Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2024, 23:43
Static task: static1
Behavioral task: behavioral1
Sample: eae9dbbc4f0714d30e7a0e99440f86c619205564bd4f47a8328adef3b3d02260.exe
Resource: win7-20240903-en
General
- Target: eae9dbbc4f0714d30e7a0e99440f86c619205564bd4f47a8328adef3b3d02260.exe
- Size: 454KB
- MD5: 24c370f1592c15f02284689804ab6cfe
- SHA1: 4527344624d7ec793a794a107e1915e7fad7fa95
- SHA256: eae9dbbc4f0714d30e7a0e99440f86c619205564bd4f47a8328adef3b3d02260
- SHA512: 771cffc7ddded9e20fe58c0c8be490d6706aa62651e8d3c9a67ebdb866728b8d3320ca488e9519d54a25684c7c3c1bf9215252516f3385647530209acd844ae5
- SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (55 IoCs: yara_rule family_blackmoon matched in the behavioral1 process memory dumps)
- Executes dropped EXE (64 IoCs; the dropped executables and their PIDs are listed in the process tree below)
- UPX packer (yara_rule upx matched in the behavioral1 process memory dumps)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Each IoC is a read of the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by one of the dropped processes.
- Suspicious use of WriteProcessMemory (64 IoCs: each process in the chain writes into the memory of the child it spawns, starting with PID 2100 writing to PID 2108)
Processes
One process per line: tree depth, image path, command line, PID, and the signatures matched on that process. Each process is spawned by the one listed above it.

1  C:\Users\Admin\AppData\Local\Temp\eae9dbbc4f0714d30e7a0e99440f86c619205564bd4f47a8328adef3b3d02260.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\eae9dbbc4f0714d30e7a0e99440f86c619205564bd4f47a8328adef3b3d02260.exe"  PID 2100  [Suspicious use of WriteProcessMemory]
2  \??\c:\5jdjv.exe  cmdline: c:\5jdjv.exe  PID 2108  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3  \??\c:\1rlrfrf.exe  cmdline: c:\1rlrfrf.exe  PID 2628  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4  \??\c:\xxrfxfr.exe  cmdline: c:\xxrfxfr.exe  PID 2920  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5  \??\c:\3bhnbn.exe  cmdline: c:\3bhnbn.exe  PID 292  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6  \??\c:\lrrxrfx.exe  cmdline: c:\lrrxrfx.exe  PID 2764  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7  \??\c:\jjjvd.exe  cmdline: c:\jjjvd.exe  PID 2804  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8  \??\c:\hhttbn.exe  cmdline: c:\hhttbn.exe  PID 2712  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9  \??\c:\bhhbth.exe  cmdline: c:\bhhbth.exe  PID 2724  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10  \??\c:\bbnthn.exe  cmdline: c:\bbnthn.exe  PID 2560  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11  \??