Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 02/09/2024, 09:16
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: a5b68df54699a5e79c8055bcc740f4c0N.exe
  Resource: win7-20240705-en
  6 signatures, 120 seconds
General
Target: a5b68df54699a5e79c8055bcc740f4c0N.exe
Size: 486KB
MD5: a5b68df54699a5e79c8055bcc740f4c0
SHA1: 9fdfd3f11e5806ba3c02a69ff9994a4a4416ffd5
SHA256: 07f7b4eaf910a946d5feca5715ec46488b0fa47a29fee11aacce2585519cbb9e
SHA512: e4c8a30fc83140027bda28676349cc5d649ff372490acdb59e705463fc1d2a01a0823f7bb533823d0562aa6c6ca95ff96e99008344480617df3ecfc6bf900a1a
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwu1b26X1wjhtSizjnv:q7Tc2NYHUrAwqzcR
Malware Config
Signatures
Detect Blackmoon payload (40 IoCs)
Executes dropped EXE (64 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
depth  image path  command line  PID  [signatures triggered by this process]

1  C:\Users\Admin\AppData\Local\Temp\a5b68df54699a5e79c8055bcc740f4c0N.exe  "C:\Users\Admin\AppData\Local\Temp\a5b68df54699a5e79c8055bcc740f4c0N.exe"  PID 1292  [Suspicious use of WriteProcessMemory]
2  \??\c:\nhtntb.exe  c:\nhtntb.exe  PID 2484  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3  \??\c:\1rlrrxf.exe  c:\1rlrrxf.exe  PID 1792  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4  \??\c:\3bbnbt.exe  c:\3bbnbt.exe  PID 2432  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5  \??\c:\1dvvj.exe  c:\1dvvj.exe  PID 1852  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6  \??\c:\rxllrxl.exe  c:\rxllrxl.exe  PID 2776  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7  \??\c:\bnbbnn.exe  c:\bnbbnn.exe  PID 2696  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8  \??\c:\3rlrxxx.exe  c:\3rlrxxx.exe  PID 2732  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9  \??\c:\btnnbn.exe  c:\btnnbn.exe  PID 2708  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10  \??\c:\jddpv.exe  c:\jddpv.exe  PID 2568  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11  \??\c:\llfrxfr.exe  c:\llfrxfr.exe  PID 2172  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12  \??\c:\bbtnbh.exe  c:\bbtnbh.exe  PID 1240  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13  \??\c:\ddvjj.exe  c:\ddvjj.exe  PID 1056  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14  \??\c:\rrxfxxl.exe  c:\rrxfxxl.exe  PID 1488  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15  \??\c:\bnhhnb.exe  c:\bnhhnb.exe  PID 1584  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16  \??\c:\9pvjp.exe  c:\9pvjp.exe  PID 1388  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17  \??\c:\hhhthn.exe  c:\hhhthn.exe  PID 1816  [Executes dropped EXE]
18  \??\c:\1pjjp.exe  c:\1pjjp.exe  PID 2860  [Executes dropped EXE]
19  \??\c:\5rflrxx.exe  c:\5rflrxx.exe  PID 2888  [Executes dropped EXE]
20  \??\c:\btnnbh.exe  c:\btnnbh.exe  PID 2160  [Executes dropped EXE]
21  \??\c:\djjpv.exe  c:\djjpv.exe  PID 2196  [Executes dropped EXE]
