Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10Dropper/Berbew.exe
windows7-x64
10Dropper/Berbew.exe
windows10-2004-x64
10Dropper/Phorphiex.exe
windows7-x64
10Dropper/Phorphiex.exe
windows10-2004-x64
10RAT/31.exe
windows7-x64
10RAT/31.exe
windows10-2004-x64
10RAT/XClient.exe
windows7-x64
10RAT/XClient.exe
windows10-2004-x64
10RAT/file.exe
windows7-x64
7RAT/file.exe
windows10-2004-x64
7Ransomware...-2.exe
windows7-x64
10Ransomware...-2.exe
windows10-2004-x64
10Ransomware...01.exe
windows7-x64
10Ransomware...01.exe
windows10-2004-x64
10Ransomware...lt.exe
windows7-x64
10Ransomware...lt.exe
windows10-2004-x64
10Stealers/Azorult.exe
windows7-x64
10Stealers/Azorult.exe
windows10-2004-x64
10Stealers/B...on.exe
windows7-x64
10Stealers/B...on.exe
windows10-2004-x64
10Stealers/Dridex.dll
windows7-x64
10Stealers/Dridex.dll
windows10-2004-x64
10Stealers/M..._2.exe
windows7-x64
10Stealers/M..._2.exe
windows10-2004-x64
10Stealers/lumma.exe
windows7-x64
10Stealers/lumma.exe
windows10-2004-x64
10Trojan/BetaBot.exe
windows7-x64
10Trojan/BetaBot.exe
windows10-2004-x64
10Trojan/Smo...er.exe
windows7-x64
10Trojan/Smo...er.exe
windows10-2004-x64
10Resubmissions
03/09/2024, 14:02
240903-rb57sazdqf 1003/09/2024, 13:51
240903-q59avszclf 1002/09/2024, 19:51
240902-yk8gtsxbpd 1002/09/2024, 02:27
240902-cxh7tazflg 1002/09/2024, 02:26
240902-cwxc2sygll 1021/06/2024, 19:37
240621-yca7cszgnd 1009/06/2024, 17:07
240609-vm7rjadd73 1013/05/2024, 17:36
240513-v6qblafe3y 1012/05/2024, 17:17
240512-vty3zafh5s 10Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03/09/2024, 14:02
Behavioral task
behavioral1
Sample
Dropper/Berbew.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
Dropper/Berbew.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
Behavioral task
behavioral3
Sample
Dropper/Phorphiex.exe
Resource
win7-20240903-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral4
Sample
Dropper/Phorphiex.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
10 signatures
150 seconds
Behavioral task
behavioral5
Sample
RAT/31.exe
Resource
win7-20240708-en
agenttesladanabotdharmaformbookgoziqakbotraccoon86920224spx1291590734339i0qiw9zagilenetbankercryptonedefense_evasiondiscoveryevasionexecutionimpactkeyloggerpackerpersistenceransomwareratrezer0rm3spywarestealertrojan
windows7-x64
48 signatures
150 seconds
Behavioral task
behavioral6
Sample
RAT/31.exe
Resource
win10v2004-20240802-en
agenttesladanabotdharmaformbookgoziraccoon86920224appi0qiw9zagilenetbankerbotnetcredential_accesscryptonedefense_evasiondiscoveryevasionexecutionimpactkeyloggerpackerpersistenceransomwareratrezer0rm3spywarestealertrojan
windows10-2004-x64
41 signatures
150 seconds
Behavioral task
behavioral7
Sample
RAT/XClient.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral8
Sample
RAT/XClient.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
13 signatures
150 seconds
Behavioral task
behavioral9
Sample
RAT/file.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral10
Sample
RAT/file.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral11
Sample
