Analysis
  max time kernel: 120s
  max time network: 17s
  platform: windows7_x64
  resource: win7-20240729-en
  resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted: 26/12/2024, 15:45
Static task: static1
Behavioral task: behavioral1
  Sample: 16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe
  Resource: win7-20240729-en
General
  Target: 16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe
  Size: 456KB
  MD5: 69082df138681363674c31f41a442980
  SHA1: 374a52e1777ffe981fba29df4ea92fe5a3742fcc
  SHA256: 16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49
  SHA512: 8e471385a2207b0b6771eb2eb14cc0fc074191399772fe8f4abb91a7689671fc34fec6f9da47b16a10dea7d1f889cb51f8ca482f4b9b513872ea1605d6e0e2e3
  SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRN:q7Tc2NYHUrAwfMp3CDRN
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (43 IoCs)
  resource  yara_rule
  behavioral1/memory/2216-7-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2676-16-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2684-27-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1668-39-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2584-59-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2592-69-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/3016-79-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1532-81-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1716-98-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1396-108-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2068-126-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2844-134-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
  behavioral1/memory/2884-139-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1888-149-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1768-164-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2376-173-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2200-182-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2396-191-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1812-218-0x00000000003A0000-0x00000000003CA000-memory.dmp  family_blackmoon
  behavioral1/memory/676-227-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1448-236-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1812-246-0x00000000003A0000-0x00000000003CA000-memory.dmp  family_blackmoon
  behavioral1/memory/304-254-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/388-263-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/3048-289-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2216-306-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1656-313-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2572-362-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2708-376-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/3008-391-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
  behavioral1/memory/1132-390-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1944-432-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
  behavioral1/memory/1768-455-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/1120-480-0x00000000003A0000-0x00000000003CA000-memory.dmp  family_blackmoon
  behavioral1/memory/2768-584-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2176-603-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2664-616-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2896-702-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
  behavioral1/memory/2264-822-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
  behavioral1/memory/1716-943-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
  behavioral1/memory/2036-950-0x00000000001C0000-0x00000000001EA000-memory.dmp  family_blackmoon
  behavioral1/memory/884-1043-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
