Analysis
-
max time kernel
120s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/12/2024, 06:15
Static task
static1
Behavioral task
behavioral1
Sample
98f2513e7f6634f2aaeab123d917c7d951683bd3bfa5d37c13d00af289622982.exe
Resource
win7-20240903-en (note: this disagrees with the platform/resource fields above — windows10-2004_x64 / win10v2004-20241007-en — and the signature hits below are tagged behavioral2 while only behavioral1 is listed as the behavioral task; the page appears to combine metadata from more than one task, so confirm which task the listed IoCs belong to before citing the OS version in a report.)
General
-
Target
98f2513e7f6634f2aaeab123d917c7d951683bd3bfa5d37c13d00af289622982.exe
-
Size
454KB
-
MD5
292017c17459514a9baf708a9424c4c7
-
SHA1
16677736b9343ac68a200a293069ef0891932af8
-
SHA256
98f2513e7f6634f2aaeab123d917c7d951683bd3bfa5d37c13d00af289622982
-
SHA512
f7176e91d326609e401d02352baf1ba31ee2b208faf5e6b5c7989f267dc4ae5ec6225fb87b57d921e4eca37bcdc2f8e656cc35410b8df227588aeaf472ffe748
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1F:q7Tc2NYHUrAwfMp3CD1F
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (every hit is an in-memory YARA match over the same 0x400000–0x42A000 image range in a different spawned process, so these most likely reflect repeated copies of one unpacked image rather than 63 distinct payloads — confirm by comparing hashes of the dropped executables)
resource yara_rule behavioral2/memory/4844-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/768-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2352-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-828-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-919-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-1615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-1856-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5020 nnntbt.exe 4420 68004.exe 4396 o084022.exe 4616 k00044.exe 4852 xrfrlxl.exe 5008 4688060.exe 2512 884040.exe 2752 0244448.exe 2936 08020.exe 3424 6046822.exe 4188 djvpj.exe 996 0840444.exe 3172 vdddj.exe 5044 hnbbtb.exe 3552 200046.exe 2668 682086.exe 2316 o208462.exe 436 02480.exe 2408 26644.exe 4028 nntbhb.exe 4764 hbnbbt.exe 768 00042.exe 1080 vjvvp.exe 4476 tnthbb.exe 1268 tttnnh.exe 2204 22842.exe 2232 jvvpd.exe 2460 888260.exe 3304 bhnnnt.exe 1128 jvjjj.exe 4408 2060880.exe 448 2222284.exe 2400 3pvvp.exe 3148 464006.exe 2776 886248.exe 3044 204264.exe 4032 lrfllrx.exe 4980 k60288.exe 1184 vdppd.exe 1944 462224.exe 3528 9vpvj.exe 4516 c644428.exe 5100 ffxxxxx.exe 4232 tnhnbb.exe 4884 btbthh.exe 5052 bntnbb.exe 2264 02488.exe 4372 0000688.exe 1600 282464.exe 4036 484022.exe 3512 866042.exe 2236 e48200.exe 452 nthbtt.exe 4752 bhnbtn.exe 3780 xxxrrrr.exe 4420 ttthtt.exe 3712 284260.exe 4780 7pjjv.exe 4248 pjpvj.exe 3340 pjpjd.exe 4192 02846.exe 4852 1ffrlrl.exe 3484 djjdj.exe 4220 lrlllll.exe -
