Analysis
max time kernel: 120s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20/01/2025, 09:15

Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: 15c21e378c2ef970961f94fd58443df78053543db20da33d78dc5597c30a6680N.exe
Resource: win7-20240903-en
7 signatures, 120 seconds
General
Target: 15c21e378c2ef970961f94fd58443df78053543db20da33d78dc5597c30a6680N.exe
Size: 453KB
MD5: 56a34d40da1706dd668fb0dcd8d7cbf0
SHA1: 13d1cb7beb81d1b16f13f25fb2448bf137f295ea
SHA256: 15c21e378c2ef970961f94fd58443df78053543db20da33d78dc5597c30a6680
SHA512: 022b4a6a996108fdebd79c8def43c71de05225c46482a972da8c3ad2c5ce6c37d0c76b6a979f826f6e4f9a3d3ad77932a6f253ffb20634e2a3b722f768dbeb2e
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbed:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload (42 IoCs)
Executes dropped EXE (64 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(tree depth, image path, command line, PID; signatures that fired for the process are listed as bullets beneath it)

1. C:\Users\Admin\AppData\Local\Temp\15c21e378c2ef970961f94fd58443df78053543db20da33d78dc5597c30a6680N.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\15c21e378c2ef970961f94fd58443df78053543db20da33d78dc5597c30a6680N.exe")  PID 2180
- Suspicious use of WriteProcessMemory
2. \??\c:\bhbthn.exe  (cmd: c:\bhbthn.exe)  PID 1732
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3. \??\c:\vppvj.exe  (cmd: c:\vppvj.exe)  PID 2412
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
4. \??\c:\lflrxfx.exe  (cmd: c:\lflrxfx.exe)  PID 2516
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
5. \??\c:\vvpjv.exe  (cmd: c:\vvpjv.exe)  PID 2724
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6. \??\c:\1rxfxll.exe  (cmd: c:\1rxfxll.exe)  PID 2936
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7. \??\c:\1thbbb.exe  (cmd: c:\1thbbb.exe)  PID 2736
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
8. \??\c:\lfflrrf.exe  (cmd: c:\lfflrrf.exe)  PID 2448
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
9. \??\c:\nhbnbh.exe  (cmd: c:\nhbnbh.exe)  PID 2656
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
10. \??\c:\httbtt.exe  (cmd: c:\httbtt.exe)  PID 2940
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
11. \??\c:\1vvdp.exe  (cmd: c:\1vvdp.exe)  PID 2708
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
12. \??\c:\vpdjd.exe  (cmd: c:\vpdjd.exe)  PID 2444
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13. \??\c:\bbtbnt.exe  (cmd: c:\bbtbnt.exe)  PID 556