\c:\1pjvp.exe  cmdline: c:\1pjvp.exe  PID 3012  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12  \??\c:\lxrxflx.exe  cmdline: c:\lxrxflx.exe  PID 2004  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13  \??\c:\bbtbnn.exe  cmdline: c:\bbtbnn.exe  PID 680  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14  \??\c:\llflrfr.exe  cmdline: c:\llflrfr.exe  PID 1196  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15  \??\c:\hhthnt.exe  cmdline: c:\hhthnt.exe  PID 1648  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16  \??\c:\xxrfxxr.exe  cmdline: c:\xxrfxxr.exe  PID 1044  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17  \??\c:\5bnhnb.exe  cmdline: c:\5bnhnb.exe  PID 388  [Executes dropped EXE]
18  \??\c:\7lflxxl.exe  cmdline: c:\7lflxxl.exe  PID 1644  [Executes dropped EXE]
19  \??\c:\tntnbb.exe  cmdline: c:\tntnbb.exe  PID 2608  [Executes dropped EXE]
20  \??\c:\9lxlrxr.exe  cmdline: c:\9lxlrxr.exe  PID 2884  [Executes dropped EXE]
21  \??\c:\hhhthh.exe  cmdline: c:\hhhthh.exe  PID 2888  [Executes dropped EXE]
22  \??\c:\xlxrfrf.exe  cmdline: c:\xlxrfrf.exe  PID 2504  [Executes dropped EXE]
23  \??\c:\nnnbht.exe  cmdline: c:\nnnbht.exe  PID 1628  [Executes dropped EXE]
24  \??\c:\tbbnhh.exe  cmdline: c:\tbbnhh.exe  PID 980  [Executes dropped EXE]
25  \??\c:\ttthht.exe  cmdline: c:\ttthht.exe  PID 1584  [Executes dropped EXE]
26  \??\c:\rffrflx.exe  cmdline: c:\rffrflx.exe  PID 1424  [Executes dropped EXE]
27  \??\c:\bnnbnh.exe  cmdline: c:\bnnbnh.exe  PID 2276  [Executes dropped EXE]
28  \??\c:\ntttht.exe  cmdline: c:\ntttht.exe  PID 2252  [Executes dropped EXE]
29  \??\c:\hnnbbt.exe  cmdline: c:\hnnbbt.exe  PID 1432  [Executes dropped EXE]
30  \??\c:\5bbntb.exe  cmdline: c:\5bbntb.exe  PID 756  [Executes dropped EXE]
31  \??\c:\3tbnnt.exe  cmdline: c:\3tbnnt.exe  PID 2992  [Executes dropped EXE]
32  \??\c:\hnnhtt.exe  cmdline: c:\hnnhtt.exe  PID 2092  [Executes dropped EXE; System Location Discovery: System Language Discovery]
33  \??\c:\nnntbt.exe  cmdline: c:\nnntbt.exe  PID 1608  [Executes dropped EXE]
34  \??\c:\nnbhtb.exe  cmdline: c:\nnbhtb.exe  PID 2484  [Executes dropped EXE]
35  \??\c:\nnnbnt.exe  cmdline: c:\nnnbnt.exe  PID 2656  [Executes dropped EXE]
36  \??\c:\5dvvd.exe  cmdline: c:\5dvvd.exe  PID 2356  [Executes dropped EXE]
37  \??\c:\xxxrxfr.exe  cmdline: c:\xxxrxfr.exe  PID 2812  [Executes dropped EXE]
38  \??\c:\7xrxlrl.exe  cmdline: c:\7xrxlrl.exe  PID 2676  [Executes dropped EXE]
39  \??\c:\btnnbh.exe  cmdline: c:\btnnbh.exe  PID 2556  [Executes dropped EXE]
40  \??\c:\dvppd.exe  cmdline: c:\dvppd.exe  PID 2872  [Executes dropped EXE]
