Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 00:31
Static task
static1
Behavioral task
behavioral1
Sample
38585a00e12efc5c10e7490e9161bf6376ec12a511ee713de722755a81e566d6.exe
Resource
win7-20240903-en
General
-
Target
38585a00e12efc5c10e7490e9161bf6376ec12a511ee713de722755a81e566d6.exe
-
Size
456KB
-
MD5
e777a5bec06039749e52a2a6779eade6
-
SHA1
7e64a631b14448ca457aa571fa05b348a493442b
-
SHA256
38585a00e12efc5c10e7490e9161bf6376ec12a511ee713de722755a81e566d6
-
SHA512
660a50a9655be3948c4d05947e52e476dcf14b27bcc88a59176c2aca3c34ccc4a6d12d35918befa9c595013b2ac93dd6a3a3088a13367a7604b486ca3cc685e7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeLV:q7Tc2NYHUrAwfMp3CDLV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1512-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2272-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/584-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2820-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/592-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-938-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-1224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-1568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1984 hbhbbt.exe 1584 nhhbhb.exe 2804 q64628.exe 4792 bbtnbt.exe 1140 2842060.exe 4196 q64620.exe 944 9tbhtn.exe 2796 82642.exe 3176 c820420.exe 1832 20426.exe 3052 8000482.exe 5032 htnbnh.exe 1004 rxrlrlx.exe 3516 0660426.exe 4084 bnnnhh.exe 3148 pvjdp.exe 3640 rfrflfr.exe 2832 ffxxrlf.exe 2384 q28224.exe 4152 20420.exe 4132 840824.exe 3940 4886082.exe 5040 8882486.exe 1752 k42648.exe 2272 vpjdv.exe 2252 822604.exe 3680 rrrfxrf.exe 228 htbttn.exe 5060 q84208.exe 724 u448642.exe 4396 hbbtht.exe 3020 dvvjv.exe 1596 26822.exe 4824 604484.exe 2848 k06604.exe 2356 jvpjj.exe 1204 2482602.exe 376 840086.exe 3432 tnhtnh.exe 3512 26020.exe 972 5pjjj.exe 584 vdddp.exe 4128 020822.exe 4672 vvvpj.exe 2868 02864.exe 1848 8220820.exe 1868 xrlfrlx.exe 3584 xlrfxfr.exe 4420 0262028.exe 4220 nbhtbn.exe 1512 240842.exe 2028 hbthth.exe 3928 6486688.exe 4952 9jjpj.exe 4884 2060448.exe 4572 flrrllf.exe 1560 vppjv.exe 2740 thnhbb.exe 3988 0028282.exe 2772 hbhbbt.exe 2144 hhthbb.exe 1028 4826604.exe 1116 88482.exe 2820 nhbtnb.exe -
resource yara_rule behavioral2/memory/1512-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-154-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3680-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/584-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-338-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4956-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/592-799-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4426662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6244226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o462682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1512 wrote to memory of 1984 1512 38585a00e12efc5c10e7490e9161bf6376ec12a511ee713de722755a81e566d6.exe 83 PID 1512 wrote to memory of 1984 1512 38585a00e12efc5c10e7490e9161bf6376ec12a511ee713de722755a81e566d6.exe 83 PID 1512 wrote to memory of 1984 1512 38585a00e12efc5c10e7490e9161bf6376ec12a511ee713de722755a81e566d6.exe 83 PID 1984 wrote to memory of 1584 1984 hbhbbt.exe 84 PID 1984 wrote to memory of 1584 1984 hbhbbt.exe 84 PID 1984 wrote to memory of 1584 1984 hbhbbt.exe 84 PID 1584 wrote to memory of 2804 1584 nhhbhb.exe 85 PID 1584 wrote to memory of 2804 1584 nhhbhb.exe 85 