22  \??\c:\tnhbhb.exe  c:\tnhbhb.exe  PID 2008  [Executes dropped EXE]
23  \??\c:\pjdpv.exe  c:\pjdpv.exe  PID 928  [Executes dropped EXE]
24  \??\c:\lrlxlrf.exe  c:\lrlxlrf.exe  PID 1560  [Executes dropped EXE]
25  \??\c:\3nnbth.exe  c:\3nnbth.exe  PID 1972  [Executes dropped EXE]
26  \??\c:\ppjpd.exe  c:\ppjpd.exe  PID 2256  [Executes dropped EXE]
27  \??\c:\rxrfrxl.exe  c:\rxrfrxl.exe  PID 1332  [Executes dropped EXE]
28  \??\c:\ffrlfxf.exe  c:\ffrlfxf.exe  PID 2208  [Executes dropped EXE]
29  \??\c:\tnhhnn.exe  c:\tnhhnn.exe  PID 1656  [Executes dropped EXE]
30  \??\c:\1pddj.exe  c:\1pddj.exe  PID 2988  [Executes dropped EXE]
31  \??\c:\frflllr.exe  c:\frflllr.exe  PID 300  [Executes dropped EXE]
32  \??\c:\hhbbnn.exe  c:\hhbbnn.exe  PID 2312  [Executes dropped EXE]
33  \??\c:\dvjpp.exe  c:\dvjpp.exe  PID 1704  [Executes dropped EXE]
34  \??\c:\nhttbb.exe  c:\nhttbb.exe  PID 2484  [Executes dropped EXE]
35  \??\c:\7jvvd.exe  c:\7jvvd.exe  PID 1988  [Executes dropped EXE]
36  \??\c:\rxxfllx.exe  c:\rxxfllx.exe  PID 2796  [Executes dropped EXE]
37  \??\c:\ttnthh.exe  c:\ttnthh.exe  PID 2412  [Executes dropped EXE]
38  \??\c:\bnttbt.exe  c:\bnttbt.exe  PID 2864  [Executes dropped EXE]
39  \??\c:\dvdjp.exe  c:\dvdjp.exe  PID 2804  [Executes dropped EXE]
40  \??\c:\lllxllr.exe  c:\lllxllr.exe  PID 2676  [Executes dropped EXE]
41  \??\c:\llllfxx.exe  c:\llllfxx.exe  PID 2916  [Executes dropped EXE]
42  \??\c:\9bnbhn.exe  c:\9bnbhn.exe  PID 2812  [Executes dropped EXE]
43  \??\c:\vjvvd.exe  c:\vjvvd.exe  PID 2780  [Executes dropped EXE]
44  \??\c:\dvjvp.exe  c:\dvjvp.exe  PID 2604  [Executes dropped EXE]
45  \??\c:\llflrxl.exe  c:\llflrxl.exe  PID 2944  [Executes dropped EXE]
46  \??\c:\nnhnbh.exe  c:\nnhnbh.exe  PID 2572  [Executes dropped EXE]
47  \??\c:\bnthhb.exe  c:\bnthhb.exe  PID 1240  [Executes dropped EXE]
48  \??\c:\pvjjv.exe  c:\pvjjv.exe  PID 1056  [Executes dropped EXE]
49  \??\c:\vpjpp.exe  c:\vpjpp.exe  PID 3064  [Executes dropped EXE]
50  \??\c:\xrllrxf.exe  c:\xrllrxf.exe  PID 2076  [Executes dropped EXE]
51  \??\c:\5hbhnn.exe  c:\5hbhnn.exe  PID 1324  [Executes dropped EXE]
52  \??\c:\bnhhbb.exe  c:\bnhhbb.exe  PID 1968  [Executes dropped EXE]
53  \??\c:\pjdjv.exe  c:\pjdjv.exe  PID 2672  [Executes dropped EXE]
54  \??\c:\7jvjd.exe  c:\7jvjd.exe  PID 1020  [Executes dropped EXE]
55  \??\c:\lxrrfff.exe  c:\lxrrfff.exe  PID 2900  [Executes dropped EXE]
56  \??\c:\tbthnb.exe  c:\tbthnb.exe  PID 2192  [Executes dropped EXE]
57  \??\c:\nhttnn.exe  c:\nhttnn.exe  PID 2120  [Executes dropped EXE]
58  \??\c:\1vjpv.exe  c:\1vjpv.exe  PID 2160  [Executes dropped EXE]
59  \??\c:\5dvjp.exe  c:\5dvjp.exe  PID 1948  [Executes dropped EXE]
60  \??\c:\rxxllrf.exe  c:\rxxllrf.exe  PID 2884  [Executes dropped EXE]
61  \??\c:\lxrxffr.exe  c:\lxrxffr.exe  PID 1556  [Executes dropped EXE]
62  \??\c:\5bbnnt.exe  c:\5bbnnt.exe  PID 1740  [Executes dropped EXE]