Ransomware/Client-2.exe
Resource
win7-20240903-en
windows7-x64
23 signatures
150 seconds
Behavioral task
behavioral12
Sample
Ransomware/Client-2.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
19 signatures
150 seconds
Behavioral task
behavioral13
Sample
Ransomware/criticalupdate01.exe
Resource
win7-20240903-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral14
Sample
Ransomware/criticalupdate01.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
11 signatures
150 seconds
Behavioral task
behavioral15
Sample
Ransomware/default.exe
Resource
win7-20240903-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral16
Sample
Ransomware/default.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
18 signatures
150 seconds
Behavioral task
behavioral17
Sample
Stealers/Azorult.exe
Resource
win7-20240704-en
azorultrmsaspackv2defense_evasiondiscoveryevasionexecutioninfostealerlateral_movementpersistenceprivilege_escalationrattrojanupx
windows7-x64
53 signatures
150 seconds
Behavioral task
behavioral18
Sample
Stealers/Azorult.exe
Resource
win10v2004-20240802-en
azorultrmsaspackv2defense_evasiondiscoveryevasionexecutioninfostealerlateral_movementpersistenceprivilege_escalationrattrojanupx
windows10-2004-x64
55 signatures
150 seconds
Behavioral task
behavioral19
Sample
Stealers/BlackMoon.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral20
Sample
Stealers/BlackMoon.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral21
Sample
Stealers/Dridex.dll
Resource
win7-20240708-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral22
Sample
Stealers/Dridex.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
11 signatures
150 seconds
Behavioral task
behavioral23
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win7-20240903-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral24
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
19 signatures
150 seconds
Behavioral task
behavioral25
Sample
Stealers/lumma.exe
Resource
win7-20240903-en
windows7-x64
1 signatures
150 seconds
Behavioral task
behavioral26
Sample
Stealers/lumma.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
150 seconds
Behavioral task
behavioral27
Sample
Trojan/BetaBot.exe
Resource
win7-20240903-en
windows7-x64
22 signatures
150 seconds
Behavioral task
behavioral28
Sample
Trojan/BetaBot.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
23 signatures
150 seconds
Behavioral task
behavioral29
Sample
Trojan/SmokeLoader.exe
Resource
win7-20240708-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral30
Sample
Trojan/SmokeLoader.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
Stealers/BlackMoon.exe
-
Size
387KB
-
MD5
336efa7460c08e3d47f29121742eb010
-
SHA1
f41c36cd83879d170309dede056563d35741b87b
-
SHA256
e6dd3fa33ad938b07c8978691f86b73e9f6fd84104b92f42566498bdb6b2930e
-
SHA512
e8d118fbe907a00d89c2514af4de475a0ea54943076bf90174234f77f2ec093a1246a0d4e78d1104a0dcda150b5441d28f4f3d1e768ecb20ae86383a99863c14
-
SSDEEP
12288:n3C9ytvngQjpUXoSWlnwJv90aKToFqwfN:SgdnJVU4TlnwJ6Goo
Malware Config
Signatures
-
Detect Blackmoon payload 21 IoCs
