Analysis
max time kernel: 120s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/10/2024, 06:11
Static task: static1
Behavioral task: behavioral1
Sample: 59c5f8df0e322c415f2ab1b58460094d05660e2fbef766e6820f65fc8ecb88fdN.exe
Resource: win7-20240903-en
General
Target: 59c5f8df0e322c415f2ab1b58460094d05660e2fbef766e6820f65fc8ecb88fdN.exe
Size: 453KB
MD5: a9a3bf7ea50a25aacaf724caabf48f40
SHA1: c0957404600daf9e4216a297b1d710813c5b54a2
SHA256: 59c5f8df0e322c415f2ab1b58460094d05660e2fbef766e6820f65fc8ecb88fd
SHA512: 1077e3103cc859e7bf5b74208046205c07fe1f24d50e8ba6ac6504f4b4487413b2f2b4157fc90df48465e5df83f82d5dadf9948baa74373616d66ea78215df81
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
Detect Blackmoon payload (63 IoCs)
Executes dropped EXE (64 IoCs)
UPX (yara_rule: upx)
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry gives the process tree depth, the image path, the PID and the signatures triggered by that process.

1. C:\Users\Admin\AppData\Local\Temp\59c5f8df0e322c415f2ab1b58460094d05660e2fbef766e6820f65fc8ecb88fdN.exe (PID 2788) - Suspicious use of WriteProcessMemory
2. \??\c:\864286.exe (PID 1036) - Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\hhhbht.exe (PID 3088) - Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\02048.exe (PID 2996) - Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\dvpjd.exe (PID 5016) - Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\606048.exe (PID 752) - Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\nnnhbt.exe (PID 4240) - Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\thbtnh.exe (PID 1880) - Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\m6204.exe (PID 1492) - Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\40822.exe (PID 3996) - Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\frxxxxf.exe (PID 2736) - Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\4468240.exe (PID 1692) - Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\vppjj.exe (PID 1044) - Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\00004.exe (PID 2620) - Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\thhbbb.exe (PID 2624) - Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\vvddp.exe (PID 3972) - Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\vvvjd.exe (PID 4736) - Executes dropped EXE; Suspicious use of WriteProcessMemory
18. \??\c:\800448.exe (PID 3708) - Executes dropped EXE; Suspicious use of WriteProcessMemory
19. \??\c:\9hnhbh.exe (PID 2368) - Executes dropped EXE; Suspicious use of WriteProcessMemory
20. \??\c:\8286000.exe (PID 1988) - Executes dropped EXE; Suspicious use of WriteProcessMemory
21. \??\c:\bhnnnn.exe (PID 3920) - Executes dropped EXE; Suspicious use of WriteProcessMemory
22. \??\c:\vvvpj.exe (PID 860) - Executes dropped EXE; Suspicious use of WriteProcessMemory
23. \??\c:\6004882.exe (PID 3312) - Executes dropped EXE
24. \??\c:\thhhhb.exe (PID 4556) - Executes dropped EXE
25. \??\c:\9vpvj.exe (PID 4520) - Executes dropped EXE
26. \??\c:\2688880.exe (PID 3492) - Executes dropped EXE
27. \??\c:\vpjjd.exe (PID 4820) - Executes dropped EXE
28. \??\c:\rffflff.exe (PID 2512) - Executes dropped EXE
29. \??\c:\rxflllf.exe (PID 4184) - Executes dropped EXE
30. \??\c:\8660004.exe (PID 2020) - Executes dropped EXE
31. \??\c:\668260.exe (PID 724) - Executes dropped EXE
32. \??\c:\a4288.exe (PID 4444) - Executes dropped EXE
33. \??\c:\btntnt.exe (PID 2464) - Executes dropped EXE
34. \??\c:\pjpjp.exe (PID 1612) - Executes dropped EXE
35. \??\c:\s8826.exe (PID 4848) - Executes dropped EXE; System Location Discovery: System Language Discovery
36. \??\c:\8060448.exe (PID 2964) - Executes dropped EXE
