Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 00:37
Static task
static1
Behavioral task
behavioral1
Sample
b58a5533cfad11ecb27998d91f80f633941a303ca3d5e7897d41bd2f9c1820f9.exe
Resource
win7-20240729-en
General
-
Target
b58a5533cfad11ecb27998d91f80f633941a303ca3d5e7897d41bd2f9c1820f9.exe
-
Size
456KB
-
MD5
a0682084762c8b43e2b90c401f22143f
-
SHA1
a4058f7ec326914611cf8081a70187f017b6c74c
-
SHA256
b58a5533cfad11ecb27998d91f80f633941a303ca3d5e7897d41bd2f9c1820f9
-
SHA512
c51285661f46543e219d584525a98f0d17b57656b0535f5336d79dd889a7a7c7113ee7b5e9e3e702555ac1f03d6eb94f34882ac16a3d9e933e4425196bc9156d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRx:q7Tc2NYHUrAwfMp3CDRx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2752-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4072-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5024-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-964-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-1085-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 692 4266668.exe 4504 nbhnht.exe 2024 hbbnhb.exe 3664 u660860.exe 4868 tnnbnb.exe 2724 nhbbbb.exe 3376 88482.exe 1924 nhbntn.exe 5116 22826.exe 1364 04622.exe 2916 862060.exe 5080 4408264.exe 2432 7jdpd.exe 2500 4226420.exe 1660 206048.exe 5024 5nnbnh.exe 4488 2664208.exe 2560 9xrlxrf.exe 4756 tbbtht.exe 3672 644206.exe 2960 08068.exe 4660 86260.exe 2064 jvdvv.exe 736 rrxrxxf.exe 1548 9ppjd.exe 4072 fflfxrl.exe 1508 068406.exe 4324 5nhhbb.exe 1320 tnhtbb.exe 3436 bnhbtn.exe 2448 4060448.exe 404 xlllffx.exe 1540 44444.exe 3944 tnbtbb.exe 3652 886488.exe 4608 8244440.exe 1584 424044.exe 3108 1rxxlfx.exe 2640 xrfxxxf.exe 5108 jvddv.exe 4456 04448.exe 1448 60028.exe 3020 lffxrxr.exe 1216 pdddp.exe 4676 llrfrfx.exe 4552 600044.exe 2480 jpvdp.exe 468 3jvpd.exe 2084 llrrrrx.exe 1304 9lrlrlr.exe 4244 llrfxrl.exe 3236 jvvpd.exe 1960 dpvpj.exe 412 m8202.exe 4868 2420080.exe 544 jjpjv.exe 4916 4666448.exe 464 206044.exe 2300 268288.exe 5116 fxfrlfx.exe 1956 20604.exe 1192 84482.exe 3476 bhnbtn.exe 3304 84608.exe -
resource yara_rule behavioral2/memory/2752-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-154-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1508-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-351-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2488-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-964-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k40208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 644206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0884260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w60208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xffxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4286048.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2752 wrote to memory of 692 2752 b58a5533cfad11ecb27998d91f80f633941a303ca3d5e7897d41bd2f9c1820f9.exe 83 PID 2752 wrote to memory of 692 2752 b58a5533cfad11ecb27998d91f80f633941a303ca3d5e7897d41bd2f9c1820f9.exe 83 PID 2752 wrote to memory of 692 2752 b58a5533cfad11ecb27998d91f80f633941a303ca3d5e7897d41bd2f9c1820f9.exe 83 PID 692 wrote to memory of 4504 692 4266668.exe 84 PID 692 wrote to memory of 4504 692 4266668.exe 84 PID 692 wrote to memory of 4504 692 4266668.exe 84 PID 4504 wrote to memory of 2024 4504 nbhnht.exe 85 PID 4504 wrote to memory of 2024 4504 nbhnht.exe 85 PID 4504 wrote to memory of 2024 