resource yara_rule behavioral2/memory/4844-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-138-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4476-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-358-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3840-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-723-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-785-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-808-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by benign runtime and locale code, so this signature on its own is low-confidence; it is more meaningful here because it co-occurs with the Blackmoon memory matches and the dropped-EXE chain.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0466008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8268444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6060066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
fxfffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q46662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 626802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0244444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (note: every entry below is a parent writing into the child it has just spawned, in a strict PID chain; that pattern is consistent with ordinary process creation rather than injection into an unrelated process, so treat these hits as corroborating the drop-and-execute chain, not as independent evidence of code injection — verify by checking whether any target PID is not a direct child)
description pid Process procid_target PID 4844 wrote to memory of 5020 4844 98f2513e7f6634f2aaeab123d917c7d951683bd3bfa5d37c13d00af289622982.exe 82 PID 4844 wrote to memory of 5020 4844 98f2513e7f6634f2aaeab123d917c7d951683bd3bfa5d37c13d00af289622982.exe 82 PID 4844 wrote to memory of 5020 4844 98f2513e7f6634f2aaeab123d917c7d951683bd3bfa5d37c13d00af289622982.exe 82 PID 5020 wrote to memory of 4420 5020 nnntbt.exe 83 PID 5020 wrote to memory of 4420 5020 nnntbt.exe 83 PID 5020 wrote to memory of 4420 5020 nnntbt.exe 83 PID 4420 wrote to memory of 4396 4420 68004.exe 84 PID 4420 wrote to memory of 4396 4420 68004.exe 84 PID 4420 wrote to memory of 4396 4420 68004.exe 84 PID 4396 wrote to memory of 4616 4396 o084022.exe 85 PID 4396 wrote to memory of 4616 4396 o084022.exe 85 PID 4396 wrote to memory of 4616 4396 o084022.exe 85 PID 4616 wrote to memory of 4852 4616 k00044.exe 86 PID 4616 wrote to memory of 4852 4616 k00044.exe 86 PID 4616 wrote to memory of 4852 4616 k00044.exe 86 PID 4852 wrote to memory of 5008 4852 xrfrlxl.exe 87 PID 4852 wrote to memory of 5008 4852 xrfrlxl.exe 87 PID 4852 wrote to memory of 5008 4852 xrfrlxl.exe 87 PID 5008 wrote to memory of 2512 5008 4688060.exe 88 PID 5008 wrote to memory of 2512 5008 4688060.exe 88 PID 5008 wrote to memory of 2512 5008 4688060.exe 88 PID 2512 wrote to memory of 2752 2512 884040.exe 89 PID 2512 wrote to memory of 2752 2512 884040.exe 89 PID 2512 wrote to memory of 2752 2512 884040.exe 89 PID 2752 wrote to memory of 2936 2752 0244448.exe 90 PID 2752 wrote to memory of 2936 2752 0244448.exe 90 PID 2752 wrote to memory of 2936 2752 0244448.exe 90 PID 2936 wrote to memory of 3424 2936 08020.exe 91 PID 2936 wrote to memory of 3424 2936 08020.exe 91 PID 2936 wrote to memory of 3424 2936 08020.exe 91 PID 3424 wrote to memory of 4188 3424 6046822.exe 92 PID 3424 wrote to memory of 4188 3424 6046822.exe 92 PID 3424 wrote to memory of 4188 3424 6046822.exe 92 PID 4188 wrote to memory of 996 4188 djvpj.exe 93 PID 4188 