resource yara_rule behavioral19/memory/2544-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/2380-14-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/316-23-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/2980-46-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/2732-43-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/2968-66-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/2652-78-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/2620-91-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/776-109-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/1412-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/1200-127-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/2920-135-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/1916-144-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/1480-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/3040-171-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/2248-180-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/1196-207-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/1936-234-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/1960-243-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/1488-252-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral19/memory/2232-279-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
resource yara_rule behavioral19/memory/300-28971-0x0000000140000000-0x00000001405E8000-memory.dmp modiloader_stage2 -
Executes dropped EXE 64 IoCs
pid Process 2380 btnbbn.exe 316 vppjv.exe 2732 bnhbtt.exe 2980 tbtnnh.exe 2968 9nbhbh.exe 2652 hhtbnn.exe 2620 jpjpj.exe 3048 hnntnt.exe 776 lxxxlrf.exe 1412 bhbntt.exe 1200 xfxlxfx.exe 2920 tnhhtb.exe 1916 dddjd.exe 1480 9nnbnn.exe 1208 xlxffrl.exe 3040 jpdjj.exe 2248 3hhntt.exe 2104 ddjpd.exe 2304 tbnbtb.exe 1196 xfxlfxr.exe 1460 nhhtnt.exe 696 7rxlxxr.exe 1936 bhbnnn.exe 1960 fxxflrl.exe 1488 7bbhnh.exe 2340 xflflxl.exe 2068 btbbtt.exe 2232 fxfrfrr.exe 2236 jvdvj.exe 1436 llxrlrf.exe 2552 thhhhh.exe 2080 ffrlrll.exe 2084 hnthtn.exe 852 9vvdp.exe 2772 1fflrxr.exe 2880 3bnnbb.exe 2632 vvvjj.exe 2904 fxlxlll.exe 2952 hhthnn.exe 2800 hntnhb.exe 2644 djvjj.exe 2692 7lxflrx.exe 3052 bbthhb.exe 1768 dvjvv.exe 308 1rfrffx.exe 1112 hthhnt.exe 2612 dvppd.exe 1992 1pjpp.exe 1612 xxlrxxf.exe 2364 nnntht.exe 1732 5dvvv.exe 2384 lxlrrrf.exe 1208 bhtbhh.exe 2916 jpppd.exe 2204 rrlxlxf.exe 2472 rrlxrxf.exe 1580 thbnnn.exe 2352 jjdjv.exe 1196 ffrffxr.exe 2036 tnhbtn.exe 2172 jpdvd.exe 324 5jpjp.exe 1928 rllxrxl.exe 928 nnbbhh.exe -
resource yara_rule behavioral19/memory/2544-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2380-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/316-23-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2732-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2732-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2980-46-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2732-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2968-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2968-