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14. \??\c:\7vvvd.exe  (cmd: c:\7vvvd.exe)  PID 2860
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
15. \??\c:\5hbhhh.exe  (cmd: c:\5hbhhh.exe)  PID 600
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
16. \??\c:\3thhnt.exe  (cmd: c:\3thhnt.exe)  PID 2700
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17. \??\c:\9frrlrx.exe  (cmd: c:\9frrlrx.exe)  PID 1184
- Executes dropped EXE
18. \??\c:\nbnhhh.exe  (cmd: c:\nbnhhh.exe)  PID 1888
- Executes dropped EXE
19. \??\c:\lfxfrrf.exe  (cmd: c:\lfxfrrf.exe)  PID 2396
- Executes dropped EXE
20. \??\c:\hhbntb.exe  (cmd: c:\hhbntb.exe)  PID 2220
- Executes dropped EXE
21. \??\c:\lrlxrlf.exe  (cmd: c:\lrlxrlf.exe)  PID 3036
- Executes dropped EXE
22. \??\c:\htbnnn.exe  (cmd: c:\htbnnn.exe)  PID 2836
- Executes dropped EXE
23. \??\c:\fllxfrx.exe  (cmd: c:\fllxfrx.exe)  PID 1416
- Executes dropped EXE
24. \??\c:\hbbhhh.exe  (cmd: c:\hbbhhh.exe)  PID 468
- Executes dropped EXE
25. \??\c:\7rfrxxl.exe  (cmd: c:\7rfrxxl.exe)  PID 2188
- Executes dropped EXE
26. \??\c:\nhbhhn.exe  (cmd: c:\nhbhhn.exe)  PID 1336
- Executes dropped EXE
27. \??\c:\fxllrrx.exe  (cmd: c:\fxllrrx.exe)  PID 2104
- Executes dropped EXE
28. \??\c:\tnbtht.exe  (cmd: c:\tnbtht.exe)  PID 2484
- Executes dropped EXE
29. \??\c:\rrlrlrr.exe  (cmd: c:\rrlrlrr.exe)  PID 568
- Executes dropped EXE
30. \??\c:\rflllll.exe  (cmd: c:\rflllll.exe)  PID 708
- Executes dropped EXE
31. \??\c:\tntttn.exe  (cmd: c:\tntttn.exe)  PID 1040
- Executes dropped EXE
32. \??\c:\xrlflrx.exe  (cmd: c:\xrlflrx.exe)  PID 2088
- Executes dropped EXE
33. \??\c:\3thbbt.exe  (cmd: c:\3thbbt.exe)  PID 1704
- Executes dropped EXE
34. \??\c:\3rffllr.exe  (cmd: c:\3rffllr.exe)  PID 1372
- Executes dropped EXE
35. \??\c:\htbbtt.exe  (cmd: c:\htbbtt.exe)  PID 1620
- Executes dropped EXE
36. \??\c:\5pdvp.exe  (cmd: c:\5pdvp.exe)  PID 2812
- Executes dropped EXE
37. \??\c:\9jvpp.exe  (cmd: c:\9jvpp.exe)  PID 2892
- Executes dropped EXE
38. \??\c:\lxllllr.exe  (cmd: c:\lxllllr.exe)  PID 2724
- Executes dropped EXE
39. \??\c:\1lxrxxf.exe  (cmd: c:\1lxrxxf.exe)  PID 2224
- Executes dropped EXE
40. \??\c:\3hthbb.exe  (cmd: c:\3hthbb.exe)  PID 2756
- Executes dropped EXE
41. \??\c:\9pddp.exe  (cmd: c:\9pddp.exe)  PID 2500
- Executes dropped EXE
42. \??\c:\7vpjp.exe  (cmd: c:\7vpjp.exe)  PID 2948
- Executes dropped EXE