4504 nbhnht.exe 85 PID 2024 wrote to memory of 3664 2024 hbbnhb.exe 86 PID 2024 wrote to memory of 3664 2024 hbbnhb.exe 86 PID 2024 wrote to memory of 3664 2024 hbbnhb.exe 86 PID 3664 wrote to memory of 4868 3664 u660860.exe 87 PID 3664 wrote to memory of 4868 3664 u660860.exe 87 PID 3664 wrote to memory of 4868 3664 u660860.exe 87 PID 4868 wrote to memory of 2724 4868 tnnbnb.exe 88 PID 4868 wrote to memory of 2724 4868 tnnbnb.exe 88 PID 4868 wrote to memory of 2724 4868 tnnbnb.exe 88 PID 2724 wrote to memory of 3376 2724 nhbbbb.exe 89 PID 2724 wrote to memory of 3376 2724 nhbbbb.exe 89 PID 2724 wrote to memory of 3376 2724 nhbbbb.exe 89 PID 3376 wrote to memory of 1924 3376 88482.exe 90 PID 3376 wrote to memory of 1924 3376 88482.exe 90 PID 3376 wrote to memory of 1924 3376 88482.exe 90 PID 1924 wrote to memory of 5116 1924 nhbntn.exe 91 PID 1924 wrote to memory of 5116 1924 nhbntn.exe 91 PID 1924 wrote to memory of 5116 1924 nhbntn.exe 91 PID 5116 wrote to memory of 1364 5116 22826.exe 92 PID 5116 wrote to memory of 1364 5116 22826.exe 92 PID 5116 wrote to memory of 1364 5116 22826.exe 92 PID 1364 wrote to memory of 2916 1364 04622.exe 93 PID 1364 wrote to memory of 2916 1364 04622.exe 93 PID 1364 wrote to memory of 2916 1364 04622.exe 93 PID 2916 wrote to memory of 5080 2916 862060.exe 94 PID 2916 wrote to memory of 
5080 2916 862060.exe 94 PID 2916 wrote to memory of 5080 2916 862060.exe 94 PID 5080 wrote to memory of 2432 5080 4408264.exe 95 PID 5080 wrote to memory of 2432 5080 4408264.exe 95 PID 5080 wrote to memory of 2432 5080 4408264.exe 95 PID 2432 wrote to memory of 2500 2432 7jdpd.exe 96 PID 2432 wrote to memory of 2500 2432 7jdpd.exe 96 PID 2432 wrote to memory of 2500 2432 7jdpd.exe 96 PID 2500 wrote to memory of 1660 2500 4226420.exe 97 PID 2500 wrote to memory of 1660 2500 4226420.exe 97 PID 2500 wrote to memory of 1660 2500 4226420.exe 97 PID 1660 wrote to memory of 5024 1660 206048.exe 98 PID 1660 wrote to memory of 5024 1660 206048.exe 98 PID 1660 wrote to memory of 5024 1660 206048.exe 98 PID 5024 wrote to memory of 4488 5024 5nnbnh.exe 99 PID 5024 wrote to memory of 4488 5024 5nnbnh.exe 99 PID 5024 wrote to memory of 4488 5024 5nnbnh.exe 99 PID 4488 wrote to memory of 2560 4488 2664208.exe 100 PID 4488 wrote to memory of 2560 4488 2664208.exe 100 PID 4488 wrote to memory of 2560 4488 2664208.exe 100 PID 2560 wrote to memory of 4756 2560 9xrlxrf.exe 101 PID 2560 wrote to memory of 4756 2560 9xrlxrf.exe 101 PID 2560 wrote to memory of 4756 2560 9xrlxrf.exe 101 PID 4756 wrote to memory of 3672 4756 tbbtht.exe 102 PID 4756 wrote to memory of 3672 4756 tbbtht.exe 102 PID 4756 wrote to memory of 3672 4756 tbbtht.exe 102 PID 3672 wrote to memory of 2960 3672 644206.exe 103 PID 3672 wrote to memory of 2960 3672 644206.exe 103 PID 3672 wrote to memory of 2960 3672 644206.exe 103 PID 2960 wrote to memory of 4660 2960 08068.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b58a5533cfad11ecb27998d91f80f633941a303ca3d5e7897d41bd2f9c1820f9.exe"C:\Users\Admin\AppData\Local\Temp\b58a5533cfad11ecb27998d91f80f633941a303ca3d5e7897d41bd2f9c1820f9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\4266668.exec:\4266668.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\nbhnht.exec:\nbhnht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\hbbnhb.exec:\hbbnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\u660860.exec:\u660860.