Analysis
- max time kernel: 67s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20250207-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/02/2025, 01:53
Static task: static1
Behavioral task: behavioral1
Sample: e19ea25740dd4d76c979b87d1c92715497beb9a1f5e5b21791e46c04144e0bd4N.exe
Resource: win7-20241023-en
General
- Target: e19ea25740dd4d76c979b87d1c92715497beb9a1f5e5b21791e46c04144e0bd4N.exe
- Size: 458KB
- MD5: d0efe12bb1337607cba903280659aa70
- SHA1: 7cce1a0c110ec286b3cac1405cf4ffaa0284ced1
- SHA256: e19ea25740dd4d76c979b87d1c92715497beb9a1f5e5b21791e46c04144e0bd4
- SHA512: 5c39ac6b2cc1fdb3fc0141424db7362c4800e39951a0a75f7878c458776afc7c48ee91ddbf7ef6120d5edd57b591e5b91c3f09317f3ddc29e770382f4630c7bf
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR2s:q7Tc2NYHUrAwfMp3CDR2s
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (63 IoCs)
- Downloads MZ/PE file (1 IoC)
  flow 52, pid 2912, Process not Found
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
  pid 1980, Process not Found
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\e19ea25740dd4d76c979b87d1c92715497beb9a1f5e5b21791e46c04144e0bd4N.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\e19ea25740dd4d76c979b87d1c92715497beb9a1f5e5b21791e46c04144e0bd4N.exe")  PID:1652  [Suspicious use of WriteProcessMemory]
2. \??\c:\htntht.exe  (cmd: c:\htntht.exe)  PID:1992  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3. \??\c:\nhnhbb.exe  (cmd: c:\nhnhbb.exe)  PID:3688  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4. \??\c:\68660.exe  (cmd: c:\68660.exe)  PID:416  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5. \??\c:\666000.exe  (cmd: c:\666000.exe)  PID:4228  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6. \??\c:\jjppp.exe  (cmd: c:\jjppp.exe)  PID:3404  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7. \??\c:\vdvjj.exe  (cmd: c:\vdvjj.exe)  PID:4632  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8. \??\c:\e84200.exe  (cmd: c:\e84200.exe)  PID:2896  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9. \??\c:\rlxrllx.exe  (cmd: c:\rlxrllx.exe)  PID:4736  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10. \??\c:\s0648.exe  (cmd: c:\s0648.exe)  PID:3024  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11. \??\c:\026044.exe  (cmd: c:\026044.exe)  PID:4768  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12. \??\c:\lxxllll.exe  (cmd: c:\lxxllll.exe)  PID:548  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13. \??\c:\28404.exe  (cmd: c:\28404.exe)  PID:740  [Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
14. \??\c:\u004826.exe  (cmd: c:\u004826.exe)  PID:1520  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15. \??\c:\w28200.exe  (cmd: c:\w28200.exe)  PID:2204  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16. \??\c:\thbhbh.exe  (cmd: c:\thbhbh.exe)  PID:3508  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17. \??\c:\u686004.exe  (cmd: c:\u686004.exe)  PID:1640  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
18. \??\c:\082608.exe  (cmd: c:\082608.exe)  PID:1000  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
19. \??\c:\bbnhhh.exe  (cmd: c:\bbnhhh.exe)  PID:3760  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
20. \??\c:\04268.exe  (cmd: c:\04268.exe)  PID:4808  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