43. \??\c:\rlffxrf.exe  (cmd: c:\rlffxrf.exe)  PID 2392
- Executes dropped EXE
44. \??\c:\tnhhnh.exe  (cmd: c:\tnhhnh.exe)  PID 2744
- Executes dropped EXE
45. \??\c:\tbnhhb.exe  (cmd: c:\tbnhhb.exe)  PID 2796
- Executes dropped EXE
46. \??\c:\pdvpp.exe  (cmd: c:\pdvpp.exe)  PID 2804
- Executes dropped EXE
47. \??\c:\xrfffxf.exe  (cmd: c:\xrfffxf.exe)  PID 2652
- Executes dropped EXE
48. \??\c:\lxllrrx.exe  (cmd: c:\lxllrrx.exe)  PID 1836
- Executes dropped EXE
49. \??\c:\hbbbtt.exe  (cmd: c:\hbbbtt.exe)  PID 2348
- Executes dropped EXE
50. \??\c:\vpjpd.exe  (cmd: c:\vpjpd.exe)  PID 556
- Executes dropped EXE
51. \??\c:\jjvjj.exe  (cmd: c:\jjvjj.exe)  PID 2824
- Executes dropped EXE
52. \??\c:\xfrffff.exe  (cmd: c:\xfrffff.exe)  PID 1260
- Executes dropped EXE
53. \??\c:\tnbbhh.exe  (cmd: c:\tnbbhh.exe)  PID 2856
- Executes dropped EXE
54. \??\c:\1vjpj.exe  (cmd: c:\1vjpj.exe)  PID 2548
- Executes dropped EXE
55. \??\c:\dpddv.exe  (cmd: c:\dpddv.exe)  PID 536
- Executes dropped EXE
56. \??\c:\rrllrlr.exe  (cmd: c:\rrllrlr.exe)  PID 1892
- Executes dropped EXE
57. \??\c:\bnbttn.exe  (cmd: c:\bnbttn.exe)  PID 1044
- Executes dropped EXE
58. \??\c:\9thtnn.exe  (cmd: c:\9thtnn.exe)  PID 2428
- Executes dropped EXE
59. \??\c:\pjvpp.exe  (cmd: c:\pjvpp.exe)  PID 1352
- Executes dropped EXE
60. \??\c:\xlxrrrx.exe  (cmd: c:\xlxrrrx.exe)  PID 1536
- Executes dropped EXE
61. \??\c:\xlxrrrx.exe  (cmd: c:\xlxrrrx.exe)  PID 2192
- Executes dropped EXE
62. \??\c:\nnhnnt.exe  (cmd: c:\nnhnnt.exe)  PID 2204
- Executes dropped EXE
63. \??\c:\5ntnnh.exe  (cmd: c:\5ntnnh.exe)  PID 2208
- Executes dropped EXE
64. \??\c:\pvjdj.exe  (cmd: c:\pvjdj.exe)  PID 1640
- Executes dropped EXE
65. \??\c:\rfrlflf.exe  (cmd: c:\rfrlflf.exe)  PID 1900
- Executes dropped EXE
66. \??\c:\rfllflr.exe  (cmd: c:\rfllflr.exe)  PID 2816
67. \??\c:\bntttn.exe  (cmd: c:\bntttn.exe)  PID 704
68. \??\c:\pdpjj.exe  (cmd: c:\pdpjj.exe)  PID 1800
69. \??\c:\3xllllr.exe  (cmd: c:\3xllllr.exe)  PID 1824
70. \??\c:\9lrlflr.exe  (cmd: c:\9lrlflr.exe)  PID 1860
71. \??\c:\nnbhnt.exe  (cmd: c:\nnbhnt.exe)  PID 1052
72. \??\c:\djvvv.exe  (cmd: c:\djvvv.exe)  PID 1844
73. \??\c:\jdpjj.exe  (cmd: c:\jdpjj.exe)  PID 1292
74. \??\c:\rfrrxrx.exe  (cmd: c:\rfrrxrx.exe)  PID 352
75. \??\c:\7tbbhb.exe  (cmd: c:\7tbbhb.exe)  PID 2084
76. \??\c:\thnntn.exe  (cmd: c:\thnntn.exe)  PID 2608
77. \??\c:\vjvvv.exe  (cmd: c:\vjvvv.exe)  PID 2264
78. \??\c:\9rlfxff.exe  (cmd: c:\9rlfxff.exe)  PID 2412
