Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/12/2024, 00:28
Behavioral task: behavioral1
- Sample: c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe
- Resource: win7-20240903-en
General
- Target: c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe
- Size: 332KB
- MD5: 557ed787bced7e444ccf6021227a8ce7
- SHA1: 6ea7f7320f3ba030684e9d43f93f296ca0385f44
- SHA256: c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6
- SHA512: 719708aaf8303f4a08f06960bbcf3bca67699d9c006af778eb6f293b074e318c227c0fdcd591872f7b2407fe095c8138f3c9933f2e3b179373574f63ba8566de
- SSDEEP: 6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeHN:R4wFHoSHYHUrAwfMp3CDHN
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (41 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Columns: nesting depth in the process tree, image path, command line, PID, matched signatures.
1  C:\Users\Admin\AppData\Local\Temp\c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe  "C:\Users\Admin\AppData\Local\Temp\c5aa6e271f5f845ca2f324ece7dad3cbaf459261cb51024ed8b207e1234a59b6.exe"  PID:2260  Suspicious use of WriteProcessMemory
2  \??\c:\fxrrflx.exe  c:\fxrrflx.exe  PID:2252  Executes dropped EXE; Suspicious use of WriteProcessMemory
3  \??\c:\nnnhbn.exe  c:\nnnhbn.exe  PID:2856  Executes dropped EXE; Suspicious use of WriteProcessMemory
4  \??\c:\dpjdj.exe  c:\dpjdj.exe  PID:2836  Executes dropped EXE; Suspicious use of WriteProcessMemory
5  \??\c:\9lrrfxl.exe  c:\9lrrfxl.exe  PID:2576  Executes dropped EXE; Suspicious use of WriteProcessMemory
6  \??\c:\5jvdd.exe  c:\5jvdd.exe  PID:2596  Executes dropped EXE; Suspicious use of WriteProcessMemory
7  \??\c:\vpvdv.exe  c:\vpvdv.exe  PID:2744  Executes dropped EXE; Suspicious use of WriteProcessMemory
8  \??\c:\llfrlxx.exe  c:\llfrlxx.exe  PID:2580  Executes dropped EXE; Suspicious use of WriteProcessMemory
9  \??\c:\hnthtt.exe  c:\hnthtt.exe  PID:1592  Executes dropped EXE; Suspicious use of WriteProcessMemory
10  \??\c:\rrlxfrx.exe  c:\rrlxfrx.exe  PID:2088  Executes dropped EXE; Suspicious use of WriteProcessMemory
11  \??\c:\vvvjp.exe  c:\vvvjp.exe  PID:1992  Executes dropped EXE; Suspicious use of WriteProcessMemory
12  \??\c:\5llxrxl.exe  c:\5llxrxl.exe  PID:3020  Executes dropped EXE; Suspicious use of WriteProcessMemory
13  \??\c:\nbhbhb.exe  c:\nbhbhb.exe  PID:1776  Executes dropped EXE; Suspicious use of WriteProcessMemory
14  \??\c:\llxflrf.exe  c:\llxflrf.exe  PID:2628  Executes dropped EXE; Suspicious use of WriteProcessMemory
15  \??\c:\btbntb.exe  c:\btbntb.exe  PID:1864  Executes dropped EXE; Suspicious use of WriteProcessMemory
16  \??\c:\hhbnbb.exe  c:\hhbnbb.exe  PID:1996  Executes dropped EXE; Suspicious use of WriteProcessMemory
17  \??\c:\jjppp.exe  c:\jjppp.exe  PID:1000  Executes dropped EXE
18  \??\c:\nntntb.exe  c:\nntntb.exe  PID:2196  Executes dropped EXE
19  \??\c:\3vdvv.exe  c:\3vdvv.exe  PID:2800  Executes dropped EXE
20  \??\c:\5xllxrf.exe  c:\5xllxrf.exe  PID:2188  Executes dropped EXE