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2968-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2652-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2652-69-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2652-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2652-78-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2620-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2620-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2620-91-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/776-109-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/1412-117-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/1200-127-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2920-135-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/1916-144-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/1480-153-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/3040-171-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2248-180-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/1196-207-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/1936-234-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/1960-243-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/1488-252-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral19/memory/2232-279-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fflxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 300 Process not Found -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 300 Process not Found -
Suspicious use of FindShellTrayWindow 35 IoCs
pid Process 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found -
Suspicious use of SendNotifyMessage 35 IoCs
pid Process 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found 300 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2544 wrote to memory of 2380 2544 BlackMoon.exe 30 PID 2544 wrote to memory of 2380 2544 BlackMoon.exe 30 PID 2544 wrote to memory of 2380 2544 BlackMoon.exe 30 PID 2544 wrote to memory of 2380 2544 BlackMoon.exe 30 PID 2380 wrote to memory of 316 2380 btnbbn.exe 31 PID 2380 wrote to memory of 316 2380 btnbbn.exe 31 PID 2380 wrote to memory of 316 2380 btnbbn.exe 31 PID 2380 wrote to memory of 316 2380 btnbbn.exe 31 PID 316 wrote to memory of 2732 316 vppjv.exe 32 PID 316 wrote to memory of 2732 316 vppjv.exe 32 PID 316 wrote to memory of 2732 316 vppjv.exe 32 PID 316 wrote to memory of 2732 316 vppjv.exe 32 PID 2732 wrote to memory of 2980 2732 bnhbtt.exe 33 PID 2732 wrote to memory of 2980 2732 bnhbtt.exe 33 PID 2732 wrote to memory of 2980 2732 bnhbtt.exe 33 PID 2732 wrote to memory of 2980 2732 bnhbtt.exe 33 PID 2980 wrote to memory of 2968 2980 tbtnnh.exe 34 PID 2980 wrote to memory of 2968 2980 tbtnnh.exe 34 PID 2980 wrote to memory of 2968 2980 tbtnnh.exe 34 PID 2980 wrote to memory of 2968 2980 tbtnnh.exe 34 PID 2968 wrote to memory of 2652 2968 9nbhbh.exe 35 PID 2968 wrote to memory of 2652 2968 9nbhbh.exe 35 PID 2968 wrote to memory of 2652 2968 9nbhbh.exe 35 PID 2968 wrote to memory of 2652 2968 9nbhbh.exe 35 PID 2652 wrote to memory of 2620 