  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  7  \??\c:\268222.exe  PID:2864  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  8  \??\c:\2048428.exe  PID:3048  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  9  \??\c:\1jjjj.exe  PID:3064  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 10  \??\c:\6020602.exe  PID:2748  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 11  \??\c:\llfrxfr.exe  PID:2452  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 12  \??\c:\lrffrrx.exe  PID:2924  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 13  \??\c:\6084028.exe  PID:1488  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 14  \??\c:\s8062.exe  PID:1632  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 15  \??\c:\tnhtbh.exe  PID:3008  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 16  \??\c:\424404.exe  PID:1748  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 17  \??\c:\e02442.exe  PID:3012  [Executes dropped EXE]
 18  \??\c:\rlxxxxf.exe  PID:1500  [Executes dropped EXE]
 19  \??\c:\nnhhnt.exe  PID:1780  [Executes dropped EXE]
 20  \??\c:\e00442.exe  PID:2556  [Executes dropped EXE]
 21  \??\c:\pjddj.exe  PID:1512  [Executes dropped EXE]
 22  \??\c:\vvvjp.exe  PID:1040  [Executes dropped EXE]
 23  \??\c:\7xrxxfl.exe  PID:1976  [Executes dropped EXE]
 24  \??\c:\g6864.exe  PID:2508  [Executes dropped EXE]
 25  \??\c:\a2024.exe  PID:628  [Executes dropped EXE]
 26  \??\c:\8200880.exe  PID:2500  [Executes dropped EXE]
 27  \??\c:\hnhthn.exe  PID:1548  [Executes dropped EXE]
 28  \??\c:\7vpvd.exe  PID:2284  [Executes dropped EXE]
 29  \??\c:\1pjpv.exe  PID:2092  [Executes dropped EXE]
 30  \??\c:\ntnbnt.exe  PID:2200  [Executes dropped EXE]
 31  \??\c:\60402.exe  PID:2008  [Executes dropped EXE]
 32  \??\c:\004644.exe  PID:1984  [Executes dropped EXE]
 33  \??\c:\ppdvj.exe  PID:2024  [Executes dropped EXE]
 34  \??\c:\608620.exe  PID:2548  [Executes dropped EXE]
 35  \??\c:\7jdpd.exe  PID:1708  [Executes dropped EXE]
 36  \??\c:\tthntb.exe  PID:1940  [Executes dropped EXE]
 37  \??\c:\hnhthn.exe  PID:2472  [Executes dropped EXE]
 38  \??\c:\fxlrffx.exe  PID:2812  [Executes dropped EXE]
 39  \??\c:\u606228.exe  PID:2976  [Executes dropped EXE]
 40  \??\c:\642862.exe  PID:2968  [Executes dropped EXE]
 41  \??\c:\664680.exe  PID:1916  [Executes dropped EXE]
 42  \??\c:\btnthn.exe  PID:2740  [Executes dropped EXE]
 43  \??\c:\vpjvd.exe  PID:2504  [Executes dropped EXE]
 44  \??\c:\flrffrl.exe  PID:2816  [Executes dropped EXE]
 45  \??\c:\086204.exe  PID:2752  [Executes dropped EXE]
 46  \??\c:\ttbnth.exe  PID:2700  [Executes dropped EXE]
 47  \??\c:\2600280.exe  PID:2308  [Executes dropped EXE]
 48  \??\c:\3xxrlxl.exe  PID:2032  [Executes dropped EXE]
 49  \??\c:\jppdv.exe  PID:588  [Executes dropped EXE]
