Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/09/2024, 03:18
Static task: static1
Behavioral task: behavioral1
Sample: b148b9e5aab63e764124beb7975de030N.exe
Resource: win7-20240903-en
General
Target: b148b9e5aab63e764124beb7975de030N.exe
Size: 353KB
MD5: b148b9e5aab63e764124beb7975de030
SHA1: 6acf6c0dbd6fae52230fe6ca737d29a409753b00
SHA256: f02111c40e43dec576105338dc53b560aa7aa89a6b31fa8405b15f47766dab7f
SHA512: 70c97cd17697d8ba1609e8f9150d246d552b78fd6fdc863032e7fa797d50a0f15cf40726e3fff4654597486d42ebdb936bde663d81f37cff31c1dcfd054a7907
SSDEEP: 6144:4cm7ImGddXvJuzyy/SfVFKpU/sien7NuOpo0HmtDKe0wKyKqiOfm8RCfDK4TrHHF:+7TcBuGy/Sa+/sie0OpncKe/KFBOfmz9
Malware Config
Signatures
- Detect Blackmoon payload (41 IoCs)
- Executes dropped EXE (64 IoCs)
- upx
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (nested; the number is each process's depth in the tree, so each entry is a child of the one above it)
1. C:\Users\Admin\AppData\Local\Temp\b148b9e5aab63e764124beb7975de030N.exe (PID 2084): Suspicious use of WriteProcessMemory
2. \??\c:\fxrlfrx.exe (PID 2392): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\vvdpv.exe (PID 236): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\btthnb.exe (PID 2344): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\vppvj.exe (PID 2672): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\fxrxffx.exe (PID 2792): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\7fxrxxf.exe (PID 2452): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\pjddp.exe (PID 3000): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\3lxrrxl.exe (PID 2984): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\bbnnbb.exe (PID 2628): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\ppppv.exe (PID 2632): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\rfrrflx.exe (PID 2012): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\hbnnbt.exe (PID 640): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\jdvdv.exe (PID 2568): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\llllxrl.exe (PID 1540): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\1bnthh.exe (PID 2920): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\ddvdp.exe (PID 2640): Executes dropped EXE
18. \??\c:\hbbhbn.exe (PID 832): Executes dropped EXE
19. \??\c:\5btnbb.exe (PID 1216): Executes dropped EXE
20. \??\c:\lfrrxlx.exe (PID 2884): Executes dropped EXE
21. \??\c:\lfrxlrr.exe (PID 2200): Executes dropped EXE
22. \??\c:\vpdvd.exe (PID 2552): Executes dropped EXE
23. \??\c:\xxrxlxl.exe (PID 2080): Executes dropped EXE
24. \??\c:\bbthnt.exe (PID 1656): Executes dropped EXE
25. \??\c:\ddpdp.exe (PID 1524): Executes dropped EXE
26. \??\c:\fxlxflr.exe (PID 2480): Executes dropped EXE
27. \??\c:\thbbhh.exe (PID 2380): Executes dropped EXE; System Location Discovery: System Language Discovery
28. \??\c:\jjpvv.exe (PID 1404): Executes dropped EXE
29. \??\c:\7lxxlfl.exe (PID 1400): Executes dropped EXE
30. \??\c:\vpjjv.exe (PID 996): Executes dropped EXE
31. \??\c:\lfrxfrf.exe (PID 3036): Executes dropped EXE
32. \??\c:\bthnbh.exe (PID 2384): Executes dropped EXE
33. \??\c:\pjjvd.exe (PID 2120): Executes dropped EXE
34. \??\c:\lfxflrx.exe (PID 2040): Executes dropped EXE