41  \??\c:\1ddjd.exe  cmdline: c:\1ddjd.exe  PID 2572  [Executes dropped EXE]
42  \??\c:\fffrrxf.exe  cmdline: c:\fffrrxf.exe  PID 2800  [Executes dropped EXE]
43  \??\c:\1hhnbn.exe  cmdline: c:\1hhnbn.exe  PID 2580  [Executes dropped EXE]
44  \??\c:\3bthtb.exe  cmdline: c:\3bthtb.exe  PID 2560  [Executes dropped EXE; System Location Discovery: System Language Discovery]
45  \??\c:\vdpdj.exe  cmdline: c:\vdpdj.exe  PID 2592  [Executes dropped EXE]
46  \??\c:\5xlfllr.exe  cmdline: c:\5xlfllr.exe  PID 1848  [Executes dropped EXE]
47  \??\c:\llrlxfl.exe  cmdline: c:\llrlxfl.exe  PID 1748  [Executes dropped EXE]
48  \??\c:\tntnbh.exe  cmdline: c:\tntnbh.exe  PID 856  [Executes dropped EXE]
49  \??\c:\vpjjv.exe  cmdline: c:\vpjjv.exe  PID 324  [Executes dropped EXE]
50  \??\c:\5lrfxfx.exe  cmdline: c:\5lrfxfx.exe  PID 948  [Executes dropped EXE]
51  \??\c:\rxffflf.exe  cmdline: c:\rxffflf.exe  PID 2524  [Executes dropped EXE]
52  \??\c:\1nnhbt.exe  cmdline: c:\1nnhbt.exe  PID 1140  [Executes dropped EXE]
53  \??\c:\jjddp.exe  cmdline: c:\jjddp.exe  PID 1516  [Executes dropped EXE]
54  \??\c:\lfflxll.exe  cmdline: c:\lfflxll.exe  PID 2536  [Executes dropped EXE]
55  \??\c:\5xxfllr.exe  cmdline: c:\5xxfllr.exe  PID 1016  [Executes dropped EXE]
56  \??\c:\nntnhn.exe  cmdline: c:\nntnhn.exe  PID 1796  [Executes dropped EXE]
57  \??\c:\9dvvj.exe  cmdline: c:\9dvvj.exe  PID 2868  [Executes dropped EXE]
58  \??\c:\3pddj.exe  cmdline: c:\3pddj.exe  PID 2884  [Executes dropped EXE]
59  \??\c:\fxxxxfr.exe  cmdline: c:\fxxxxfr.exe  PID 1428  [Executes dropped EXE]
60  \??\c:\1httbb.exe  cmdline: c:\1httbb.exe  PID 1884  [Executes dropped EXE]
61  \??\c:\5hbbhn.exe  cmdline: c:\5hbbhn.exe  PID 2388  [Executes dropped EXE]
62  \??\c:\vpjpd.exe  cmdline: c:\vpjpd.exe  PID 1628  [Executes dropped EXE]
63  \??\c:\llflrfr.exe  cmdline: c:\llflrfr.exe  PID 980  [Executes dropped EXE]
64  \??\c:\1lffrxf.exe  cmdline: c:\1lffrxf.exe  PID 572  [Executes dropped EXE]
65  \??\c:\bhhttt.exe  cmdline: c:\bhhttt.exe  PID 2384  [Executes dropped EXE]
66  \??\c:\ppjpd.exe  cmdline: c:\ppjpd.exe  PID 3048
67  \??\c:\lfrxrrf.exe  cmdline: c:\lfrxrrf.exe  PID 1936
68  \??\c:\rlffrxf.exe  cmdline: c:\rlffrxf.exe  PID 2972
69  \??\c:\nhbhnt.exe  cmdline: c:\nhbhnt.exe  PID 880
70  \??\c:\3jdjv.exe  cmdline: c:\3jdjv.exe  PID 1672
71  \??\c:\xffxrxr.exe  cmdline: c:\xffxrxr.exe  PID 2344
72  \??\c:\llxfxfr.exe  cmdline: c:\llxfxfr.exe  PID 1756
73  \??\c:\5btbbb.exe  cmdline: c:\5btbbb.exe  PID 2336
74  \??\c:\pvvjv.exe  cmdline: c:\pvvjv.exe  PID 2632
75  \??\c:\9ddpd.exe  cmdline: c:\9ddpd.exe  PID 2160
76  \??\c:\9xllrxl.exe  cmdline: c:\9xllrxl.exe  PID 2220