  behavioral1/memory/1692-1344-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
- Executes dropped EXE (64 IoCs)
  pid   Process
  2676  bbthht.exe
  2684  hnhtht.exe
  1668  jjdpv.exe
  2868  vdvdp.exe
  2584  xlxlrlx.exe
  2592  1jdjd.exe
  3016  fxflflr.exe
  1532  lxrlflx.exe
  1716  httnht.exe
  1396  5fflxlx.exe
  2348  nbnhnt.exe
  2068  ttnnhb.exe
  2844  nnhnbn.exe
  2884  nnhbtb.exe
  1888  bhbtnt.exe
  1768  fffrflf.exe
  2376  pdvvd.exe
  2200  nbhnth.exe
  2396  jppvv.exe
  936   bbhtnt.exe
  1480  nbthbn.exe
  1812  bbtbht.exe
  676   9nnbnb.exe
  1448  5thtnb.exe
  2076  7nnbbn.exe
  304   lrxfrxl.exe
  388   9hbnnb.exe
  2056  xflxrxl.exe
  1124  7nnbbh.exe
  3048  lrlxlxr.exe
  1756  hthhth.exe
  2216  rlffrlx.exe
  1656  thhttn.exe
  2680  jpjpd.exe
  2788  3llrfrf.exe
  2804  rfflxfx.exe
  2864  5btbnt.exe
  2576  vjddd.exe
  2524  lxxlfll.exe
  2600  9rrxrxl.exe
  2572  nhnbbn.exe
  3008  1ppjp.exe
  2708  xlfxlrf.exe
  1808  bnnnht.exe
  1132  dpjvj.exe
  2172  3flrxlx.exe
  2212  nbtbtb.exe
  2324  dvpdp.exe
  2848  xflxfxl.exe
  2880  5bbbnh.exe
  2844  nnbthh.exe
  1944  1djvj.exe
  1604  1llrflr.exe
  2748  hnthht.exe
  1768  pvjjj.exe
  1680  5vppp.exe
  2104  rrfrlrf.exe
  1464  nththt.exe
  1120  5pddp.exe
  2128  5lllxff.exe
  1236  rrfllrl.exe
  1940  hnhntb.exe
  2416  9dpvd.exe
  1952  xrflxlr.exe
  resource  yara_rule
  behavioral1/memory/2216-0-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2216-7-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2676-16-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2684-27-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2868-40-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1668-39-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2592-60-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2584-59-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2592-69-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/3016-79-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1532-81-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1396-99-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1716-98-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1396-108-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2068-118-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2068-126-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2844-134-0x0000000000220000-0x000000000024A000-memory.dmp  upx
  behavioral1/memory/2884-139-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1888-149-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1768-156-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1768-164-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2376-173-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2200-182-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2396-191-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/676-227-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1448-236-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/304-254-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/388-263-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2056-265-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/3048-289-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2216-306-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1656-313-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2572-362-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2708-376-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1132-390-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2212-398-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2324-405-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1944-432-0x0000000000220000-0x000000000024A000-memory.dmp  upx