wrote to memory of 996 4188 djvpj.exe 93 PID 4188 wrote to memory of 996 4188 djvpj.exe 93 PID 996 wrote to memory of 3172 996 0840444.exe 94 PID 996 wrote to memory of 3172 996 0840444.exe 94 PID 996 wrote to memory of 3172 996 0840444.exe 94 PID 3172 wrote to memory of 5044 3172 vdddj.exe 95 PID 3172 wrote to memory of 5044 3172 vdddj.exe 95 PID 3172 wrote to memory of 5044 3172 vdddj.exe 95 PID 5044 wrote to memory of 3552 5044 hnbbtb.exe 96 PID 5044 wrote to memory of 3552 5044 hnbbtb.exe 96 PID 5044 wrote to memory of 3552 5044 hnbbtb.exe 96 PID 3552 wrote to memory of 2668 3552 200046.exe 97 PID 3552 wrote to memory of 2668 3552 200046.exe 97 PID 3552 wrote to memory of 2668 3552 200046.exe 97 PID 2668 wrote to memory of 2316 2668 682086.exe 98 PID 2668 wrote to memory of 2316 2668 682086.exe 98 PID 2668 wrote to memory of 2316 2668 682086.exe 98 PID 2316 wrote to memory of 436 2316 o208462.exe 99 PID 2316 wrote to memory of 436 2316 o208462.exe 99 PID 2316 wrote to memory of 436 2316 o208462.exe 99 PID 436 wrote to memory of 2408 436 02480.exe 100 PID 436 wrote to memory of 2408 436 02480.exe 100 PID 436 wrote to memory of 2408 436 02480.exe 100 PID 2408 wrote to memory of 4028 2408 26644.exe 101 PID 2408 wrote to memory of 4028 2408 26644.exe 101 PID 2408 wrote to memory of 4028 2408 26644.exe 101 PID 4028 wrote to memory of 4764 4028 nntbhb.exe 102 PID 4028 wrote to memory of 4764 4028 nntbhb.exe 102 PID 4028 wrote to memory of 4764 4028 nntbhb.exe 102 PID 4764 wrote to memory of 768 4764 hbnbbt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\98f2513e7f6634f2aaeab123d917c7d951683bd3bfa5d37c13d00af289622982.exe"C:\Users\Admin\AppData\Local\Temp\98f2513e7f6634f2aaeab123d917c7d951683bd3bfa5d37c13d00af289622982.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\nnntbt.exec:\nnntbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\68004.exec:\68004.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\o084022.exec:\o084022.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\k00044.exec:\k00044.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\xrfrlxl.exec:\xrfrlxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\4688060.exec:\4688060.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\884040.exec:\884040.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\0244448.exec:\0244448.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\08020.exec:\08020.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\6046822.exec:\6046822.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\djvpj.exec:\djvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\0840444.exec:\0840444.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\vdddj.exec:\vdddj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\hnbbtb.exec:\hnbbtb.