77  \??\c:\btnthh.exe  cmdline: c:\btnthh.exe  PID 2640
78  \??\c:\7vppp.exe  cmdline: c:\7vppp.exe  PID 2748
79  \??\c:\9ddpj.exe  cmdline: c:\9ddpj.exe  PID 2660
80  \??\c:\flfxrxr.exe  cmdline: c:\flfxrxr.exe  PID 2684
81  \??\c:\9ntnbh.exe  cmdline: c:\9ntnbh.exe  PID 2804
82  \??\c:\hhtntb.exe  cmdline: c:\hhtntb.exe  PID 2716
83  \??\c:\jjjvj.exe  cmdline: c:\jjjvj.exe  PID 2444
84  \??\c:\7xrlfrf.exe  cmdline: c:\7xrlfrf.exe  PID 2664
85  \??\c:\xxxlxrl.exe  cmdline: c:\xxxlxrl.exe  PID 3064
86  \??\c:\bbbbnt.exe  cmdline: c:\bbbbnt.exe  PID 2360
87  \??\c:\ddvpj.exe  cmdline: c:\ddvpj.exe  PID 1904  [System Location Discovery: System Language Discovery]
88  \??\c:\ppvjd.exe  cmdline: c:\ppvjd.exe  PID 1920
89  \??\c:\fllrlxr.exe  cmdline: c:\fllrlxr.exe  PID 1852
90  \??\c:\btthth.exe  cmdline: c:\btthth.exe  PID 1888
91  \??\c:\hhntth.exe  cmdline: c:\hhntth.exe  PID 1196
92  \??\c:\9vpvd.exe  cmdline: c:\9vpvd.exe  PID 812
93  \??\c:\rrlfxfx.exe  cmdline: c:\rrlfxfx.exe  PID 624
94  \??\c:\rrrfrxl.exe  cmdline: c:\rrrfrxl.exe  PID 2020
95  \??\c:\bbhhtn.exe  cmdline: c:\bbhhtn.exe  PID 2784
96  \??\c:\vjvdj.exe  cmdline: c:\vjvdj.exe  PID 1200
97  \??\c:\jjjpd.exe  cmdline: c:\jjjpd.exe  PID 3008
98  \??\c:\llxxflx.exe  cmdline: c:\llxxflx.exe  PID 2144
99  \??\c:\nttbhn.exe  cmdline: c:\nttbhn.exe  PID 2876
100  \??\c:\vvvjd.exe  cmdline: c:\vvvjd.exe  PID 2756
101  \??\c:\jjjpv.exe  cmdline: c:\jjjpv.exe  PID 2532
102  \??\c:\llffrxx.exe  cmdline: c:\llffrxx.exe  PID 1120
103  \??\c:\ttnnbb.exe  cmdline: c:\ttnnbb.exe  PID 1008
104  \??\c:\nhhhtb.exe  cmdline: c:\nhhhtb.exe  PID 1712
105  \??\c:\djpdp.exe  cmdline: c:\djpdp.exe  PID 1552
106  \??\c:\lfxflrl.exe  cmdline: c:\lfxflrl.exe  PID 776
107  \??\c:\rllrfrx.exe  cmdline: c:\rllrfrx.exe  PID 2288
108  \??\c:\nnhhnn.exe  cmdline: c:\nnhhnn.exe  PID 2408
109  \??\c:\ppjvv.exe  cmdline: c:\ppjvv.exe  PID 2276
110  \??\c:\jddpd.exe  cmdline: c:\jddpd.exe  PID 3068
111  \??\c:\xxxxfrx.exe  cmdline: c:\xxxxfrx.exe  PID 496
112  \??\c:\nntbnt.exe  cmdline: c:\nntbnt.exe  PID 1696
113  \??\c:\jjdpd.exe  cmdline: c:\jjdpd.exe  PID 2980
114  \??\c:\ddvvv.exe  cmdline: c:\ddvvv.exe  PID 2344
115  \??\c:\3fxxlrf.exe  cmdline: c:\3fxxlrf.exe  PID 2284
116  \??\c:\hhhnbh.exe  cmdline: c:\hhhnbh.exe  PID 2336
117  \??\c:\1nntnn.exe  cmdline: c:\1nntnn.exe  PID 1608
118  \??\c:\vpjpv.exe  cmdline: c:\vpjpv.exe  PID 2160
119  \??\c:\9ffffrf.exe  cmdline: c:\9ffffrf.exe  PID 2220
120  \??\c:\ntbbnt.exe  cmdline: c:\ntbbnt.exe  PID 2680
121  \??\c:\3jjpd.exe  cmdline: c:\3jjpd.exe  PID 2752
122  \??\c:\xxxrfrl.exe  cmdline: c:\xxxrfrl.exe  PID 2768