  behavioral1/memory/1768-455-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/344-517-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2768-584-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2176-603-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2664-616-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/3012-629-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2896-702-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1716-943-0x00000000001B0000-0x00000000001DA000-memory.dmp  upx
  behavioral1/memory/2116-951-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/532-1044-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/2004-1051-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1160-1267-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1812-1323-0x0000000000400000-0x000000000042A000-memory.dmp  upx
  behavioral1/memory/1692-1344-0x0000000000220000-0x000000000024A000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vvdvp.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tnhnnb.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9lfrflx.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  frxrfxr.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5bnbnt.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1vdjv.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3hbbhn.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  thttbn.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xfflrxx.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vdppd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nnbthh.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lxflrfl.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  frrfrrl.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hhbnbh.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rffxrlf.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rlffxfr.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  thtbhn.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jpjvj.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bbtbht.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  htbtbh.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lrfrxfl.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lxxfrfx.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hbttth.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description  pid  Process  procid_target
  PID 2216 wrote to memory of 2676  2216  16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe  30
  PID 2216 wrote to memory of 2676  2216  16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe  30
  PID 2216 wrote to memory of 2676  2216  16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe  30
  PID 2216 wrote to memory of 2676  2216  16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe  30
  PID 2676 wrote to memory of 2684  2676  bbthht.exe  31
  PID 2676 wrote to memory of 2684  2676  bbthht.exe  31
  PID 2676 wrote to memory of 2684  2676  bbthht.exe  31
  PID 2676 wrote to memory of 2684  2676  bbthht.exe  31
  PID 2684 wrote to memory of 1668  2684  hnhtht.exe  32
  PID 2684 wrote to memory of 1668  2684  hnhtht.exe  32
  PID 2684 wrote to memory of 1668  2684  hnhtht.exe  32
  PID 2684 wrote to memory of 1668  2684  hnhtht.exe  32
  PID 1668 wrote to memory of 2868  1668  jjdpv.exe  33
  PID 1668 wrote to memory of 2868  1668  jjdpv.exe  33
  PID 1668 wrote to memory of 2868  1668  jjdpv.exe  33
  PID 1668 wrote to memory of 2868  1668  jjdpv.exe  33
  PID 2868 wrote to memory of 2584  2868  vdvdp.exe  34
  PID 2868 wrote to memory of 2584  2868  vdvdp.exe  34
  PID 2868 wrote to memory of 2584  2868  vdvdp.exe  34
  PID 2868 wrote to memory of 2584  2868  vdvdp.exe  34
  PID 2584 wrote to memory of 2592  2584  xlxlrlx.exe  35