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\200046.exec:\200046.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\682086.exec:\682086.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\o208462.exec:\o208462.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\02480.exec:\02480.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\26644.exec:\26644.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\nntbhb.exec:\nntbhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\hbnbbt.exec:\hbnbbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\00042.exec:\00042.exe23⤵
- Executes dropped EXE
PID:768 -
\??\c:\vjvvp.exec:\vjvvp.exe24⤵
- Executes dropped EXE
PID:1080 -
\??\c:\tnthbb.exec:\tnthbb.exe25⤵
- Executes dropped EXE
PID:4476 -
\??\c:\tttnnh.exec:\tttnnh.exe26⤵
- Executes dropped EXE
PID:1268 -
\??\c:\22842.exec:\22842.exe27⤵
- Executes dropped EXE
PID:2204 -
\??\c:\jvvpd.exec:\jvvpd.exe28⤵
- Executes dropped EXE
PID:2232 -
\??\c:\888260.exec:\888260.exe29⤵
- Executes dropped EXE
PID:2460 -
\??\c:\bhnnnt.exec:\bhnnnt.exe30⤵
- Executes dropped EXE
PID:3304 -
\??\c:\jvjjj.exec:\jvjjj.exe31⤵
- Executes dropped EXE
PID:1128 -
\??\c:\2060880.exec:\2060880.exe32⤵
- Executes dropped EXE
PID:4408 -
\??\c:\2222284.exec:\2222284.exe33⤵
- Executes dropped EXE
PID:448 -
\??\c:\3pvvp.exec:\3pvvp.exe34⤵
- Executes dropped EXE
PID:2400 -
\??\c:\464006.exec:\464006.exe35⤵
- Executes dropped EXE
PID:3148 -
\??\c:\886248.exec:\886248.exe36⤵
- Executes dropped EXE
PID:2776 -
\??\c:\204264.exec:\204264.exe37⤵
- Executes dropped EXE
PID:3044 -
\??\c:\lrfllrx.exec:\lrfllrx.exe38⤵
- Executes dropped EXE
PID:4032 -
\??\c:\k60288.exec:\k60288.exe39⤵
- Executes dropped EXE
PID:4980 -
\??\c:\vdppd.exec:\vdppd.exe40⤵
- Executes dropped EXE
PID:1184 -
\??\c:\462224.exec:\462224.exe41⤵
- Executes dropped EXE
PID:1944 -
\??\c:\9vpvj.exec:\9vpvj.exe42⤵
- Executes dropped EXE
PID:3528 -
\??\c:\c644428.exec:\c644428.exe43⤵
- Executes dropped EXE
PID:4516 -
\??\c:\ffxxxxx.exec:\ffxxxxx.exe44⤵
- Executes dropped EXE
PID:5100 -
\??\c:\tnhnbb.exec:\tnhnbb.exe45⤵
- Executes dropped EXE
PID:4232 -
\??\c:\btbthh.exec:\btbthh.exe46⤵
- Executes dropped EXE
PID:4884 -
\??\c:\bntnbb.exec:\bntnbb.exe47⤵
- Executes dropped EXE
PID:5052 -
\??\c:\02488.exec:\02488.exe48⤵
- Executes dropped EXE
PID:2264 -
\??\c:\0000688.exec:\0000688.exe49⤵
- Executes dropped EXE
PID:4372 -
\??\c:\282464.exec:\282464.exe50⤵
- Executes dropped EXE
PID:1600 -
\??\c:\484022.exec:\484022.exe51⤵
- Executes dropped EXE
PID:4036 -
\??\c:\866042.exec:\866042.exe52⤵
- Executes dropped EXE
PID:3512 -
\??\c:\e48200.exec:\e48200.exe53⤵
- Executes dropped EXE
PID:2236 -
\??\c:\jjjjd.exec:\jjjjd.exe54⤵PID:1504
-
\??\c:\nthbtt.exec:\nthbtt.exe55⤵
- Executes dropped EXE
PID:452 -
\??\c:\bhnbtn.exec:\bhnbtn.exe56⤵
- Executes dropped EXE
PID:4752 -
\??\c:\xxxrrrr.exec:\xxxrrrr.exe57⤵
- Executes dropped EXE
PID:3780 -
\??\c:\ttthtt.exec:\ttthtt.exe58⤵
- Executes dropped EXE
PID:4420 -
\??\c:\284260.exec:\284260.exe59⤵