2652 hhtbnn.exe 36 PID 2652 wrote to memory of 2620 2652 hhtbnn.exe 36 PID 2652 wrote to memory of 2620 2652 hhtbnn.exe 36 PID 2652 wrote to memory of 2620 2652 hhtbnn.exe 36 PID 2620 wrote to memory of 3048 2620 jpjpj.exe 37 PID 2620 wrote to memory of 3048 2620 jpjpj.exe 37 PID 2620 wrote to memory of 3048 2620 jpjpj.exe 37 PID 2620 wrote to memory of 3048 2620 jpjpj.exe 37 PID 3048 wrote to memory of 776 3048 hnntnt.exe 38 PID 3048 wrote to memory of 776 3048 hnntnt.exe 38 PID 3048 wrote to memory of 776 3048 hnntnt.exe 38 PID 3048 wrote to memory of 776 3048 hnntnt.exe 38 PID 776 wrote to memory of 1412 776 lxxxlrf.exe 39 PID 776 wrote to memory of 1412 776 lxxxlrf.exe 39 PID 776 wrote to memory of 1412 776 lxxxlrf.exe 39 PID 776 wrote to memory of 1412 776 lxxxlrf.exe 39 PID 1412 wrote to memory of 1200 1412 bhbntt.exe 40 PID 1412 wrote to memory of 1200 1412 bhbntt.exe 40 PID 1412 wrote to memory of 1200 1412 bhbntt.exe 40 PID 1412 wrote to memory of 1200 1412 bhbntt.exe 40 PID 1200 wrote to memory of 2920 1200 xfxlxfx.exe 41 PID 1200 wrote to memory of 2920 1200 xfxlxfx.exe 41 PID 1200 wrote to memory of 2920 1200 xfxlxfx.exe 41 PID 1200 wrote to memory of 2920 1200 xfxlxfx.exe 41 PID 2920 wrote to memory of 1916 2920 tnhhtb.exe 42 PID 2920 wrote to memory of 1916 2920 tnhhtb.exe 42 PID 2920 wrote to memory of 1916 2920 tnhhtb.exe 42 PID 2920 wrote to memory of 1916 2920 tnhhtb.exe 42 PID 1916 wrote to memory of 1480 1916 dddjd.exe 43 PID 1916 wrote to memory of 1480 1916 dddjd.exe 43 PID 1916 wrote to memory of 1480 1916 dddjd.exe 43 PID 1916 wrote to memory of 1480 1916 dddjd.exe 43 PID 1480 wrote to memory of 1208 1480 9nnbnn.exe 44 PID 1480 wrote to memory of 1208 1480 9nnbnn.exe 44 PID 1480 wrote to memory of 1208 1480 9nnbnn.exe 44 PID 1480 wrote to memory of 1208 1480 9nnbnn.exe 44 PID 1208 wrote to memory of 3040 1208 xlxffrl.exe 45 PID 1208 wrote to memory of 3040 1208 xlxffrl.exe 45 PID 1208 wrote to memory of 3040 1208 xlxffrl.exe 45 PID 1208 wrote to memory of 3040 1208 xlxffrl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"C:\Users\Admin\AppData\Local\Temp\Stealers\BlackMoon.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\btnbbn.exec:\btnbbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\vppjv.exec:\vppjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\bnhbtt.exec:\bnhbtt.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\tbtnnh.exec:\tbtnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\9nbhbh.exec:\9nbhbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\hhtbnn.exec:\hhtbnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\jpjpj.exec:\jpjpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\hnntnt.exec:\hnntnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\lxxxlrf.exec:\lxxxlrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\bhbntt.exec:\bhbntt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\xfxlxfx.exec:\xfxlxfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\tnhhtb.exec:\tnhhtb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\dddjd.exec:\dddjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\9nnbnn.exec:\9nnbnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\xlxffrl.exec:\xlxffrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\jpdjj.exec:\jpdjj.exe17⤵