  PID 2584 wrote to memory of 2592  2584  xlxlrlx.exe  35
  PID 2584 wrote to memory of 2592  2584  xlxlrlx.exe  35
  PID 2584 wrote to memory of 2592  2584  xlxlrlx.exe  35
  PID 2592 wrote to memory of 3016  2592  1jdjd.exe  36
  PID 2592 wrote to memory of 3016  2592  1jdjd.exe  36
  PID 2592 wrote to memory of 3016  2592  1jdjd.exe  36
  PID 2592 wrote to memory of 3016  2592  1jdjd.exe  36
  PID 3016 wrote to memory of 1532  3016  fxflflr.exe  37
  PID 3016 wrote to memory of 1532  3016  fxflflr.exe  37
  PID 3016 wrote to memory of 1532  3016  fxflflr.exe  37
  PID 3016 wrote to memory of 1532  3016  fxflflr.exe  37
  PID 1532 wrote to memory of 1716  1532  lxrlflx.exe  38
  PID 1532 wrote to memory of 1716  1532  lxrlflx.exe  38
  PID 1532 wrote to memory of 1716  1532  lxrlflx.exe  38
  PID 1532 wrote to memory of 1716  1532  lxrlflx.exe  38
  PID 1716 wrote to memory of 1396  1716  httnht.exe  39
  PID 1716 wrote to memory of 1396  1716  httnht.exe  39
  PID 1716 wrote to memory of 1396  1716  httnht.exe  39
  PID 1716 wrote to memory of 1396  1716  httnht.exe  39
  PID 1396 wrote to memory of 2348  1396  5fflxlx.exe  40
  PID 1396 wrote to memory of 2348  1396  5fflxlx.exe  40
  PID 1396 wrote to memory of 2348  1396  5fflxlx.exe  40
  PID 1396 wrote to memory of 2348  1396  5fflxlx.exe  40
  PID 2348 wrote to memory of 2068  2348  nbnhnt.exe  41
  PID 2348 wrote to memory of 2068  2348  nbnhnt.exe  41
  PID 2348 wrote to memory of 2068  2348  nbnhnt.exe  41
  PID 2348 wrote to memory of 2068  2348  nbnhnt.exe  41
  PID 2068 wrote to memory of 2844  2068  ttnnhb.exe  42
  PID 2068 wrote to memory of 2844  2068  ttnnhb.exe  42
  PID 2068 wrote to memory of 2844  2068  ttnnhb.exe  42
  PID 2068 wrote to memory of 2844  2068  ttnnhb.exe  42
  PID 2844 wrote to memory of 2884  2844  nnhnbn.exe  43
  PID 2844 wrote to memory of 2884  2844  nnhnbn.exe  43
  PID 2844 wrote to memory of 2884  2844  nnhnbn.exe  43
  PID 2844 wrote to memory of 2884  2844  nnhnbn.exe  43
  PID 2884 wrote to memory of 1888  2884  nnhbtb.exe  44
  PID 2884 wrote to memory of 1888  2884  nnhbtb.exe  44
  PID 2884 wrote to memory of 1888  2884  nnhbtb.exe  44
  PID 2884 wrote to memory of 1888  2884  nnhbtb.exe  44
  PID 1888 wrote to memory of 1768  1888  bhbtnt.exe  45
  PID 1888 wrote to memory of 1768  1888  bhbtnt.exe  45
  PID 1888 wrote to memory of 1768  1888  bhbtnt.exe  45
  PID 1888 wrote to memory of 1768  1888  bhbtnt.exe  45
Processes
  1. C:\Users\Admin\AppData\Local\Temp\16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe  "C:\Users\Admin\AppData\Local\Temp\16cd07aed63893a287f12fc0e94d164dc418d02a40e86c199fd051af1f765d49N.exe"
     - Suspicious use of WriteProcessMemory
     PID: 2216
  2. \??\c:\bbthht.exe  c:\bbthht.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 2676
  3. \??\c:\hnhtht.exe  c:\hnhtht.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 2684
  4. \??\c:\jjdpv.exe  c:\jjdpv.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 1668
  5. \??\c:\vdvdp.exe  c:\vdvdp.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 2868
  6. \??\c:\xlxlrlx.exe  c:\xlxlrlx.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 2584
  7. \??\c:\1jdjd.exe  c:\1jdjd.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 2592
  8. \??\c:\fxflflr.exe  c:\fxflflr.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 3016
  9. \??\c:\lxrlflx.exe  c:\lxrlflx.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 1532
  10. \??\c:\httnht.exe  c:\httnht.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 1716
  11. \??\c:\5fflxlx.exe  c:\5fflxlx.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 1396
  12. \??\c:\nbnhnt.exe  c:\nbnhnt.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 2348
  13. \??\c:\ttnnhb.exe  c:\ttnnhb.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 2068