- Executes dropped EXE
PID:3712 -
\??\c:\7pjjv.exec:\7pjjv.exe60⤵
- Executes dropped EXE
PID:4780 -
\??\c:\pjpvj.exec:\pjpvj.exe61⤵
- Executes dropped EXE
PID:4248 -
\??\c:\pjpjd.exec:\pjpjd.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3340 -
\??\c:\02846.exec:\02846.exe63⤵
- Executes dropped EXE
PID:4192 -
\??\c:\1ffrlrl.exec:\1ffrlrl.exe64⤵
- Executes dropped EXE
PID:4852 -
\??\c:\djjdj.exec:\djjdj.exe65⤵
- Executes dropped EXE
PID:3484 -
\??\c:\lrlllll.exec:\lrlllll.exe66⤵
- Executes dropped EXE
PID:4220 -
\??\c:\nttvvd.exec:\nttvvd.exe67⤵PID:1796
-
\??\c:\jvvvv.exec:\jvvvv.exe68⤵PID:3452
-
\??\c:\jjdpp.exec:\jjdpp.exe69⤵PID:3348
-
\??\c:\0226660.exec:\0226660.exe70⤵PID:3188
-
\??\c:\06684.exec:\06684.exe71⤵PID:3424
-
\??\c:\8004446.exec:\8004446.exe72⤵PID:740
-
\??\c:\006666.exec:\006666.exe73⤵PID:2940
-
\??\c:\hnttnt.exec:\hnttnt.exe74⤵PID:996
-
\??\c:\46822.exec:\46822.exe75⤵PID:4180
-
\??\c:\620688.exec:\620688.exe76⤵PID:3172
-
\??\c:\28464.exec:\28464.exe77⤵PID:5044
-
\??\c:\xrlrrlr.exec:\xrlrrlr.exe78⤵PID:2352
-
\??\c:\3xlrfrx.exec:\3xlrfrx.exe79⤵PID:2872
-
\??\c:\084440.exec:\084440.exe80⤵PID:208
-
\??\c:\5frxxff.exec:\5frxxff.exe81⤵PID:924
-
\??\c:\066264.exec:\066264.exe82⤵PID:5084
-
\??\c:\5pdvv.exec:\5pdvv.exe83⤵PID:2408
-
\??\c:\6064260.exec:\6064260.exe84⤵PID:1540
-
\??\c:\m2886.exec:\m2886.exe85⤵PID:1676
-
\??\c:\a2666.exec:\a2666.exe86⤵PID:3840
-
\??\c:\04820.exec:\04820.exe87⤵PID:5088
-
\??\c:\ddpdd.exec:\ddpdd.exe88⤵PID:3696
-
\??\c:\rffffll.exec:\rffffll.exe89⤵PID:764
-
\??\c:\484066.exec:\484066.exe90⤵PID:8
-
\??\c:\26020.exec:\26020.exe91⤵PID:3500
-
\??\c:\484444.exec:\484444.exe92⤵PID:3648
-
\??\c:\dvddd.exec:\dvddd.exe93⤵PID:2232
-
\??\c:\rfffxxl.exec:\rfffxxl.exe94⤵PID:3144
-
\??\c:\820660.exec:\820660.exe95⤵PID:1396
-
\??\c:\lfflffr.exec:\lfflffr.exe96⤵PID:2808
-
\??\c:\4804448.exec:\4804448.exe97⤵PID:1128
-
\??\c:\046688.exec:\046688.exe98⤵PID:2920
-
\??\c:\8802228.exec:\8802228.exe99⤵PID:2572
-
\??\c:\xllxlxr.exec:\xllxlxr.exe100⤵PID:4908
-
\??\c:\k06620.exec:\k06620.exe101⤵PID:1412
-
\??\c:\22266.exec:\22266.exe102⤵PID:1288
-
\??\c:\22222.exec:\22222.exe103⤵PID:2480
-
\??\c:\2244068.exec:\2244068.exe104⤵PID:1652
-
\??\c:\2462644.exec:\2462644.exe105⤵PID:372
-
\??\c:\44844.exec:\44844.exe106⤵PID:3200
-
\??\c:\1jjjp.exec:\1jjjp.exe107⤵PID:1252
-
\??\c:\1xfflrx.exec:\1xfflrx.exe108⤵PID:1924
-
\??\c:\5ffxfxl.exec:\5ffxfxl.exe109⤵PID:2036
-
\??\c:\hhnhnb.exec:\hhnhnb.exe110⤵PID:2580
-
\??\c:\24888.exec:\24888.exe111⤵PID:4052
-
\??\c:\bnhnbh.exec:\bnhnbh.exe112⤵
- System Location Discovery: System Language Discovery
PID:3536 -
\??\c:\04684.exec:\04684.exe113⤵PID:2828
-
\??\c:\480426.exec:\480426.exe114⤵PID:4324
-
\??\c:\tbnthn.exec:\tbnthn.exe115⤵PID:2236
-
\??\c:\64222.exec:\64222.exe116⤵PID:660
-
\??\c:\860800.exec:\860800.exe117⤵PID:968
-
\??\c:\3jjpd.exec:\3jjpd.exe118⤵PID:3876
-
\??\c:\frxfflr.exec:\frxfflr.exe119⤵PID:5048
-
\??\c:\88060.exec:\88060.exe120⤵PID:2696
-
\??\c:\htbhhn.exec:\htbhhn.exe121⤵PID:1880
-
\??\c:\4644406.exec:\4644406.exe122⤵PID:4248