- Executes dropped EXE
PID:3040 -
\??\c:\3hhntt.exec:\3hhntt.exe18⤵
- Executes dropped EXE
PID:2248 -
\??\c:\ddjpd.exec:\ddjpd.exe19⤵
- Executes dropped EXE
PID:2104 -
\??\c:\tbnbtb.exec:\tbnbtb.exe20⤵
- Executes dropped EXE
PID:2304 -
\??\c:\xfxlfxr.exec:\xfxlfxr.exe21⤵
- Executes dropped EXE
PID:1196 -
\??\c:\nhhtnt.exec:\nhhtnt.exe22⤵
- Executes dropped EXE
PID:1460 -
\??\c:\7rxlxxr.exec:\7rxlxxr.exe23⤵
- Executes dropped EXE
PID:696 -
\??\c:\bhbnnn.exec:\bhbnnn.exe24⤵
- Executes dropped EXE
PID:1936 -
\??\c:\fxxflrl.exec:\fxxflrl.exe25⤵
- Executes dropped EXE
PID:1960 -
\??\c:\7bbhnh.exec:\7bbhnh.exe26⤵
- Executes dropped EXE
PID:1488 -
\??\c:\xflflxl.exec:\xflflxl.exe27⤵
- Executes dropped EXE
PID:2340 -
\??\c:\btbbtt.exec:\btbbtt.exe28⤵
- Executes dropped EXE
PID:2068 -
\??\c:\fxfrfrr.exec:\fxfrfrr.exe29⤵
- Executes dropped EXE
PID:2232 -
\??\c:\jvdvj.exec:\jvdvj.exe30⤵
- Executes dropped EXE
PID:2236 -
\??\c:\llxrlrf.exec:\llxrlrf.exe31⤵
- Executes dropped EXE
PID:1436 -
\??\c:\thhhhh.exec:\thhhhh.exe32⤵
- Executes dropped EXE
PID:2552 -
\??\c:\ffrlrll.exec:\ffrlrll.exe33⤵
- Executes dropped EXE
PID:2080 -
\??\c:\hnthtn.exec:\hnthtn.exe34⤵
- Executes dropped EXE
PID:2084 -
\??\c:\9vvdp.exec:\9vvdp.exe35⤵
- Executes dropped EXE
PID:852 -
\??\c:\1fflrxr.exec:\1fflrxr.exe36⤵
- Executes dropped EXE
PID:2772 -
\??\c:\3bnnbb.exec:\3bnnbb.exe37⤵
- Executes dropped EXE
PID:2880 -
\??\c:\vvvjj.exec:\vvvjj.exe38⤵
- Executes dropped EXE
PID:2632 -
\??\c:\fxlxlll.exec:\fxlxlll.exe39⤵
- Executes dropped EXE
PID:2904 -
\??\c:\hhthnn.exec:\hhthnn.exe40⤵
- Executes dropped EXE
PID:2952 -
\??\c:\hntnhb.exec:\hntnhb.exe41⤵
- Executes dropped EXE
PID:2800 -
\??\c:\djvjj.exec:\djvjj.exe42⤵
- Executes dropped EXE
PID:2644 -
\??\c:\7lxflrx.exec:\7lxflrx.exe43⤵
- Executes dropped EXE
PID:2692 -
\??\c:\bbthhb.exec:\bbthhb.exe44⤵
- Executes dropped EXE
PID:3052 -
\??\c:\dvjvv.exec:\dvjvv.exe45⤵
- Executes dropped EXE
PID:1768 -
\??\c:\1rfrffx.exec:\1rfrffx.exe46⤵
- Executes dropped EXE
PID:308 -
\??\c:\hthhnt.exec:\hthhnt.exe47⤵
- Executes dropped EXE
PID:1112 -
\??\c:\dvppd.exec:\dvppd.exe48⤵
- Executes dropped EXE
PID:2612 -
\??\c:\1pjpp.exec:\1pjpp.exe49⤵
- Executes dropped EXE
PID:1992 -
\??\c:\xxlrxxf.exec:\xxlrxxf.exe50⤵
- Executes dropped EXE
PID:1612 -
\??\c:\nnntht.exec:\nnntht.exe51⤵
- Executes dropped EXE
PID:2364 -
\??\c:\5dvvv.exec:\5dvvv.exe52⤵
- Executes dropped EXE
PID:1732 -
\??\c:\lxlrrrf.exec:\lxlrrrf.exe53⤵
- Executes dropped EXE
PID:2384 -
\??\c:\bhtbhh.exec:\bhtbhh.exe54⤵
- Executes dropped EXE
PID:1208 -
\??\c:\jpppd.exec:\jpppd.exe55⤵
- Executes dropped EXE
PID:2916 -
\??\c:\rrlxlxf.exec:\rrlxlxf.exe56⤵
- Executes dropped EXE
PID:2204 -
\??\c:\rrlxrxf.exec:\rrlxrxf.exe57⤵
- Executes dropped EXE
PID:2472 -
\??\c:\thbnnn.exec:\thbnnn.exe58⤵
- Executes dropped EXE
PID:1580 -