  14. \??\c:\nnhnbn.exe  c:\nnhnbn.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 2844
  15. \??\c:\nnhbtb.exe  c:\nnhbtb.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 2884
  16. \??\c:\bhbtnt.exe  c:\bhbtnt.exe
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 1888
  17. \??\c:\fffrflf.exe  c:\fffrflf.exe
     - Executes dropped EXE
     PID: 1768
  18. \??\c:\pdvvd.exe  c:\pdvvd.exe
     - Executes dropped EXE
     PID: 2376
  19. \??\c:\nbhnth.exe  c:\nbhnth.exe
     - Executes dropped EXE
     PID: 2200
  20. \??\c:\jppvv.exe  c:\jppvv.exe
     - Executes dropped EXE
     PID: 2396
  21. \??\c:\bbhtnt.exe  c:\bbhtnt.exe
     - Executes dropped EXE
     PID: 936
  22. \??\c:\nbthbn.exe  c:\nbthbn.exe
     - Executes dropped EXE
     PID: 1480
  23. \??\c:\bbtbht.exe  c:\bbtbht.exe
     - Executes dropped EXE
     - System Location Discovery: System Language Discovery
     PID: 1812
  24. \??\c:\9nnbnb.exe  c:\9nnbnb.exe
     - Executes dropped EXE
     PID: 676
  25. \??\c:\5thtnb.exe  c:\5thtnb.exe
     - Executes dropped EXE
     PID: 1448
  26. \??\c:\7nnbbn.exe  c:\7nnbbn.exe
     - Executes dropped EXE
     PID: 2076
  27. \??\c:\lrxfrxl.exe  c:\lrxfrxl.exe
     - Executes dropped EXE
     PID: 304
  28. \??\c:\9hbnnb.exe  c:\9hbnnb.exe
     - Executes dropped EXE
     PID: 388
  29. \??\c:\xflxrxl.exe  c:\xflxrxl.exe
     - Executes dropped EXE
     PID: 2056
  30. \??\c:\7nnbbh.exe  c:\7nnbbh.exe
     - Executes dropped EXE
     PID: 1124
  31. \??\c:\lrlxlxr.exe  c:\lrlxlxr.exe
     - Executes dropped EXE
     PID: 3048
  32. \??\c:\hthhth.exe  c:\hthhth.exe
     - Executes dropped EXE
     PID: 1756
  33. \??\c:\rlffrlx.exe  c:\rlffrlx.exe
     - Executes dropped EXE
     PID: 2216
  34. \??\c:\thhttn.exe  c:\thhttn.exe
     - Executes dropped EXE
     PID: 1656
  35. \??\c:\jpjpd.exe  c:\jpjpd.exe
     - Executes dropped EXE
     PID: 2680
  36. \??\c:\3llrfrf.exe  c:\3llrfrf.exe
     - Executes dropped EXE
     PID: 2788
  37. \??\c:\rfflxfx.exe  c:\rfflxfx.exe
     - Executes dropped EXE
     PID: 2804
  38. \??\c:\5btbnt.exe  c:\5btbnt.exe
     - Executes dropped EXE
     PID: 2864
  39. \??\c:\vjddd.exe  c:\vjddd.exe
     - Executes dropped EXE
     PID: 2576
  40. \??\c:\lxxlfll.exe  c:\lxxlfll.exe
     - Executes dropped EXE
     PID: 2524
  41. \??\c:\9rrxrxl.exe  c:\9rrxrxl.exe
     - Executes dropped EXE
     PID: 2600
  42. \??\c:\nhnbbn.exe  c:\nhnbbn.exe
     - Executes dropped EXE
     PID: 2572
  43. \??\c:\1ppjp.exe  c:\1ppjp.exe
     - Executes dropped EXE
     PID: 3008
  44. \??\c:\xlfxlrf.exe  c:\xlfxlrf.exe
     - Executes dropped EXE
     PID: 2708
  45. \??\c:\bnnnht.exe  c:\bnnnht.exe
     - Executes dropped EXE
     PID: 1808
  46. \??\c:\dpjvj.exe  c:\dpjvj.exe
     - Executes dropped EXE
     PID: 1132
  47. \??\c:\3flrxlx.exe  c:\3flrxlx.exe
     - Executes dropped EXE
     PID: 2172
  48. \??\c:\nbtbtb.exe  c:\nbtbtb.exe
     - Executes dropped EXE
     PID: 2212
  49. \??\c:\dvpdp.exe  c:\dvpdp.exe
     - Executes dropped EXE
     PID: 2324
  50. \??\c:\xflxfxl.exe  c:\xflxfxl.exe
     - Executes dropped EXE
     PID: 2848
  51. \??\c:\5bbbnh.exe  c:\5bbbnh.exe
     - Executes dropped EXE
     PID: 2880
  52. \??\c:\nnbthh.exe  c:\nnbthh.exe
     - Executes dropped EXE
     - System Location Discovery: System Language Discovery
     PID: 2844
  53. \??\c:\1djvj.exe  c:\1djvj.exe
     - Executes dropped EXE
     PID: 1944
  54. \??\c:\1llrflr.exe  c:\1llrflr.exe
     - Executes dropped EXE
     PID: 1604
  55. \??\c:\hnthht.exe  c:\hnthht.exe
     - Executes dropped EXE
     PID: 2748
  56. \??\c:\pvjjj.exe  c:\pvjjj.exe
     - Executes dropped EXE
     PID: 1768
  57. \??\c:\5vppp.exe  c:\5vppp.exe