79. \??\c:\7rxrlll.exe  (cmd: c:\7rxrlll.exe)  PID 1372
80. \??\c:\9nhhhn.exe  (cmd: c:\9nhhhn.exe)  PID 2596
81. \??\c:\vppjp.exe  (cmd: c:\vppjp.exe)  PID 3064
82. \??\c:\vpdvv.exe  (cmd: c:\vpdvv.exe)  PID 2788
83. \??\c:\5xfxxrx.exe  (cmd: c:\5xfxxrx.exe)  PID 2724
84. \??\c:\5lxrfff.exe  (cmd: c:\5lxrfff.exe)  PID 2740
85. \??\c:\9ntnnn.exe  (cmd: c:\9ntnnn.exe)  PID 2748
86. \??\c:\jpdvv.exe  (cmd: c:\jpdvv.exe)  PID 2852
- System Location Discovery: System Language Discovery
87. \??\c:\frrlfxr.exe  (cmd: c:\frrlfxr.exe)  PID 2952
88. \??\c:\rrfllfl.exe  (cmd: c:\rrfllfl.exe)  PID 2644
89. \??\c:\hhtttn.exe  (cmd: c:\hhtttn.exe)  PID 2704
90. \??\c:\dpddd.exe  (cmd: c:\dpddd.exe)  PID 2364
91. \??\c:\djpdd.exe  (cmd: c:\djpdd.exe)  PID 2356
92. \??\c:\flrlflf.exe  (cmd: c:\flrlflf.exe)  PID 1988
93. \??\c:\thnttt.exe  (cmd: c:\thnttt.exe)  PID 1512
94. \??\c:\bthhhn.exe  (cmd: c:\bthhhn.exe)  PID 592
95. \??\c:\vjvpv.exe  (cmd: c:\vjvpv.exe)  PID 784
96. \??\c:\pvdpp.exe  (cmd: c:\pvdpp.exe)  PID 316
97. \??\c:\rfrlllr.exe  (cmd: c:\rfrlllr.exe)  PID 320
98. \??\c:\bthnnt.exe  (cmd: c:\bthnnt.exe)  PID 2700
99. \??\c:\pppjp.exe  (cmd: c:\pppjp.exe)  PID 648
100. \??\c:\pdjdp.exe  (cmd: c:\pdjdp.exe)  PID 2044
101. \??\c:\frfxfxf.exe  (cmd: c:\frfxfxf.exe)  PID 324
102. \??\c:\xrffffl.exe  (cmd: c:\xrffffl.exe)  PID 2248
103. \??\c:\9nbbbt.exe  (cmd: c:\9nbbbt.exe)  PID 1596
104. \??\c:\pdppd.exe  (cmd: c:\pdppd.exe)  PID 2336
105. \??\c:\9frrrrx.exe  (cmd: c:\9frrrrx.exe)  PID 1264
106. \??\c:\xlrlrll.exe  (cmd: c:\xlrlrll.exe)  PID 1384
107. \??\c:\3bhbbt.exe  (cmd: c:\3bhbbt.exe)  PID 1932
108. \??\c:\pdjpp.exe  (cmd: c:\pdjpp.exe)  PID 1168
109. \??\c:\lxfxxfr.exe  (cmd: c:\lxfxxfr.exe)  PID 2128
110. \??\c:\fxlrrxf.exe  (cmd: c:\fxlrrxf.exe)  PID 1572
111. \??\c:\bthtbh.exe  (cmd: c:\bthtbh.exe)  PID 1724
112. \??\c:\htnntt.exe  (cmd: c:\htnntt.exe)  PID 1756
113. \??\c:\dpjvv.exe  (cmd: c:\dpjvv.exe)  PID 1660
114. \??\c:\xrlrxxf.exe  (cmd: c:\xrlrxxf.exe)  PID 620
115. \??\c:\flfflfl.exe  (cmd: c:\flfflfl.exe)  PID 1364
116. \??\c:\1thhnh.exe  (cmd: c:\1thhnh.exe)  PID 2076
117. \??\c:\3bnnbh.exe  (cmd: c:\3bnnbh.exe)  PID 1108
118. \??\c:\5pdvp.exe  (cmd: c:\5pdvp.exe)  PID 2360
119. \??\c:\llxrxxf.exe  (cmd: c:\llxrxxf.exe)  PID 2600
120. \??\c:\3htttn.exe  (cmd: c:\3htttn.exe)  PID 1704
121. \??\c:\ntnnnn.exe  (cmd: c:\ntnnnn.exe)  PID 2316
122. \??\c:\jdvvv.exe  (cmd: c:\jdvvv.exe)  PID 1868