Analysis
max time kernel: 120s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2024, 16:20
Static task: static1
Behavioral task: behavioral1
Sample: 98b967d9224bec45c6379f113d932e53f7bc7317f877a287c9f108b40017b4e0N.exe
Resource: win7-20240903-en
General
Target: 98b967d9224bec45c6379f113d932e53f7bc7317f877a287c9f108b40017b4e0N.exe
Size: 453KB
MD5: 16ce2693bdbe4b4dda738ed5981cee10
SHA1: d6904c0471e33c952b983dc8c178fb4187e85b63
SHA256: 98b967d9224bec45c6379f113d932e53f7bc7317f877a287c9f108b40017b4e0
SHA512: bccc3761e7e22ce0072c4819a1fc1a4de7d5aede33b0013403af9c81faf2c645bf3b8ecc2afad554ba76ebbea7fc50ce3404fc07e4b7bcfa53eec237653cbffb
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (63 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
depth  PID   image path   (command line)   signatures
  1  PID 2112   C:\Users\Admin\AppData\Local\Temp\98b967d9224bec45c6379f113d932e53f7bc7317f877a287c9f108b40017b4e0N.exe   ("C:\Users\Admin\AppData\Local\Temp\98b967d9224bec45c6379f113d932e53f7bc7317f877a287c9f108b40017b4e0N.exe")   Suspicious use of WriteProcessMemory
  2  PID 1592   \??\c:\thnhbb.exe   (c:\thnhbb.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
  3  PID 4100   \??\c:\jpvpd.exe   (c:\jpvpd.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
  4  PID 4940   \??\c:\bttnhb.exe   (c:\bttnhb.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
  5  PID 2756   \??\c:\frrlffx.exe   (c:\frrlffx.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
  6  PID 4924   \??\c:\pjjdv.exe   (c:\pjjdv.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
  7  PID 1416   \??\c:\bhnhbt.exe   (c:\bhnhbt.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
  8  PID 2804   \??\c:\lxfxlfx.exe   (c:\lxfxlfx.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
  9  PID 4228   \??\c:\vpjdd.exe   (c:\vpjdd.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
 10  PID 4352   \??\c:\pvdvj.exe   (c:\pvdvj.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
 11  PID 2924   \??\c:\jdpjv.exe   (c:\jdpjv.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
 12  PID 2136   \??\c:\3xxrffx.exe   (c:\3xxrffx.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
 13  PID 2652   \??\c:\nnbtnn.exe   (c:\nnbtnn.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
 14  PID 4548   \??\c:\jvvvp.exe   (c:\jvvvp.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
 15  PID 1996   \??\c:\bnnhbt.exe   (c:\bnnhbt.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
 16  PID 4564   \??\c:\dvdvd.exe   (c:\dvdvd.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
 17  PID 944    \??\c:\tnnhtn.exe   (c:\tnnhtn.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
 18  PID 4188   \??\c:\5dvvp.exe   (c:\5dvvp.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
 19  PID 3108   \??\c:\httnbt.exe   (c:\httnbt.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
 20  PID 224    \??\c:\hbbthh.exe   (c:\hbbthh.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
 21  PID 4880   \??\c:\5frrrrx.exe   (c:\5frrrrx.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
 22  PID 3660   \??\c:\jjvpp.exe   (c:\jjvpp.exe)   Executes dropped EXE; Suspicious use of WriteProcessMemory