\??\c:\jjdjv.exec:\jjdjv.exe59⤵
- Executes dropped EXE
PID:2352 -
\??\c:\ffrffxr.exec:\ffrffxr.exe60⤵
- Executes dropped EXE
PID:1196 -
\??\c:\tnhbtn.exec:\tnhbtn.exe61⤵
- Executes dropped EXE
PID:2036 -
\??\c:\jpdvd.exec:\jpdvd.exe62⤵
- Executes dropped EXE
PID:2172 -
\??\c:\5jpjp.exec:\5jpjp.exe63⤵
- Executes dropped EXE
PID:324 -
\??\c:\rllxrxl.exec:\rllxrxl.exe64⤵
- Executes dropped EXE
PID:1928 -
\??\c:\nnbbhh.exec:\nnbbhh.exe65⤵
- Executes dropped EXE
PID:928 -
\??\c:\3vjvd.exec:\3vjvd.exe66⤵PID:2344
-
\??\c:\rxxxxxx.exec:\rxxxxxx.exe67⤵PID:1256
-
\??\c:\lfrlxlx.exec:\lfrlxlx.exe68⤵PID:2964
-
\??\c:\hhhnbb.exec:\hhhnbb.exe69⤵PID:1152
-
\??\c:\jjjjv.exec:\jjjjv.exe70⤵PID:2956
-
\??\c:\rrlxlxx.exec:\rrlxlxx.exe71⤵PID:1552
-
\??\c:\3ttbth.exec:\3ttbth.exe72⤵PID:3032
-
\??\c:\pjjvj.exec:\pjjvj.exe73⤵PID:2592
-
\??\c:\jddjv.exec:\jddjv.exe74⤵PID:1532
-
\??\c:\rxfrrll.exec:\rxfrrll.exe75⤵PID:2720
-
\??\c:\bhttbn.exec:\bhttbn.exe76⤵PID:2908
-
\??\c:\jjjvp.exec:\jjjvp.exe77⤵PID:852
-
\??\c:\fxllrfr.exec:\fxllrfr.exe78⤵PID:2496
-
\??\c:\bttbnh.exec:\bttbnh.exe79⤵PID:2860
-
\??\c:\pjdjv.exec:\pjdjv.exe80⤵PID:2812
-
\??\c:\jjdjp.exec:\jjdjp.exe81⤵PID:1524
-
\??\c:\lrfxrfl.exec:\lrfxrfl.exe82⤵PID:2652
-
\??\c:\bhthth.exec:\bhthth.exe83⤵PID:1668
-
\??\c:\vvpjv.exec:\vvpjv.exe84⤵PID:2796
-
\??\c:\3lxfflx.exec:\3lxfflx.exe85⤵PID:624
-
\??\c:\ffxfrxl.exec:\ffxfrxl.exe86⤵PID:1592
-
\??\c:\hbhhnn.exec:\hbhhnn.exe87⤵
- System Location Discovery: System Language Discovery
PID:776 -
\??\c:\5vjvd.exec:\5vjvd.exe88⤵PID:1108
-
\??\c:\rxlffxx.exec:\rxlffxx.exe89⤵PID:2836
-
\??\c:\tbhhbb.exec:\tbhhbb.exe90⤵PID:1736
-
\??\c:\dvjjj.exec:\dvjjj.exe91⤵PID:2924
-
\??\c:\fxfxxxf.exec:\fxfxxxf.exe92⤵PID:380
-
\??\c:\5nbntb.exec:\5nbntb.exe93⤵PID:1660
-
\??\c:\vppdj.exec:\vppdj.exe94⤵PID:2664
-
\??\c:\pjjdj.exec:\pjjdj.exe95⤵PID:2940
-
\??\c:\xfrlrff.exec:\xfrlrff.exe96⤵PID:2220
-
\??\c:\3tnttt.exec:\3tnttt.exe97⤵PID:2476
-
\??\c:\hbthnb.exec:\hbthnb.exe98⤵PID:1900
-
\??\c:\pjvvj.exec:\pjvvj.exe99⤵PID:2456
-
\??\c:\xxxxfxx.exec:\xxxxfxx.exe100⤵PID:1580
-
\??\c:\bbnhbt.exec:\bbnhbt.exe101⤵PID:1300
-
\??\c:\vdddv.exec:\vdddv.exe102⤵PID:1460
-
\??\c:\xflxrfl.exec:\xflxrfl.exe103⤵PID:3000
-
\??\c:\ffrlrrl.exec:\ffrlrrl.exe104⤵PID:1728
-
\??\c:\pppvp.exec:\pppvp.exe105⤵PID:1604
-
\??\c:\ppdjd.exec:\ppdjd.exe106⤵PID:320
-
\??\c:\xfxlrxl.exec:\xfxlrxl.exe107⤵PID:1684
-
\??\c:\tbnnnh.exec:\tbnnnh.exe108⤵PID:2556
-
\??\c:\hbbhtb.exec:\hbbhtb.exe109⤵PID:300
-
\??\c:\dpddp.exec:\dpddp.exe110⤵PID:2020
-
\??\c:\xlxrfxr.exec:\xlxrfxr.exe111⤵PID:3036
-
\??\c:\httthb.exec:\httthb.exe112⤵PID:3016
-
\??\c:\ntnthn.exec:\ntnthn.exe113⤵PID:1440
-
\??\c:\5jjpj.exec:\5jjpj.exe114⤵PID:2100
-
\??\c:\xxxlfrl.exec:\xxxlfrl.exe115⤵PID:1644
-
\??\c:\hhttbh.exec:\hhttbh.exe116⤵PID:2460
-
\??\c:\tbbtbb.exec:\tbbtbb.exe117⤵PID:316
-
\??\c:\pvjvp.exec:\pvjvp.exe118⤵PID:2756
-
\??\c:\rflxxlf.exec:\rflxxlf.exe119⤵PID:2732
-
\??\c:\nhthbn.exec:\nhthbn.exe120⤵PID:2860
-
\??\c:\bntnbb.exec:\bntnbb.exe121⤵PID:2900
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-