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\tnnbnb.exec:\tnnbnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\nhbbbb.exec:\nhbbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\88482.exec:\88482.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\nhbntn.exec:\nhbntn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\22826.exec:\22826.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\04622.exec:\04622.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\862060.exec:\862060.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\4408264.exec:\4408264.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\7jdpd.exec:\7jdpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\4226420.exec:\4226420.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\206048.exec:\206048.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\5nnbnh.exec:\5nnbnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\2664208.exec:\2664208.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\9xrlxrf.exec:\9xrlxrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\tbbtht.exec:\tbbtht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\644206.exec:\644206.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\08068.exec:\08068.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\86260.exec:\86260.exe23⤵
- Executes dropped EXE
PID:4660 -
\??\c:\jvdvv.exec:\jvdvv.exe24⤵
- Executes dropped EXE
PID:2064 -
\??\c:\rrxrxxf.exec:\rrxrxxf.exe25⤵
- Executes dropped EXE
PID:736 -
\??\c:\9ppjd.exec:\9ppjd.exe26⤵
- Executes dropped EXE
PID:1548 -
\??\c:\fflfxrl.exec:\fflfxrl.exe27⤵
- Executes dropped EXE
PID:4072 -
\??\c:\068406.exec:\068406.exe28⤵
- Executes dropped EXE
PID:1508 -
\??\c:\5nhhbb.exec:\5nhhbb.exe29⤵
- Executes dropped EXE
PID:4324 -
\??\c:\tnhtbb.exec:\tnhtbb.exe30⤵
- Executes dropped EXE
PID:1320 -
\??\c:\bnhbtn.exec:\bnhbtn.exe31⤵
- Executes dropped EXE
PID:3436 -
\??\c:\4060448.exec:\4060448.exe32⤵
- Executes dropped EXE
PID:2448 -
\??\c:\xlllffx.exec:\xlllffx.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:404 -
\??\c:\44444.exec:\44444.exe34⤵
- Executes dropped EXE
PID:1540 -
\??\c:\tnbtbb.exec:\tnbtbb.exe35⤵
- Executes dropped EXE
PID:3944 -
\??\c:\886488.exec:\886488.exe36⤵
- Executes dropped EXE
PID:3652 -
\??\c:\8244440.exec:\8244440.exe37⤵
- Executes dropped EXE
PID:4608 -
\??\c:\424044.exec:\424044.exe38⤵
- Executes dropped EXE
PID:1584 -
\??\c:\1rxxlfx.exec:\1rxxlfx.exe39⤵
- Executes dropped EXE
PID:3108 -
\??\c:\xrfxxxf.exec:\xrfxxxf.exe40⤵
- Executes dropped EXE
PID:2640 -
\??\c:\jvddv.exec:\jvddv.exe41⤵
- Executes dropped EXE
PID:5108 -
\??\c:\04448.exec:\04448.exe42⤵
- Executes dropped EXE
PID:4456 -
\??\c:\60028.exec:\60028.exe43⤵
- Executes dropped EXE
PID:1448 -
\??\c:\lffxrxr.exec:\lffxrxr.exe44⤵
- Executes dropped EXE
PID:3020 -
\??\c:\pdddp.exec:\pdddp.exe45⤵
- Executes dropped EXE
PID:1216 -
\??\c:\llrfrfx.exec:\llrfrfx.exe46⤵
- Executes dropped EXE
PID:4676 -
\??\c:\600044.exec:\600044.exe47⤵
- Executes dropped EXE
PID:4552 -
\??\c:\jpvdp.exec:\jpvdp.exe48⤵
- Executes dropped EXE
PID:2480 -
\??\c:\3jvpd.exec:\3jvpd.exe49⤵
- Executes dropped EXE
PID:468 -
\??\c:\llrrrrx.exec:\llrrrrx.exe50⤵
- Executes dropped EXE
PID:2084 -
\??\c:\9lrlrlr.exec:\9lrlrlr.exe51⤵
- Executes dropped EXE
PID:1304 -
\??\c:\llrfxrl.exec:\llrfxrl.exe52⤵
- Executes dropped EXE
PID:4244 -
\??\c:\jvvpd.exec:\jvvpd.exe53⤵
- Executes dropped EXE