21. \??\c:\6028844.exe  (cmd: c:\6028844.exe)  PID:1268  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
22. \??\c:\3ttnnt.exe  (cmd: c:\3ttnnt.exe)  PID:4876  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
23. \??\c:\62260.exe  (cmd: c:\62260.exe)  PID:1212  [Executes dropped EXE]
24. \??\c:\5bnhtt.exe  (cmd: c:\5bnhtt.exe)  PID:696  [Executes dropped EXE]
25. \??\c:\02848.exe  (cmd: c:\02848.exe)  PID:2640  [Executes dropped EXE]
26. \??\c:\064888.exe  (cmd: c:\064888.exe)  PID:5004  [Executes dropped EXE]
27. \??\c:\40602.exe  (cmd: c:\40602.exe)  PID:652  [Executes dropped EXE]
28. \??\c:\vjdjp.exe  (cmd: c:\vjdjp.exe)  PID:512  [Executes dropped EXE]
29. \??\c:\266002.exe  (cmd: c:\266002.exe)  PID:4792  [Executes dropped EXE]
30. \??\c:\6608620.exe  (cmd: c:\6608620.exe)  PID:2364  [Executes dropped EXE]
31. \??\c:\jdpvv.exe  (cmd: c:\jdpvv.exe)  PID:2444  [Executes dropped EXE; System Location Discovery: System Language Discovery]
32. \??\c:\6440444.exe  (cmd: c:\6440444.exe)  PID:988  [Executes dropped EXE]
33. \??\c:\hntttt.exe  (cmd: c:\hntttt.exe)  PID:1112  [Executes dropped EXE]
34. \??\c:\djpvp.exe  (cmd: c:\djpvp.exe)  PID:1696  [Executes dropped EXE]
35. \??\c:\pvpdj.exe  (cmd: c:\pvpdj.exe)  PID:4336  [Executes dropped EXE]
36. \??\c:\vvddd.exe  (cmd: c:\vvddd.exe)  PID:1976  [Executes dropped EXE]
37. \??\c:\0460666.exe  (cmd: c:\0460666.exe)  PID:2096  [Executes dropped EXE]
38. \??\c:\vpppp.exe  (cmd: c:\vpppp.exe)  PID:2312  [Executes dropped EXE]
39. \??\c:\42282.exe  (cmd: c:\42282.exe)  PID:1656  [Executes dropped EXE]
40. \??\c:\4002286.exe  (cmd: c:\4002286.exe)  PID:2744  [Executes dropped EXE]
41. \??\c:\fxrlllr.exe  (cmd: c:\fxrlllr.exe)  PID:3632  [Executes dropped EXE]
42. \??\c:\jvddv.exe  (cmd: c:\jvddv.exe)  PID:3276  [Executes dropped EXE]
43. \??\c:\8422864.exe  (cmd: c:\8422864.exe)  PID:3668  [Executes dropped EXE]
44. \??\c:\4066086.exe  (cmd: c:\4066086.exe)  PID:4112  [Executes dropped EXE]
45. \??\c:\bhtttn.exe  (cmd: c:\bhtttn.exe)  PID:4708  [Executes dropped EXE]
46. \??\c:\o648884.exe  (cmd: c:\o648884.exe)  PID:4568  [Executes dropped EXE]
47. \??\c:\rfrrrrr.exe  (cmd: c:\rfrrrrr.exe)  PID:2224  [Executes dropped EXE]
48. \??\c:\466666.exe  (cmd: c:\466666.exe)  PID:4820  [Executes dropped EXE]
49. \??\c:\pjvpd.exe  (cmd: c:\pjvpd.exe)  PID:2740  [Executes dropped EXE]
50. \??\c:\e42288.exe  (cmd: c:\e42288.exe)  PID:4972  [Executes dropped EXE]
51. \??\c:\k06044.exe  (cmd: c:\k06044.exe)  PID:2736  [Executes dropped EXE]
52. \??\c:\lxxrfxf.exe  (cmd: c:\lxxrfxf.exe)  PID:2000  [Executes dropped EXE]
53. \??\c:\668844.exe  (cmd: c:\668844.exe)  PID:1340  [Executes dropped EXE]
54. \??\c:\lfrlllx.exe  (cmd: c:\lfrlllx.exe)  PID:1980  [Executes dropped EXE]
55. \??\c:\64840.exe  (cmd: c:\64840.exe)  PID:1640  [Executes dropped EXE]
56. \??\c:\00666.exe  (cmd: c:\00666.exe)  PID:1924  [Executes dropped EXE]
57. \??\c:\6460606.exe  (cmd: c:\6460606.exe)  PID:2528  [Executes dropped EXE]
58. \??\c:\06482.exe  (cmd: c:\06482.exe)  PID:4404  [Executes dropped EXE]
59. \??\c:\pvvvp.exe  (cmd: c:\pvvvp.exe)  PID:1100  [Executes dropped EXE]
60. \??\c:\6046442.exe  (cmd: c:\6046442.exe)  PID:804  [Executes dropped EXE]
61. \??\c:\o848400.exe  (cmd: c:\o848400.exe)  PID:2836  [Executes dropped EXE]
62. \??\c:\28888.exe  (cmd: c:\28888.exe)  PID:2328  [Executes dropped EXE]