21  \??\c:\7pvjd.exe  c:\7pvjd.exe  PID:2240  Executes dropped EXE
22  \??\c:\vjddj.exe  c:\vjddj.exe  PID:2496  Executes dropped EXE
23  \??\c:\btbhnn.exe  c:\btbhnn.exe  PID:2224  Executes dropped EXE
24  \??\c:\bnbttn.exe  c:\bnbttn.exe  PID:1356  Executes dropped EXE
25  \??\c:\5dddd.exe  c:\5dddd.exe  PID:2336  Executes dropped EXE
26  \??\c:\bbhbtb.exe  c:\bbhbtb.exe  PID:1656  Executes dropped EXE
27  \??\c:\pjjvj.exe  c:\pjjvj.exe  PID:1752  Executes dropped EXE
28  \??\c:\1xfxfxf.exe  c:\1xfxfxf.exe  PID:1784  Executes dropped EXE
29  \??\c:\pdvvj.exe  c:\pdvvj.exe  PID:1708  Executes dropped EXE
30  \??\c:\5rxflrf.exe  c:\5rxflrf.exe  PID:1040  Executes dropped EXE
31  \??\c:\tnbhtb.exe  c:\tnbhtb.exe  PID:2276  Executes dropped EXE
32  \??\c:\jjpvd.exe  c:\jjpvd.exe  PID:1552  Executes dropped EXE
33  \??\c:\ffxrrlf.exe  c:\ffxrrlf.exe  PID:976  Executes dropped EXE
34  \??\c:\nnhnbn.exe  c:\nnhnbn.exe  PID:2492  Executes dropped EXE
35  \??\c:\pdjjj.exe  c:\pdjjj.exe  PID:980  Executes dropped EXE
36  \??\c:\fflrrrf.exe  c:\fflrrrf.exe  PID:860  Executes dropped EXE
37  \??\c:\5ntnth.exe  c:\5ntnth.exe  PID:2988  Executes dropped EXE
38  \??\c:\hhhtbh.exe  c:\hhhtbh.exe  PID:2260  Executes dropped EXE
39  \??\c:\pvdjv.exe  c:\pvdjv.exe  PID:2680  Executes dropped EXE
40  \??\c:\llrrffr.exe  c:\llrrffr.exe  PID:2720  Executes dropped EXE
41  \??\c:\5hhntt.exe  c:\5hhntt.exe  PID:1580  Executes dropped EXE
42  \??\c:\9djvp.exe  c:\9djvp.exe  PID:2844  Executes dropped EXE
43  \??\c:\pjjpv.exe  c:\pjjpv.exe  PID:2904  Executes dropped EXE
44  \??\c:\fxlfrlx.exe  c:\fxlfrlx.exe  PID:2352  Executes dropped EXE
45  \??\c:\hbnbht.exe  c:\hbnbht.exe  PID:1328  Executes dropped EXE
46  \??\c:\9tthtb.exe  c:\9tthtb.exe  PID:1440  Executes dropped EXE
47  \??\c:\dpvdp.exe  c:\dpvdp.exe  PID:2588  Executes dropped EXE
48  \??\c:\rflrxfl.exe  c:\rflrxfl.exe  PID:2648  Executes dropped EXE
49  \??\c:\9btbbb.exe  c:\9btbbb.exe  PID:2108  Executes dropped EXE
50  \??\c:\3bnnnn.exe  c:\3bnnnn.exe  PID:1232  Executes dropped EXE
51  \??\c:\jvddd.exe  c:\jvddd.exe  PID:864  Executes dropped EXE
52  \??\c:\xrxxxfl.exe  c:\xrxxxfl.exe  PID:2124  Executes dropped EXE
53  \??\c:\lrlfxrx.exe  c:\lrlfxrx.exe  PID:3032  Executes dropped EXE
54  \??\c:\9bhhnn.exe  c:\9bhhnn.exe  PID:2284  Executes dropped EXE
55  \??\c:\9dpjj.exe  c:\9dpjj.exe  PID:1776  Executes dropped EXE
56  \??\c:\jdpvp.exe  c:\jdpvp.exe  PID:2936  Executes dropped EXE
57  \??\c:\rffffxf.exe  c:\rffffxf.exe  PID:2888  Executes dropped EXE
58  \??\c:\nhttht.exe  c:\nhttht.exe  PID:2000  Executes dropped EXE
59  \??\c:\jdppj.exe  c:\jdppj.exe  PID:2928  Executes dropped EXE
60  \??\c:\vjpjp.exe  c:\vjpjp.exe  PID:2452  Executes dropped EXE
61  \??\c:\rfrrrlr.exe  c:\rfrrrlr.exe  PID:2448  Executes dropped EXE
62  \??\c:\9rfxffx.exe  c:\9rfxffx.exe  PID:1504  Executes dropped EXE
63  \??\c:\thntbb.exe  c:\thntbb.exe  PID:1764  Executes dropped EXE