PID:3236 -
\??\c:\dpvpj.exec:\dpvpj.exe54⤵
- Executes dropped EXE
PID:1960 -
\??\c:\m8202.exec:\m8202.exe55⤵
- Executes dropped EXE
PID:412 -
\??\c:\2420080.exec:\2420080.exe56⤵
- Executes dropped EXE
PID:4868 -
\??\c:\jjpjv.exec:\jjpjv.exe57⤵
- Executes dropped EXE
PID:544 -
\??\c:\4666448.exec:\4666448.exe58⤵
- Executes dropped EXE
PID:4916 -
\??\c:\206044.exec:\206044.exe59⤵
- Executes dropped EXE
PID:464 -
\??\c:\268288.exec:\268288.exe60⤵
- Executes dropped EXE
PID:2300 -
\??\c:\fxfrlfx.exec:\fxfrlfx.exe61⤵
- Executes dropped EXE
PID:5116 -
\??\c:\20604.exec:\20604.exe62⤵
- Executes dropped EXE
PID:1956 -
\??\c:\84482.exec:\84482.exe63⤵
- Executes dropped EXE
PID:1192 -
\??\c:\bhnbtn.exec:\bhnbtn.exe64⤵
- Executes dropped EXE
PID:3476 -
\??\c:\84608.exec:\84608.exe65⤵
- Executes dropped EXE
PID:3304 -
\??\c:\62608.exec:\62608.exe66⤵PID:1076
-
\??\c:\rffxllf.exec:\rffxllf.exe67⤵PID:5028
-
\??\c:\dpppd.exec:\dpppd.exe68⤵PID:1104
-
\??\c:\6868828.exec:\6868828.exe69⤵PID:3468
-
\??\c:\4028264.exec:\4028264.exe70⤵PID:5024
-
\??\c:\286482.exec:\286482.exe71⤵PID:4032
-
\??\c:\vvdpv.exec:\vvdpv.exe72⤵PID:4436
-
\??\c:\pdvpj.exec:\pdvpj.exe73⤵PID:2384
-
\??\c:\602000.exec:\602000.exe74⤵PID:3320
-
\??\c:\04424.exec:\04424.exe75⤵PID:3416
-
\??\c:\024200.exec:\024200.exe76⤵PID:3560
-
\??\c:\8248600.exec:\8248600.exe77⤵PID:2960
-
\??\c:\htntht.exec:\htntht.exe78⤵
- System Location Discovery: System Language Discovery
PID:1932 -
\??\c:\5ppvj.exec:\5ppvj.exe79⤵PID:624
-
\??\c:\nnnhnh.exec:\nnnhnh.exe80⤵PID:4052
-
\??\c:\i286004.exec:\i286004.exe81⤵PID:736
-
\??\c:\fxlllfx.exec:\fxlllfx.exe82⤵PID:1964
-
\??\c:\00260.exec:\00260.exe83⤵PID:2648
-
\??\c:\jvdvp.exec:\jvdvp.exe84⤵PID:2488
-
\??\c:\3ntnhb.exec:\3ntnhb.exe85⤵PID:4356
-
\??\c:\4842000.exec:\4842000.exe86⤵PID:3152
-
\??\c:\9fffxxx.exec:\9fffxxx.exe87⤵PID:2128
-
\??\c:\s6402.exec:\s6402.exe88⤵PID:1004
-
\??\c:\pdpjv.exec:\pdpjv.exe89⤵PID:4980
-
\??\c:\406484.exec:\406484.exe90⤵PID:4568
-
\??\c:\e28266.exec:\e28266.exe91⤵PID:2448
-
\??\c:\42482.exec:\42482.exe92⤵PID:404
-
\??\c:\a6642.exec:\a6642.exe93⤵PID:3136
-
\??\c:\80042.exec:\80042.exe94⤵PID:972
-
\??\c:\9fxrlfx.exec:\9fxrlfx.exe95⤵PID:3156
-
\??\c:\648648.exec:\648648.exe96⤵PID:3904
-
\??\c:\btbtnb.exec:\btbtnb.exe97⤵PID:4812
-
\??\c:\628866.exec:\628866.exe98⤵PID:3108
-
\??\c:\6408260.exec:\6408260.exe99⤵PID:2640
-
\??\c:\i486660.exec:\i486660.exe100⤵PID:2788
-
\??\c:\4682004.exec:\4682004.exe101⤵PID:4456
-
\??\c:\vdjdv.exec:\vdjdv.exe102⤵PID:2876
-
\??\c:\08266.exec:\08266.exe103⤵PID:3776
-
\??\c:\3tnthb.exec:\3tnthb.exe104⤵PID:4564
-
\??\c:\8448604.exec:\8448604.exe105⤵PID:848
-
\??\c:\frlxlrf.exec:\frlxlrf.exe106⤵PID:1180
-
\??\c:\284882.exec:\284882.exe107⤵PID:2932
-
\??\c:\tnbnhh.exec:\tnbnhh.exe108⤵PID:2268
-
\??\c:\088204.exec:\088204.exe109⤵PID:2076
-
\??\c:\26648.exec:\26648.exe110⤵PID:3616
-
\??\c:\688222.exec:\688222.exe111⤵PID:3192
-
\??\c:\7jdpj.exec:\7jdpj.exe112⤵PID:3504
-
\??\c:\xrxxfxf.exec:\xrxxfxf.exe113⤵PID:1304
-
\??\c:\xllffff.exec:\xllffff.exe114⤵PID:2956
-
\??\c:\4026044.exec:\4026044.exe115⤵PID:2880
-
\??\c:\lfxrfxr.exec:\lfxrfxr.exe116⤵PID:2608
-
\??\c:\0486048.exec:\0486048.exe117⤵PID:412
-
\??\c:\9rrfxrf.exec:\9rrfxrf.exe118⤵PID:4868
-
\??\c:\rlfxrrl.exec:\rlfxrrl.exe119⤵PID:544
-
\??\c:\rfrrrlr.exec:\rfrrrlr.exe120⤵PID:4916
-
\??\c:\646600.exec:\646600.exe121⤵PID:464
-
\??\c:\fxxxxrl.exec:\fxxxxrl.exe122⤵PID:64