PID 1584 wrote to memory of 2804 1584 nhhbhb.exe 85 PID 2804 wrote to memory of 4792 2804 q64628.exe 86 PID 2804 wrote to memory of 4792 2804 q64628.exe 86 PID 2804 wrote to memory of 4792 2804 q64628.exe 86 PID 4792 wrote to memory of 1140 4792 bbtnbt.exe 87 PID 4792 wrote to memory of 1140 4792 bbtnbt.exe 87 PID 4792 wrote to memory of 1140 4792 bbtnbt.exe 87 PID 1140 wrote to memory of 4196 1140 2842060.exe 88 PID 1140 wrote to memory of 4196 1140 2842060.exe 88 PID 1140 wrote to memory of 4196 1140 2842060.exe 88 PID 4196 wrote to memory of 944 4196 q64620.exe 89 PID 4196 wrote to memory of 944 4196 q64620.exe 89 PID 4196 wrote to memory of 944 4196 q64620.exe 89 PID 944 wrote to memory of 2796 944 9tbhtn.exe 90 PID 944 wrote to memory of 2796 944 9tbhtn.exe 90 PID 944 wrote to memory of 2796 944 9tbhtn.exe 90 PID 2796 wrote to memory of 3176 2796 82642.exe 91 PID 2796 wrote to memory of 3176 2796 82642.exe 91 PID 2796 wrote to memory of 3176 2796 82642.exe 91 PID 3176 wrote to memory of 1832 3176 c820420.exe 92 PID 3176 wrote to memory of 1832 3176 c820420.exe 92 PID 3176 wrote to memory of 1832 3176 c820420.exe 92 PID 1832 wrote to memory of 3052 1832 20426.exe 93 PID 1832 wrote to memory of 3052 1832 20426.exe 93 PID 1832 wrote to memory of 3052 1832 20426.exe 93 PID 3052 wrote to memory of 5032 3052 8000482.exe 94 PID 3052 wrote to memory of 
5032 3052 8000482.exe 94 PID 3052 wrote to memory of 5032 3052 8000482.exe 94 PID 5032 wrote to memory of 1004 5032 htnbnh.exe 95 PID 5032 wrote to memory of 1004 5032 htnbnh.exe 95 PID 5032 wrote to memory of 1004 5032 htnbnh.exe 95 PID 1004 wrote to memory of 3516 1004 rxrlrlx.exe 96 PID 1004 wrote to memory of 3516 1004 rxrlrlx.exe 96 PID 1004 wrote to memory of 3516 1004 rxrlrlx.exe 96 PID 3516 wrote to memory of 4084 3516 0660426.exe 97 PID 3516 wrote to memory of 4084 3516 0660426.exe 97 PID 3516 wrote to memory of 4084 3516 0660426.exe 97 PID 4084 wrote to memory of 3148 4084 bnnnhh.exe 98 PID 4084 wrote to memory of 3148 4084 bnnnhh.exe 98 PID 4084 wrote to memory of 3148 4084 bnnnhh.exe 98 PID 3148 wrote to memory of 3640 3148 pvjdp.exe 99 PID 3148 wrote to memory of 3640 3148 pvjdp.exe 99 PID 3148 wrote to memory of 3640 3148 pvjdp.exe 99 PID 3640 wrote to memory of 2832 3640 rfrflfr.exe 100 PID 3640 wrote to memory of 2832 3640 rfrflfr.exe 100 PID 3640 wrote to memory of 2832 3640 rfrflfr.exe 100 PID 2832 wrote to memory of 2384 2832 ffxxrlf.exe 101 PID 2832 wrote to memory of 2384 2832 ffxxrlf.exe 101 PID 2832 wrote to memory of 2384 2832 ffxxrlf.exe 101 PID 2384 wrote to memory of 4152 2384 q28224.exe 102 PID 2384 wrote to memory of 4152 2384 q28224.exe 102 PID 2384 wrote to memory of 4152 2384 q28224.exe 102 PID 4152 wrote to memory of 4132 4152 20420.exe 103 PID 4152 wrote to memory of 4132 4152 20420.exe 103 PID 4152 wrote to memory of 4132 4152 20420.exe 103 PID 4132 wrote to memory of 3940 4132 840824.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\38585a00e12efc5c10e7490e9161bf6376ec12a511ee713de722755a81e566d6.exe"C:\Users\Admin\AppData\Local\Temp\38585a00e12efc5c10e7490e9161bf6376ec12a511ee713de722755a81e566d6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\hbhbbt.exec:\hbhbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\nhhbhb.exec:\nhhbhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\q64628.exec:\q64628.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\bbtnbt.exec:\bbtnbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\2842060.exec:\2842060.