64  \??\c:\9pjjd.exe  c:\9pjjd.exe  PID:2128  Executes dropped EXE
65  \??\c:\5djjd.exe  c:\5djjd.exe  PID:1760  Executes dropped EXE; System Location Discovery: System Language Discovery
66  \??\c:\frrrrrr.exe  c:\frrrrrr.exe  PID:2144  System Location Discovery: System Language Discovery
67  \??\c:\7bhhtn.exe  c:\7bhhtn.exe  PID:1388
68  \??\c:\3thnhh.exe  c:\3thnhh.exe  PID:2236
69  \??\c:\jvjdd.exe  c:\jvjdd.exe  PID:2460  System Location Discovery: System Language Discovery
70  \??\c:\pjdjv.exe  c:\pjdjv.exe  PID:2432
71  \??\c:\3xlfllr.exe  c:\3xlfllr.exe  PID:1180
72  \??\c:\5bnnnt.exe  c:\5bnnnt.exe  PID:1956
73  \??\c:\htntnn.exe  c:\htntnn.exe  PID:2672
74  \??\c:\pjdjp.exe  c:\pjdjp.exe  PID:1752
75  \??\c:\fxfrxfl.exe  c:\fxfrxfl.exe  PID:1772
76  \??\c:\xrflrxf.exe  c:\xrflrxf.exe  PID:1528
77  \??\c:\5htntn.exe  c:\5htntn.exe  PID:1636
78  \??\c:\vvpjp.exe  c:\vvpjp.exe  PID:2420
79  \??\c:\vjvpp.exe  c:\vjvpp.exe  PID:2504
80  \??\c:\lffxxrx.exe  c:\lffxxrx.exe  PID:2656
81  \??\c:\1tbbtn.exe  c:\1tbbtn.exe  PID:2296
82  \??\c:\7hthth.exe  c:\7hthth.exe  PID:2476
83  \??\c:\pjppp.exe  c:\pjppp.exe  PID:1268
84  \??\c:\vvvjd.exe  c:\vvvjd.exe  PID:980
85  \??\c:\5rrrrll.exe  c:\5rrrrll.exe  PID:1484
86  \??\c:\bbtthn.exe  c:\bbtthn.exe  PID:2988
87  \??\c:\hbhnnn.exe  c:\hbhnnn.exe  PID:3052
88  \??\c:\pjdjd.exe  c:\pjdjd.exe  PID:2856
89  \??\c:\3rrxxfx.exe  c:\3rrxxfx.exe  PID:1548
90  \??\c:\lrlflrf.exe  c:\lrlflrf.exe  PID:1688
91  \??\c:\hbhhhn.exe  c:\hbhhhn.exe  PID:2724
92  \??\c:\btnnnn.exe  c:\btnnnn.exe  PID:2688
93  \??\c:\dpddp.exe  c:\dpddp.exe  PID:1804
94  \??\c:\9frfrlx.exe  c:\9frfrlx.exe  PID:2876
95  \??\c:\tnnthn.exe  c:\tnnthn.exe  PID:2612
96  \??\c:\hbbhnt.exe  c:\hbbhnt.exe  PID:2600
97  \??\c:\vpjpv.exe  c:\vpjpv.exe  PID:2080
98  \??\c:\vvppv.exe  c:\vvppv.exe  PID:996
99  \??\c:\5xrflrr.exe  c:\5xrflrr.exe  PID:1524
100  \??\c:\bbnhth.exe  c:\bbnhth.exe  PID:1296
101  \??\c:\vpddj.exe  c:\vpddj.exe  PID:2124
102  \??\c:\ddpdp.exe  c:\ddpdp.exe  PID:372
103  \??\c:\rlxxxxf.exe  c:\rlxxxxf.exe  PID:2064
104  \??\c:\rrxflrf.exe  c:\rrxflrf.exe  PID:396
105  \??\c:\bnhhnt.exe  c:\bnhhnt.exe  PID:1004
106  \??\c:\nbthbb.exe  c:\nbthbb.exe  PID:2628
107  \??\c:\9jjdj.exe  c:\9jjdj.exe  PID:2040
108  \??\c:\jdvdd.exe  c:\jdvdd.exe  PID:2020
109  \??\c:\fxlrlfx.exe  c:\fxlrlfx.exe  PID:2452
110  \??\c:\nhntbb.exe  c:\nhntbb.exe  PID:2448
111  \??\c:\vddpj.exe  c:\vddpj.exe  PID:2200
112  \??\c:\ddpdj.exe  c:\ddpdj.exe  PID:2180
113  \??\c:\7rxrrrr.exe  c:\7rxrrrr.exe  PID:2208
114  \??\c:\fflxxfl.exe  c:\fflxxfl.exe  PID:2216
115  \??\c:\1tbhhn.exe  c:\1tbhhn.exe  PID:2144
116  \??\c:\pppvj.exe  c:\pppvj.exe  PID:1792
117  \??\c:\dpddj.exe  c:\dpddj.exe  PID:1852
118  \??\c:\lfxfrfr.exe  c:\lfxfrfr.exe  PID:2460
119  \??\c:\xrrxlrf.exe  c:\xrrxlrf.exe  PID:2432
120  \??\c:\hhbnbt.exe  c:\hhbnbt.exe  PID:848
121  \??\c:\dvvjv.exe  c:\dvvjv.exe  PID:872
122  \??\c:\ppjjd.exe  c:\ppjjd.exe  PID:944