 23  PID 2548   \??\c:\hbbtht.exe   (c:\hbbtht.exe)   Executes dropped EXE
 24  PID 1244   \??\c:\frxrrlr.exe   (c:\frxrrlr.exe)   Executes dropped EXE
 25  PID 700    \??\c:\fllfxxl.exe   (c:\fllfxxl.exe)   Executes dropped EXE
 26  PID 3220   \??\c:\pjdvp.exe   (c:\pjdvp.exe)   Executes dropped EXE
 27  PID 760    \??\c:\xxfxrlf.exe   (c:\xxfxrlf.exe)   Executes dropped EXE
 28  PID 3420   \??\c:\ttbtnh.exe   (c:\ttbtnh.exe)   Executes dropped EXE
 29  PID 1000   \??\c:\dddvp.exe   (c:\dddvp.exe)   Executes dropped EXE
 30  PID 4952   \??\c:\rllffxx.exe   (c:\rllffxx.exe)   Executes dropped EXE
 31  PID 2480   \??\c:\djpjd.exe   (c:\djpjd.exe)   Executes dropped EXE
 32  PID 4280   \??\c:\xffrfrf.exe   (c:\xffrfrf.exe)   Executes dropped EXE
 33  PID 3924   \??\c:\jvjdv.exe   (c:\jvjdv.exe)   Executes dropped EXE
 34  PID 5052   \??\c:\ttthhb.exe   (c:\ttthhb.exe)   Executes dropped EXE
 35  PID 1584   \??\c:\dvpjd.exe   (c:\dvpjd.exe)   Executes dropped EXE
 36  PID 632    \??\c:\pjdpd.exe   (c:\pjdpd.exe)   Executes dropped EXE
 37  PID 4084   \??\c:\xllfrxr.exe   (c:\xllfrxr.exe)   Executes dropped EXE
 38  PID 3960   \??\c:\hbbbtn.exe   (c:\hbbbtn.exe)   Executes dropped EXE
 39  PID 4164   \??\c:\pjvvj.exe   (c:\pjvvj.exe)   Executes dropped EXE
 40  PID 2676   \??\c:\lllllll.exe   (c:\lllllll.exe)   Executes dropped EXE
 41  PID 4416   \??\c:\rxlfxxr.exe   (c:\rxlfxxr.exe)   Executes dropped EXE
 42  PID 5076   \??\c:\hhnhbb.exe   (c:\hhnhbb.exe)   Executes dropped EXE
 43  PID 3796   \??\c:\jjpjd.exe   (c:\jjpjd.exe)   Executes dropped EXE
 44  PID 4044   \??\c:\lxxxllf.exe   (c:\lxxxllf.exe)   Executes dropped EXE
 45  PID 1180   \??\c:\3lrrrrf.exe   (c:\3lrrrrf.exe)   Executes dropped EXE
 46  PID 3724   \??\c:\5tbtnh.exe   (c:\5tbtnh.exe)   Executes dropped EXE
 47  PID 2936   \??\c:\dpvpj.exe   (c:\dpvpj.exe)   Executes dropped EXE
 48  PID 4252   \??\c:\jpjvp.exe   (c:\jpjvp.exe)   Executes dropped EXE
 49  PID 3112   \??\c:\llxrllx.exe   (c:\llxrllx.exe)   Executes dropped EXE
 50  PID 5028   \??\c:\5nnhtn.exe   (c:\5nnhtn.exe)   Executes dropped EXE
 51  PID 4476   \??\c:\dppdd.exe   (c:\dppdd.exe)   Executes dropped EXE
 52  PID 4672   \??\c:\pjppd.exe   (c:\pjppd.exe)   Executes dropped EXE
 53  PID 2052   \??\c:\fxxrffx.exe   (c:\fxxrffx.exe)   Executes dropped EXE
 54  PID 2804   \??\c:\tntttt.exe   (c:\tntttt.exe)   Executes dropped EXE
 55  PID 1748   \??\c:\jpdvd.exe   (c:\jpdvd.exe)   Executes dropped EXE
 56  PID 3664   \??\c:\pjjdp.exe   (c:\pjjdp.exe)   Executes dropped EXE
 57  PID 1988   \??\c:\xflfrlf.exe   (c:\xflfrlf.exe)   Executes dropped EXE
 58  PID 4864   \??\c:\frfxrrl.exe   (c:\frfxrrl.exe)   Executes dropped EXE
 59  PID 3152   \??\c:\btnnhb.exe   (c:\btnnhb.exe)   Executes dropped EXE
 60  PID 1360   \??\c:\pjdvj.exe   (c:\pjdvj.exe)   Executes dropped EXE
 61  PID 2596   \??\c:\frlxlxx.exe   (c:\frlxlxx.exe)   Executes dropped EXE
 62  PID 1624   \??\c:\3bhbhh.exe   (c:\3bhbhh.exe)   Executes dropped EXE
 63  PID 640    \??\c:\nnnntn.exe   (c:\nnnntn.exe)   Executes dropped EXE