63  \??\c:\jddpd.exe  c:\jddpd.exe  PID 3048  [Executes dropped EXE]
64  \??\c:\jpdvp.exe  c:\jpdvp.exe  PID 528  [Executes dropped EXE]
65  \??\c:\rfrrrlx.exe  c:\rfrrrlx.exe  PID 2216  [Executes dropped EXE]
66  \??\c:\tnntbh.exe  c:\tnntbh.exe  PID 2224
67  \??\c:\9bhhhn.exe  c:\9bhhhn.exe  PID 1892
68  \??\c:\pjdvd.exe  c:\pjdvd.exe  PID 1744
69  \??\c:\3pdvv.exe  c:\3pdvv.exe  PID 1656
70  \??\c:\lrfllff.exe  c:\lrfllff.exe  PID 884
71  \??\c:\3lrrllx.exe  c:\3lrrllx.exe  PID 1996
72  \??\c:\bbnntb.exe  c:\bbnntb.exe  PID 2104
73  \??\c:\vpjvj.exe  c:\vpjvj.exe  PID 2312
74  \??\c:\jjjvp.exe  c:\jjjvp.exe  PID 2468
75  \??\c:\lfxfrxl.exe  c:\lfxfrxl.exe  PID 2480
76  \??\c:\llflfxl.exe  c:\llflfxl.exe  PID 2500
77  \??\c:\htntbt.exe  c:\htntbt.exe  PID 2032
78  \??\c:\1ntttt.exe  c:\1ntttt.exe  PID 2716
79  \??\c:\9ddjd.exe  c:\9ddjd.exe  PID 2984
80  \??\c:\vjppv.exe  c:\vjppv.exe  PID 2864
81  \??\c:\fxrrrxf.exe  c:\fxrrrxf.exe  PID 2980
82  \??\c:\ntnthh.exe  c:\ntnthh.exe  PID 2676
83  \??\c:\nhnthh.exe  c:\nhnthh.exe  PID 2916
84  \??\c:\7pdjj.exe  c:\7pdjj.exe  PID 2588
85  \??\c:\3pppp.exe  c:\3pppp.exe  PID 2780
86  \??\c:\xxxrrff.exe  c:\xxxrrff.exe  PID 1496
87  \??\c:\lfxfrxr.exe  c:\lfxfrxr.exe  PID 2172
88  \??\c:\1hhntb.exe  c:\1hhntb.exe  PID 3004
89  \??\c:\ddvdj.exe  c:\ddvdj.exe  PID 1732
90  \??\c:\vpdjd.exe  c:\vpdjd.exe  PID 2460
91  \??\c:\xrrxlxl.exe  c:\xrrxlxl.exe  PID 1156
92  \??\c:\llxlrrf.exe  c:\llxlrrf.exe  PID 1720
93  \??\c:\7hhhnt.exe  c:\7hhhnt.exe  PID 2036
94  \??\c:\bbtbnt.exe  c:\bbtbnt.exe  PID 1324
95  \??\c:\vvppd.exe  c:\vvppd.exe  PID 1388
96  \??\c:\llxfrxl.exe  c:\llxfrxl.exe  PID 2672
97  \??\c:\rrrfxll.exe  c:\rrrfxll.exe  PID 1020
98  \??\c:\9nhhtb.exe  c:\9nhhtb.exe  PID 2488
99  \??\c:\htntbt.exe  c:\htntbt.exe  PID 1180
100  \??\c:\vpppv.exe  c:\vpppv.exe  PID 2108
101  \??\c:\vvpvd.exe  c:\vvpvd.exe  PID 948
102  \??\c:\5xrfffl.exe  c:\5xrfffl.exe  PID 1896
103  \??\c:\7lxxllx.exe  c:\7lxxllx.exe  PID 328
104  \??\c:\htbnth.exe  c:\htbnth.exe  PID 2452
105  \??\c:\btntbt.exe  c:\btntbt.exe  PID 1724
106  \??\c:\dvppv.exe  c:\dvppv.exe  PID 2448
107  \??\c:\rlffflr.exe  c:\rlffflr.exe  PID 1596
108  \??\c:\rlrrflf.exe  c:\rlrrflf.exe  PID 1992
109  \??\c:\btntht.exe  c:\btntht.exe  PID 1332
110  \??\c:\nthnth.exe  c:\nthnth.exe  PID 2260  [System Location Discovery: System Language Discovery]
111  \??\c:\dpddp.exe  c:\dpddp.exe  PID 1532
112  \??\c:\fxlrxxx.exe  c:\fxlrxxx.exe  PID 1500
113  \??\c:\lfxflxl.exe  c:\lfxflxl.exe  PID 300
114  \??\c:\7bnttb.exe  c:\7bnttb.exe  PID 1604
115  \??\c:\nhbhnn.exe  c:\nhbhnn.exe  PID 800
116  \??\c:\dpddd.exe  c:\dpddd.exe  PID 2104
117  \??\c:\vvvvd.exe  c:\vvvvd.exe  PID 2652
118  \??\c:\rrrrffr.exe  c:\rrrrffr.exe  PID 1792
119  \??\c:\bbthth.exe  c:\bbthth.exe  PID 2408
120  \??\c:\bhbhhn.exe  c:\bhbhhn.exe  PID 2796
121  \??\c:\dpppv.exe  c:\dpppv.exe  PID 2032
122  \??\c:\vjppj.exe  c:\vjppj.exe  PID 2716