37. \??\c:\48262.exe (PID 3504) - Executes dropped EXE
38. \??\c:\06826.exe (PID 3424) - Executes dropped EXE
39. \??\c:\6288668.exe (PID 4200) - Executes dropped EXE
40. \??\c:\vjpjd.exe (PID 3256) - Executes dropped EXE
41. \??\c:\k88202.exe (PID 3472) - Executes dropped EXE
42. \??\c:\20860.exe (PID 4620) - Executes dropped EXE
43. \??\c:\ttbtnn.exe (PID 4420) - Executes dropped EXE
44. \??\c:\0626448.exe (PID 1628) - Executes dropped EXE
45. \??\c:\nbhbnn.exe (PID 3316) - Executes dropped EXE
46. \??\c:\880422.exe (PID 4680) - Executes dropped EXE
47. \??\c:\xxxrllf.exe (PID 3032) - Executes dropped EXE
48. \??\c:\fxffxxf.exe (PID 2032) - Executes dropped EXE
49. \??\c:\6426268.exe (PID 1836) - Executes dropped EXE
50. \??\c:\5fflfxx.exe (PID 2268) - Executes dropped EXE
51. \??\c:\486480.exe (PID 3520) - Executes dropped EXE
52. \??\c:\062266.exe (PID 2676) - Executes dropped EXE
53. \??\c:\688222.exe (PID 2100) - Executes dropped EXE
54. \??\c:\hbhbbb.exe (PID 5016) - Executes dropped EXE
55. \??\c:\pvddp.exe (PID 4880) - Executes dropped EXE
56. \??\c:\lllrllf.exe (PID 1704) - Executes dropped EXE
57. \??\c:\040400.exe (PID 4500) - Executes dropped EXE
58. \??\c:\s4082.exe (PID 968) - Executes dropped EXE
59. \??\c:\bhnhtt.exe (PID 1420) - Executes dropped EXE
60. \??\c:\84600.exe (PID 5116) - Executes dropped EXE
61. \??\c:\xlffxrl.exe (PID 3780) - Executes dropped EXE
62. \??\c:\06260.exe (PID 4996) - Executes dropped EXE
63. \??\c:\5jjdv.exe (PID 1444) - Executes dropped EXE
64. \??\c:\82264.exe (PID 3872) - Executes dropped EXE
65. \??\c:\frxrllf.exe (PID 2736) - Executes dropped EXE
66. \??\c:\7tnnhh.exe (PID 4144)
67. \??\c:\9ddpj.exe (PID 3468)
68. \??\c:\606088.exe (PID 2620)
69. \??\c:\6048226.exe (PID 4512)
70. \??\c:\xlllrrl.exe (PID 2028)
71. \??\c:\s6866.exe (PID 3836)
72. \??\c:\440600.exe (PID 3868)
73. \??\c:\84048.exe (PID 3508)
74. \??\c:\88042.exe (PID 2120)
75. \??\c:\844888.exe (PID 3788)
76. \??\c:\k00444.exe (PID 3484)
77. \??\c:\2660482.exe (PID 4660)
78. \??\c:\btnhhh.exe (PID 4116)
79. \??\c:\4886400.exe (PID 4812)
80. \??\c:\nhttbb.exe (PID 412)
81. \??\c:\dddjd.exe (PID 4708)
82. \??\c:\1pjdv.exe (PID 1732) - System Location Discovery: System Language Discovery
83. \??\c:\60266.exe (PID 1264)
84. \??\c:\5rrlfxr.exe (PID 1000) - System Location Discovery: System Language Discovery
85. \??\c:\lfrrrxr.exe (PID 1612)
86. \??\c:\lxflllf.exe (PID 2652)
87. \??\c:\6288224.exe (PID 2784)
88. \??\c:\0066008.exe (PID 3424)
89. \??\c:\8660482.exe (PID 1548)
90. \??\c:\2606626.exe (PID 2568)
91. \??\c:\440044.exe (PID 3740)
92. \??\c:\20484.exe (PID 2356)
93. \??\c:\9xfxrrr.exe (PID 3456)
94. \??\c:\pdjdv.exe (PID 768)
95. \??\c:\htbttn.exe (PID 2608)
96. \??\c:\nnbtnn.exe (PID 2016)
97. \??\c:\btnhnh.exe (PID 1844)
98. \??\c:\u226044.exe (PID 4416)
99. \??\c:\2426044.exe (PID 2996)
100. \??\c:\nbnthb.exe (PID 3636)
101. \??\c:\jjppv.exe (PID 920)
102. \??\c:\k00400.exe (PID 952)
103. \??\c:\lxfxllf.exe (PID 4800)
104. \??\c:\4488642.exe (PID 3036)
105. \??\c:\pdjjd.exe (PID 1720)
106. \??\c:\2626448.exe (PID 836)
107. \??\c:\rxrfxrl.exe (PID 1704)
108. \??\c:\jdjdd.exe (PID 4640)
109. \??\c:\428884.exe (PID 832)
110. \??\c:\5jjjj.exe (PID 752)
111. \??\c:\lffxllf.exe (PID 4740)
112. \??\c:\jpvjp.exe (PID 5012)
113. \??\c:\4006260.exe (PID 4704)
114. \??\c:\djjdp.exe (PID 3780)
115. \??\c:\i066004.exe (PID 4196)
116. \??\c:\8062224.exe (PID 3948)
117. \??\c:\jpvpj.exe (PID 3572)
118. \??\c:\frxrrlf.exe (PID 380)
119. \??\c:\bbttnb.exe (PID 3148)
120. \??\c:\nhtnnn.exe (PID 4284)
121. \??\c:\s0660.exe (PID 4224)
122. \??\c:\xxfxxrr.exe (PID 516)