     - Executes dropped EXE
     PID: 1680
  58. \??\c:\rrfrlrf.exe  c:\rrfrlrf.exe
     - Executes dropped EXE
     PID: 2104
  59. \??\c:\nththt.exe  c:\nththt.exe
     - Executes dropped EXE
     PID: 1464
  60. \??\c:\5pddp.exe  c:\5pddp.exe
     - Executes dropped EXE
     PID: 1120
  61. \??\c:\5lllxff.exe  c:\5lllxff.exe
     - Executes dropped EXE
     PID: 2128
  62. \??\c:\rrfllrl.exe  c:\rrfllrl.exe
     - Executes dropped EXE
     PID: 1236
  63. \??\c:\hnhntb.exe  c:\hnhntb.exe
     - Executes dropped EXE
     PID: 1940
  64. \??\c:\9dpvd.exe  c:\9dpvd.exe
     - Executes dropped EXE
     PID: 2416
  65. \??\c:\xrflxlr.exe  c:\xrflxlr.exe
     - Executes dropped EXE
     PID: 1952
  66. \??\c:\lrfflrr.exe  c:\lrfflrr.exe
     PID: 1628
  67. \??\c:\ntnbhn.exe  c:\ntnbhn.exe
     PID: 344
  68. \??\c:\9vddv.exe  c:\9vddv.exe
     PID: 1608
  69. \??\c:\xfrxfrf.exe  c:\xfrxfrf.exe
     PID: 2476
  70. \??\c:\3bhhbn.exe  c:\3bhhbn.exe
     PID: 1772
  71. \??\c:\1btbbh.exe  c:\1btbbh.exe
     PID: 2968
  72. \??\c:\djdpv.exe  c:\djdpv.exe
     PID: 580
  73. \??\c:\llffxfl.exe  c:\llffxfl.exe
     PID: 2500
  74. \??\c:\3xrrflf.exe  c:\3xrrflf.exe
     PID: 1124
  75. \??\c:\hnhbhn.exe  c:\hnhbhn.exe
     PID: 3024
  76. \??\c:\dpdjd.exe  c:\dpdjd.exe
     PID: 2996
  77. \??\c:\lrlrxfl.exe  c:\lrlrxfl.exe
     PID: 2768
  78. \??\c:\ffxlxxx.exe  c:\ffxlxxx.exe
     PID: 2764
  79. \??\c:\3tbttt.exe  c:\3tbttt.exe
     PID: 2808
  80. \??\c:\vdvdp.exe  c:\vdvdp.exe
     PID: 2176
  81. \??\c:\rxxlrfx.exe  c:\rxxlrfx.exe
     PID: 2788
  82. \??\c:\1fflrxl.exe  c:\1fflrxl.exe
     PID: 2664
  83. \??\c:\7hbhnb.exe  c:\7hbhnb.exe
     PID: 2692
  84. \??\c:\ppvjv.exe  c:\ppvjv.exe
     PID: 2544
  85. \??\c:\1pddj.exe  c:\1pddj.exe
     PID: 3012
  86. \??\c:\ffxrxrx.exe  c:\ffxrxrx.exe
     PID: 3020
  87. \??\c:\bnbnbh.exe  c:\bnbnbh.exe
     PID: 3060
  88. \??\c:\vjpjv.exe  c:\vjpjv.exe
     PID: 3008
  89. \??\c:\djvdp.exe  c:\djvdp.exe
     PID: 2956
  90. \??\c:\fxrxflf.exe  c:\fxrxflf.exe
     PID: 1808
  91. \??\c:\3hhtbh.exe  c:\3hhtbh.exe
     PID: 2196
  92. \??\c:\hbhhtn.exe  c:\hbhhtn.exe
     PID: 1396
  93. \??\c:\djdvv.exe  c:\djdvv.exe
     PID: 1988
  94. \??\c:\fllxfxf.exe  c:\fllxfxf.exe
     PID: 2784
  95. \??\c:\3bbbhn.exe  c:\3bbbhn.exe
     PID: 1068
  96. \??\c:\tbnthn.exe  c:\tbnthn.exe
     PID: 2896
  97. \??\c:\5pppv.exe  c:\5pppv.exe
     PID: 2568
  98. \??\c:\lrlrflr.exe  c:\lrlrflr.exe
     PID: 2872
  99. \??\c:\9hbnbn.exe  c:\9hbnbn.exe
     PID: 324
  100. \??\c:\bbbnhn.exe  c:\bbbnhn.exe
     PID: 2388
  101. \??\c:\jvpvj.exe  c:\jvpvj.exe
     PID: 1904
  102. \??\c:\rxllrxx.exe  c:\rxllrxx.exe
     PID: 2944
  103. \??\c:\bbntbb.exe  c:\bbntbb.exe
     PID: 2200
  104. \??\c:\dpdpj.exe  c:\dpdpj.exe
     PID: 2364
  105. \??\c:\dvppv.exe  c:\dvppv.exe
     PID: 1588
  106. \??\c:\rrlxxxl.exe  c:\rrlxxxl.exe
     PID: 696
  107. \??\c:\bbnbhn.exe  c:\bbnbhn.exe
     PID: 1084
  108. \??\c:\1ntbht.exe  c:\1ntbht.exe
     PID: 1644
  109. \??\c:\lxxlxrx.exe  c:\lxxlxrx.exe
     PID: 2236
  110. \??\c:\nnnthn.exe  c:\nnnthn.exe
     PID: 1760
  111. \??\c:\5pvpv.exe  c:\5pvpv.exe
     PID: 712
  112. \??\c:\3jjdp.exe  c:\3jjdp.exe
     PID: 492
  113. \??\c:\xlrlrrf.exe  c:\xlrlrrf.exe
     PID: 1764
  114. \??\c:\tnnbtn.exe  c:\tnnbtn.exe
     PID: 2256
  115. \??\c:\tbthnt.exe  c:\tbthnt.exe
     PID: 1864
  116. \??\c:\jdvjv.exe  c:\jdvjv.exe
     PID: 2264
  117. \??\c:\xxlxfrf.exe  c:\xxlxfrf.exe
     PID: 860
  118. \??\c:\5bbbnb.exe  c:\5bbbnb.exe
     PID: 2080
  119. \??\c:\pvvjd.exe  c:\pvvjd.exe
     PID: 1224
  120. \??\c:\jjjvp.exe  c:\jjjvp.exe
     PID: 2488
  121. \??\c:\rfxrlrf.exe  c:\rfxrlrf.exe
     PID: 2940
  122. \??\c:\1nntnt.exe  c:\1nntnt.exe
     PID: 1580