 50  \??\c:\httnhb.exe  PID:1696  [Executes dropped EXE]
 51  \??\c:\600660.exe  PID:1112  [Executes dropped EXE]
 52  \??\c:\4224282.exe  PID:2908  [Executes dropped EXE]
 53  \??\c:\004028.exe  PID:3032  [Executes dropped EXE]
 54  \??\c:\264684.exe  PID:2260  [Executes dropped EXE]
 55  \??\c:\6028446.exe  PID:2172  [Executes dropped EXE]
 56  \??\c:\82080.exe  PID:1276  [Executes dropped EXE]
 57  \??\c:\xlfxlfr.exe  PID:2932  [Executes dropped EXE]
 58  \??\c:\rlflrxr.exe  PID:1500  [Executes dropped EXE]
 59  \??\c:\k42248.exe  PID:2544  [Executes dropped EXE]
 60  \??\c:\s2062.exe  PID:1816  [Executes dropped EXE]
 61  \??\c:\vdpvd.exe  PID:2376  [Executes dropped EXE]
 62  \??\c:\4480460.exe  PID:2484  [Executes dropped EXE]
 63  \??\c:\1bttbb.exe  PID:1040  [Executes dropped EXE]
 64  \??\c:\1lxxxfr.exe  PID:2068  [Executes dropped EXE]
 65  \??\c:\888046.exe  PID:2152  [Executes dropped EXE]
 66  \??\c:\4244042.exe  PID:2508
 67  \??\c:\5jvpp.exe  PID:2396
 68  \??\c:\rrlrflx.exe  PID:1064
 69  \??\c:\pdpvj.exe  PID:1636
 70  \??\c:\1hhhbb.exe  PID:2428
 71  \??\c:\080662.exe  PID:552
 72  \??\c:\7tntbt.exe  PID:2616
 73  \??\c:\6040224.exe  PID:1652
 74  \??\c:\20246.exe  PID:892
 75  \??\c:\8684606.exe  PID:1892
 76  \??\c:\0860886.exe  PID:2592
 77  \??\c:\c284224.exe  PID:1600
 78  \??\c:\k08466.exe  PID:1256
 79  \??\c:\3hbbhb.exe  PID:2528  [System Location Discovery: System Language Discovery]
 80  \??\c:\g0448.exe  PID:2796
 81  \??\c:\s2624.exe  PID:2948
 82  \??\c:\642466.exe  PID:3040
 83  \??\c:\260280.exe  PID:2860
 84  \??\c:\280400.exe  PID:2968
 85  \??\c:\0480842.exe  PID:2564
 86  \??\c:\1bhnbb.exe  PID:3052
 87  \??\c:\1jdpv.exe  PID:2504
 88  \??\c:\fxrxflx.exe  PID:2816
 89  \??\c:\rrlrxfx.exe  PID:608
 90  \??\c:\446042.exe  PID:2872
 91  \??\c:\5pvjj.exe  PID:2656
 92  \??\c:\rlxxfxr.exe  PID:684
 93  \??\c:\lllrflx.exe  PID:588
 94  \??\c:\g6468.exe  PID:2940
 95  \??\c:\8640886.exe  PID:2904
 96  \??\c:\fflxrxl.exe  PID:2908
 97  \??\c:\9fxffll.exe  PID:3032
 98  \??\c:\84240.exe  PID:2884
 99  \??\c:\22640.exe  PID:1680
100  \??\c:\tnntbh.exe  PID:1044
101  \??\c:\008484.exe  PID:2932
102  \??\c:\flrrfxl.exe  PID:2612
103  \??\c:\2286420.exe  PID:2644
104  \??\c:\824628.exe  PID:2080
105  \??\c:\04402.exe  PID:2668
106  \??\c:\tbtbtn.exe  PID:2480
107  \??\c:\hbbbnh.exe  PID:1976
108  \??\c:\60082.exe  PID:1836
109  \??\c:\264466.exe  PID:2152
110  \??\c:\djdpv.exe  PID:2508
111  \??\c:\822002.exe  PID:2396
112  \??\c:\7rlrlxl.exe  PID:1548
113  \??\c:\004242.exe  PID:2476
114  \??\c:\ttntbh.exe  PID:2020
115  \??\c:\djjpp.exe  PID:624
116  \??\c:\ppjvd.exe  PID:2624
117  \??\c:\0428024.exe  PID:1156
118  \??\c:\e48640.exe  PID:1640
119  \??\c:\m2620.exe  PID:2444
120  \??\c:\xfflrrf.exe  PID:2440
121  \??\c:\7nhntt.exe  PID:2592
122  \??\c:\dddjv.exe  PID:1592