63. \??\c:\xlrxflr.exe  (cmd: c:\xlrxflr.exe)  PID:2824  [Executes dropped EXE]
64. \??\c:\1ttnnh.exe  (cmd: c:\1ttnnh.exe)  PID:956  [Executes dropped EXE]
65. \??\c:\1pvpp.exe  (cmd: c:\1pvpp.exe)  PID:4744  [Executes dropped EXE]
66. \??\c:\480220.exe  (cmd: c:\480220.exe)  PID:3804
67. \??\c:\nbnntn.exe  (cmd: c:\nbnntn.exe)  PID:1180
68. \??\c:\btnhbh.exe  (cmd: c:\btnhbh.exe)  PID:4356
69. \??\c:\pjjjp.exe  (cmd: c:\pjjjp.exe)  PID:4520
70. \??\c:\886800.exe  (cmd: c:\886800.exe)  PID:4912
71. \??\c:\806044.exe  (cmd: c:\806044.exe)  PID:3496
72. \??\c:\bnbbnb.exe  (cmd: c:\bnbbnb.exe)  PID:4256
73. \??\c:\pjjdv.exe  (cmd: c:\pjjdv.exe)  PID:988
74. \??\c:\628262.exe  (cmd: c:\628262.exe)  PID:1016
75. \??\c:\6622600.exe  (cmd: c:\6622600.exe)  PID:4240
76. \??\c:\httttt.exe  (cmd: c:\httttt.exe)  PID:3904
77. \??\c:\82260.exe  (cmd: c:\82260.exe)  PID:2692
78. \??\c:\4682684.exe  (cmd: c:\4682684.exe)  PID:2108
79. \??\c:\o622266.exe  (cmd: c:\o622266.exe)  PID:1976
80. \??\c:\xlrlllf.exe  (cmd: c:\xlrlllf.exe)  PID:4072
81. \??\c:\htbtnn.exe  (cmd: c:\htbtnn.exe)  PID:4632
82. \??\c:\1tbbbb.exe  (cmd: c:\1tbbbb.exe)  PID:1656
83. \??\c:\jjddv.exe  (cmd: c:\jjddv.exe)  PID:1768
84. \??\c:\hbtnnt.exe  (cmd: c:\hbtnnt.exe)  PID:2376
85. \??\c:\06820.exe  (cmd: c:\06820.exe)  PID:3248
86. \??\c:\jvjpd.exe  (cmd: c:\jvjpd.exe)  PID:4676
87. \??\c:\vvddd.exe  (cmd: c:\vvddd.exe)  PID:1296
88. \??\c:\jdjjj.exe  (cmd: c:\jdjjj.exe)  PID:1060
89. \??\c:\jvjjd.exe  (cmd: c:\jvjjd.exe)  PID:3888
90. \??\c:\dddvp.exe  (cmd: c:\dddvp.exe)  PID:4768
91. \??\c:\1jppd.exe  (cmd: c:\1jppd.exe)  PID:216
92. \??\c:\824220.exe  (cmd: c:\824220.exe)  PID:1520
93. \??\c:\02222.exe  (cmd: c:\02222.exe)  PID:2896
94. \??\c:\rrxxllr.exe  (cmd: c:\rrxxllr.exe)  PID:2320  [System Location Discovery: System Language Discovery]
95. \??\c:\lllfxrl.exe  (cmd: c:\lllfxrl.exe)  PID:3980
96. \??\c:\xrxxxxx.exe  (cmd: c:\xrxxxxx.exe)  PID:940
97. \??\c:\hbhnht.exe  (cmd: c:\hbhnht.exe)  PID:3508
98. \??\c:\vjpjd.exe  (cmd: c:\vjpjd.exe)  PID:1544
99. \??\c:\jjjdv.exe  (cmd: c:\jjjdv.exe)  PID:4644
100. \??\c:\m6826.exe  (cmd: c:\m6826.exe)  PID:1000
101. \??\c:\flrrxfr.exe  (cmd: c:\flrrxfr.exe)  PID:700
102. \??\c:\rxrxrrx.exe  (cmd: c:\rxrxrrx.exe)  PID:2860
103. \??\c:\0288266.exe  (cmd: c:\0288266.exe)  PID:1564
104. \??\c:\680066.exe  (cmd: c:\680066.exe)  PID:3348
105. \??\c:\6244848.exe  (cmd: c:\6244848.exe)  PID:2168
106. \??\c:\htthht.exe  (cmd: c:\htthht.exe)  PID:2064
107. \??\c:\7flfxff.exe  (cmd: c:\7flfxff.exe)  PID:1212
108. \??\c:\6284068.exe  (cmd: c:\6284068.exe)  PID:64
109. \??\c:\3djjj.exe  (cmd: c:\3djjj.exe)  PID:3548
110. \??\c:\2648660.exe  (cmd: c:\2648660.exe)  PID:4744
111. \??\c:\4840444.exe  (cmd: c:\4840444.exe)  PID:440
112. \??\c:\ttbbtb.exe  (cmd: c:\ttbbtb.exe)  PID:1396
113. \??\c:\nhtttb.exe  (cmd: c:\nhtttb.exe)  PID:4356
114. \??\c:\2622266.exe  (cmd: c:\2622266.exe)  PID:2776
115. \??\c:\8668822.exe  (cmd: c:\8668822.exe)  PID:4760
116. \??\c:\lrfxrrr.exe  (cmd: c:\lrfxrrr.exe)  PID:4244
117. \??\c:\i848220.exe  (cmd: c:\i848220.exe)  PID:4220
118. \??\c:\m8626.exe  (cmd: c:\m8626.exe)  PID:1888
119. \??\c:\bhhtnh.exe  (cmd: c:\bhhtnh.exe)  PID:1992
120. \??\c:\824404.exe  (cmd: c:\824404.exe)  PID:4336
121. \??\c:\0682666.exe  (cmd: c:\0682666.exe)  PID:1412
122. \??\c:\hhttnt.exe  (cmd: c:\hhttnt.exe)  PID:4824