 64  PID 4464   \??\c:\5jjdv.exe   (c:\5jjdv.exe)   Executes dropped EXE
 65  PID 4708   \??\c:\5frfrlx.exe   (c:\5frfrlx.exe)   Executes dropped EXE
 66  PID 944    \??\c:\bthbhh.exe   (c:\bthbhh.exe)
 67  PID 2184   \??\c:\jvdpj.exe   (c:\jvdpj.exe)
 68  PID 1740   \??\c:\rfflxlf.exe   (c:\rfflxlf.exe)
 69  PID 5080   \??\c:\nttbnh.exe   (c:\nttbnh.exe)
 70  PID 60     \??\c:\vppjd.exe   (c:\vppjd.exe)
 71  PID 2716   \??\c:\rxrrfxr.exe   (c:\rxrrfxr.exe)
 72  PID 372    \??\c:\xxfxrrr.exe   (c:\xxfxrrr.exe)
 73  PID 4428   \??\c:\htnthb.exe   (c:\htnthb.exe)
 74  PID 5104   \??\c:\jjjvj.exe   (c:\jjjvj.exe)
 75  PID 4880   \??\c:\rlxrffx.exe   (c:\rlxrffx.exe)
 76  PID 2992   \??\c:\ffrlrlr.exe   (c:\ffrlrlr.exe)
 77  PID 1976   \??\c:\thnnhh.exe   (c:\thnnhh.exe)
 78  PID 4292   \??\c:\thntnt.exe   (c:\thntnt.exe)
 79  PID 376    \??\c:\dvvjd.exe   (c:\dvvjd.exe)
 80  PID 1244   \??\c:\frxrxxr.exe   (c:\frxrxxr.exe)
 81  PID 4108   \??\c:\htthtt.exe   (c:\htthtt.exe)
 82  PID 3864   \??\c:\djjvj.exe   (c:\djjvj.exe)
 83  PID 4752   \??\c:\rllxfrx.exe   (c:\rllxfrx.exe)
 84  PID 732    \??\c:\lfxlxlx.exe   (c:\lfxlxlx.exe)
 85  PID 1452   \??\c:\htthth.exe   (c:\htthth.exe)
 86  PID 4660   \??\c:\djdjp.exe   (c:\djdjp.exe)   System Location Discovery: System Language Discovery
 87  PID 3348   \??\c:\dvpvj.exe   (c:\dvpvj.exe)
 88  PID 1352   \??\c:\xffrxfx.exe   (c:\xffrxfx.exe)
 89  PID 992    \??\c:\thbnbn.exe   (c:\thbnbn.exe)
 90  PID 3856   \??\c:\nhbnhb.exe   (c:\nhbnhb.exe)
 91  PID 2480   \??\c:\dvpdj.exe   (c:\dvpdj.exe)
 92  PID 4964   \??\c:\xxxlxlf.exe   (c:\xxxlxlf.exe)
 93  PID 4184   \??\c:\fllfrlx.exe   (c:\fllfrlx.exe)
 94  PID 512    \??\c:\9nnbnt.exe   (c:\9nnbnt.exe)
 95  PID 5052   \??\c:\5vvvp.exe   (c:\5vvvp.exe)
 96  PID 1584   \??\c:\pjvjv.exe   (c:\pjvjv.exe)
 97  PID 632    \??\c:\rffrxrl.exe   (c:\rffrxrl.exe)
 98  PID 3968   \??\c:\7ntnnh.exe   (c:\7ntnnh.exe)
 99  PID 2984   \??\c:\7vvvj.exe   (c:\7vvvj.exe)
100  PID 4164   \??\c:\5fxrxrl.exe   (c:\5fxrxrl.exe)
101  PID 432    \??\c:\lflxrll.exe   (c:\lflxrll.exe)
102  PID 4436   \??\c:\hnnbnh.exe   (c:\hnnbnh.exe)
103  PID 3460   \??\c:\1vdpd.exe   (c:\1vdpd.exe)
104  PID 4192   \??\c:\9jjdp.exe   (c:\9jjdp.exe)
105  PID 3632   \??\c:\5rrfxrl.exe   (c:\5rrfxrl.exe)
106  PID 3636   \??\c:\3tthbt.exe   (c:\3tthbt.exe)
107  PID 1888   \??\c:\bnnbnh.exe   (c:\bnnbnh.exe)
108  PID 3964   \??\c:\jjjvj.exe   (c:\jjjvj.exe)
109  PID 2336   \??\c:\jvjvj.exe   (c:\jvjvj.exe)
110  PID 2056   \??\c:\rflrfrf.exe   (c:\rflrfrf.exe)
111  PID 3824   \??\c:\tnnhtn.exe   (c:\tnnhtn.exe)
112  PID 1020   \??\c:\bbbbtn.exe   (c:\bbbbtn.exe)
113  PID 2360   \??\c:\vdpdj.exe   (c:\vdpdj.exe)
114  PID 3212   \??\c:\rrxxfll.exe   (c:\rrxxfll.exe)
115  PID 4672   \??\c:\rfrfrlf.exe   (c:\rfrfrlf.exe)
116  PID 4860   \??\c:\btthbt.exe   (c:\btthbt.exe)
117  PID 4856   \??\c:\7nnntn.exe   (c:\7nnntn.exe)
118  PID 3556   \??\c:\vdjdj.exe   (c:\vdjdj.exe)
119  PID 1116   \??\c:\rrxlxrf.exe   (c:\rrxlxrf.exe)
120  PID 3304   \??\c:\xllxlfx.exe   (c:\xllxlfx.exe)
121  PID 3612   \??\c:\hnthtn.exe   (c:\hnthtn.exe)
122  PID 788    \??\c:\jddpd.exe   (c:\jddpd.exe)