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\q64620.exec:\q64620.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\9tbhtn.exec:\9tbhtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\82642.exec:\82642.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\c820420.exec:\c820420.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\20426.exec:\20426.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\8000482.exec:\8000482.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\htnbnh.exec:\htnbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\rxrlrlx.exec:\rxrlrlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\0660426.exec:\0660426.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\bnnnhh.exec:\bnnnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\pvjdp.exec:\pvjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\rfrflfr.exec:\rfrflfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\ffxxrlf.exec:\ffxxrlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\q28224.exec:\q28224.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\20420.exec:\20420.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\840824.exec:\840824.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\4886082.exec:\4886082.exe23⤵
- Executes dropped EXE
PID:3940 -
\??\c:\8882486.exec:\8882486.exe24⤵
- Executes dropped EXE
PID:5040 -
\??\c:\k42648.exec:\k42648.exe25⤵
- Executes dropped EXE
PID:1752 -
\??\c:\vpjdv.exec:\vpjdv.exe26⤵
- Executes dropped EXE
PID:2272 -
\??\c:\822604.exec:\822604.exe27⤵
- Executes dropped EXE
PID:2252 -
\??\c:\rrrfxrf.exec:\rrrfxrf.exe28⤵
- Executes dropped EXE
PID:3680 -
\??\c:\htbttn.exec:\htbttn.exe29⤵
- Executes dropped EXE
PID:228 -
\??\c:\q84208.exec:\q84208.exe30⤵
- Executes dropped EXE
PID:5060 -
\??\c:\u448642.exec:\u448642.exe31⤵
- Executes dropped EXE
PID:724 -
\??\c:\hbbtht.exec:\hbbtht.exe32⤵
- Executes dropped EXE
PID:4396 -
\??\c:\dvvjv.exec:\dvvjv.exe33⤵
- Executes dropped EXE
PID:3020 -
\??\c:\26822.exec:\26822.exe34⤵
- Executes dropped EXE
PID:1596 -
\??\c:\604484.exec:\604484.exe35⤵
- Executes dropped EXE
PID:4824 -
\??\c:\k06604.exec:\k06604.exe36⤵
- Executes dropped EXE
PID:2848 -
\??\c:\jvpjj.exec:\jvpjj.exe37⤵
- Executes dropped EXE
PID:2356 -
\??\c:\2482602.exec:\2482602.exe38⤵
- Executes dropped EXE
PID:1204 -
\??\c:\840086.exec:\840086.exe39⤵
- Executes dropped EXE
PID:376 -
\??\c:\tnhtnh.exec:\tnhtnh.exe40⤵
- Executes dropped EXE
PID:3432 -
\??\c:\26020.exec:\26020.exe41⤵
- Executes dropped EXE
PID:3512 -
\??\c:\5pjjj.exec:\5pjjj.exe42⤵
- Executes dropped EXE
PID:972 -
\??\c:\vdddp.exec:\vdddp.exe43⤵
- Executes dropped EXE
PID:584 -
\??\c:\020822.exec:\020822.exe44⤵
- Executes dropped EXE
PID:4128 -
\??\c:\vvvpj.exec:\vvvpj.exe45⤵
- Executes dropped EXE
PID:4672 -
\??\c:\02864.exec:\02864.exe46⤵
- Executes dropped EXE
PID:2868 -
\??\c:\8220820.exec:\8220820.exe47⤵
- Executes dropped EXE
PID:1848 -
\??\c:\xrlfrlx.exec:\xrlfrlx.exe48⤵
- Executes dropped EXE
PID:1868 -
\??\c:\xlrfxfr.exec:\xlrfxfr.exe49⤵
- Executes dropped EXE
PID:3584 -
\??\c:\0262028.exec:\0262028.exe50⤵
- Executes dropped EXE
PID:4420 -
\??\c:\nbhtbn.exec:\nbhtbn.exe51⤵
- Executes dropped EXE
PID:4220 -
\??\c:\240842.exec:\240842.exe52⤵
- Executes dropped EXE
PID:1512 -
\??\c:\hbthth.exec:\hbthth.exe53⤵
- Executes dropped EXE
PID:2028 -
\??\c:\6486688.exec:\6486688.exe54⤵
- Executes dropped EXE
PID:3928 -
\??\c:\9jjpj.exec:\9jjpj.exe55⤵
- Executes dropped EXE
PID:4952 -
\??\c:\2060448.exec:\2060448.exe56⤵
- Executes dropped EXE
PID:4884 -
\??\c:\flrrllf.exec:\flrrllf.exe57⤵
- Executes dropped EXE
PID:4572 -
\??\c:\vppjv.exec:\vppjv.exe58⤵
- Executes dropped EXE
PID:1560 -
\??\c:\thnhbb.exec:\thnhbb.exe59⤵
- Executes dropped EXE
PID:2740 -
\??\c:\0028282.exec:\0028282.exe60⤵
- Executes dropped EXE
PID:3988 -
\??\c:\hbhbbt.exec:\hbhbbt.exe61⤵
- Executes dropped EXE
PID:2772 -
\??\c:\hhthbb.exec:\hhthbb.exe62⤵
- Executes dropped EXE
PID:2144 -
\??\c:\4826604.exec:\4826604.exe63⤵
- Executes dropped EXE
PID:1028 -
\??\c:\88482.exec:\88482.exe64⤵
- Executes dropped EXE
PID:1116 -
\??\c:\nhbtnb.exec:\nhbtnb.exe65⤵
- Executes dropped EXE
PID:2820 -
\??\c:\vpdvd.exec:\vpdvd.exe66⤵PID:1936
-
\??\c:\642060.exec:\642060.exe67⤵PID:4712
-
\??\c:\g0042.exec:\g0042.exe68⤵PID:4044
-
\??\c:\6244226.exec:\6244226.exe69⤵
- System Location Discovery: System Language Discovery
PID:4296 -
\??\c:\0488448.exec:\0488448.exe70⤵PID:1704
-
\??\c:\46282.exec:\46282.exe71⤵PID:4216
-
\??\c:\fxxrffx.exec:\fxxrffx.exe72⤵PID:4924
-
\??\c:\06226.exec:\06226.exe73⤵PID:224
-
\??\c:\frxrllf.exec:\frxrllf.exe74⤵PID:5012
-
\??\c:\3lrlrrr.exec:\3lrlrrr.exe75⤵PID:3684
-
\??\c:\48044.exec:\48044.exe76⤵PID:4948
-
\??\c:\lxxrffx.exec:\lxxrffx.exe77⤵PID:4404
-
\??\c:\084260.exec:\084260.exe78⤵PID:4116
-
\??\c:\rxfxxlf.exec:\rxfxxlf.exe79⤵PID:4956
-
\??\c:\2406448.exec:\2406448.exe80⤵PID:928
-
\??\c:\pjpjd.exec:\pjpjd.exe81⤵PID:880
-
\??\c:\thnhhh.exec:\thnhhh.exe82⤵PID:1420
-
\??\c:\frfxllf.exec:\frfxllf.exe83⤵PID:1700
-
\??\c:\82664.exec:\82664.exe84⤵PID:3940
-
\??\c:\bntnhb.exec:\bntnhb.exe85⤵PID:1068
-
\??\c:\hnnhtt.exec:\hnnhtt.exe86⤵PID:1752
-
\??\c:\bthbhh.exec:\bthbhh.exe87⤵PID:4912
-
\??\c:\84044.exec:\84044.exe88⤵PID:4192
-
\??\c:\m6860.exec:\m6860.exe89⤵PID:4720
-
\??\c:\btbtth.exec:\btbtth.exe90⤵PID:3400
-
\??\c:\rxlfrrf.exec:\rxlfrrf.exe91⤵PID:2516
-
\??\c:\606040.exec:\606040.exe92⤵PID:5112
-
\??\c:\5bbnnn.exec:\5bbnnn.exe93⤵PID:1840
-
\??\c:\tntnbt.exec:\tntnbt.exe94⤵PID:3368
-
\??\c:\xlxllfx.exec:\xlxllfx.exe95⤵PID:1020
-
\??\c:\84048.exec:\84048.exe96⤵PID:368
-
\??\c:\62082.exec:\62082.exe97⤵PID:3628
-
\??\c:\802660.exec:\802660.exe98⤵PID:1672
-
\??\c:\6848266.exec:\6848266.exe99⤵PID:4824
-
\??\c:\vpppj.exec:\vpppj.exe100⤵PID:2848
-
\??\c:\66604.exec:\66604.exe101⤵PID:2356
-
\??\c:\vvjdv.exec:\vvjdv.exe102⤵PID:1204
-
\??\c:\2248844.exec:\2248844.exe103⤵PID:4772
-
\??\c:\3bbttt.exec:\3bbttt.exe104⤵PID:1800
-
\??\c:\82220.exec:\82220.exe105⤵PID:592
-
\??\c:\o682600.exec:\o682600.exe106⤵PID:1452
-
\??\c:\ppjdd.exec:\ppjdd.exe107⤵PID:3648
-
\??\c:\lffxrrl.exec:\lffxrrl.exe108⤵PID:1092
-
\??\c:\nhnnhh.exec:\nhnnhh.exe109⤵PID:772
-
\??\c:\5bhbtb.exec:\5bhbtb.exe110⤵PID:4636
-
\??\c:\0686008.exec:\0686008.exe111⤵PID:2280
-
\??\c:\088268.exec:\088268.exe112⤵PID:3644
-
\??\c:\42048.exec:\42048.exe113⤵PID:4428
-
\??\c:\httnnh.exec:\httnnh.exe114⤵PID:860
-
\??\c:\jpvpj.exec:\jpvpj.exe115⤵PID:2300
-
\??\c:\vdjdv.exec:\vdjdv.exe116⤵
- System Location Discovery: System Language Discovery
PID:1984 -
\??\c:\7pvvd.exec:\7pvvd.exe117⤵PID:1588
-
\??\c:\vpjjd.exec:\vpjjd.exe118⤵PID:1548
-
\??\c:\1xfxrrl.exec:\1xfxrrl.exe119⤵PID:2116
-
\??\c:\5ntthn.exec:\5ntthn.exe120⤵PID:1760
-
\??\c:\40260.exec:\40260.exe121⤵
- System Location Discovery: System Language Discovery
PID:3596 -
\??\c:\lffxllf.exec:\lffxllf.exe122⤵PID:1644