35. \??\c:\3bhhbh.exe (PID 2844): Executes dropped EXE
36. \??\c:\dvvjp.exe (PID 1552): Executes dropped EXE
37. \??\c:\dvpvj.exe (PID 2672): Executes dropped EXE
38. \??\c:\xrxxfxx.exe (PID 2732): Executes dropped EXE
39. \??\c:\hntbnt.exe (PID 3016): Executes dropped EXE
40. \??\c:\nhbbnb.exe (PID 1624): Executes dropped EXE
41. \??\c:\dpddj.exe (PID 2956): Executes dropped EXE
42. \??\c:\fxffrrf.exe (PID 2692): Executes dropped EXE
43. \??\c:\lfrrflx.exe (PID 2840): Executes dropped EXE
44. \??\c:\bnbbtn.exe (PID 2628): Executes dropped EXE
45. \??\c:\dvjjv.exe (PID 2592): Executes dropped EXE
46. \??\c:\jdvjp.exe (PID 2132): Executes dropped EXE
47. \??\c:\rrlxfrl.exe (PID 2144): Executes dropped EXE
48. \??\c:\lfrrrxl.exe (PID 2960): Executes dropped EXE
49. \??\c:\bbnnbh.exe (PID 2864): Executes dropped EXE
50. \??\c:\3pddd.exe (PID 1972): Executes dropped EXE
51. \??\c:\lllffxl.exe (PID 2316): Executes dropped EXE
52. \??\c:\lrllxlx.exe (PID 336): Executes dropped EXE
53. \??\c:\tntnhh.exe (PID 472): Executes dropped EXE
54. \??\c:\ddvjv.exe (PID 1520): Executes dropped EXE
55. \??\c:\dvpvp.exe (PID 1676): Executes dropped EXE
56. \??\c:\ffrxxrx.exe (PID 2988): Executes dropped EXE
57. \??\c:\3hhnth.exe (PID 2900): Executes dropped EXE
58. \??\c:\3vjpd.exe (PID 2184): Executes dropped EXE
59. \??\c:\dpdjp.exe (PID 2256): Executes dropped EXE
60. \??\c:\fxlrxxf.exe (PID 440): Executes dropped EXE
61. \??\c:\tnbhth.exe (PID 2080): Executes dropped EXE
62. \??\c:\hhttbb.exe (PID 960): Executes dropped EXE
63. \??\c:\jdvdj.exe (PID 1716): Executes dropped EXE
64. \??\c:\rllrfrf.exe (PID 1336): Executes dropped EXE
65. \??\c:\5hbhtt.exe (PID 556): Executes dropped EXE
66. \??\c:\btbhnb.exe (PID 2300)
67. \??\c:\vvjvd.exe (PID 1032)
68. \??\c:\3fxfrrf.exe (PID 1872)
69. \??\c:\frfxlrr.exe (PID 1816)
70. \??\c:\tnttbt.exe (PID 1512)
71. \??\c:\pdvjj.exe (PID 1508)
72. \??\c:\1dvdp.exe (PID 1604)
73. \??\c:\lffrflf.exe (PID 1636)
74. \??\c:\tthnnt.exe (PID 2216)
75. \??\c:\jdddj.exe (PID 2140)
76. \??\c:\9rlrffr.exe (PID 2852)
77. \??\c:\rfxfllx.exe (PID 2824)
78. \??\c:\hnnbbb.exe (PID 2684)
79. \??\c:\1tthtb.exe (PID 2732)
80. \??\c:\dvvpv.exe (PID 3016)
81. \??\c:\fllxrfr.exe (PID 1624)
82. \??\c:\lxllrxr.exe (PID 2948)
83. \??\c:\9tbhhh.exe (PID 2912)
84. \??\c:\ppjdv.exe (PID 2636)
85. \??\c:\ddpdd.exe (PID 2576)
86. \??\c:\rxlxlxx.exe (PID 2148)
87. \??\c:\btthth.exe (PID 1852)
88. \??\c:\pvpvj.exe (PID 1436)
89. \??\c:\lrllffl.exe (PID 772)
90. \??\c:\5ttbhn.exe (PID 1600)
91. \??\c:\hhhtbn.exe (PID 1540)
92. \??\c:\5vvdv.exe (PID 2816)
93. \??\c:\xrflrxf.exe (PID 2936)
94. \??\c:\1tthbh.exe (PID 1440)
95. \??\c:\nntbnb.exe (PID 2904)
96. \??\c:\7dpdd.exe (PID 1216)
97. \??\c:\7fflrxr.exe (PID 2896)
98. \??\c:\xxrxrxl.exe (PID 2520)
99. \??\c:\nnhnht.exe (PID 2188)
100. \??\c:\dpjjp.exe (PID 2268)
101. \??\c:\vvpvp.exe (PID 1964)
102. \??\c:\ffxlxlr.exe (PID 700)
103. \??\c:\bnhnnn.exe (PID 2060)
104. \??\c:\jpddd.exe (PID 2352)
105. \??\c:\3flllrx.exe (PID 1860)
106. \??\c:\hbnnbh.exe (PID 1336)
107. \??\c:\nhhbnt.exe (PID 1492)
108. \??\c:\3vjpp.exe (PID 1892)
109. \??\c:\1lxlrxl.exe (PID 1400)
110. \??\c:\htnbnb.exe (PID 2108)
111. \??\c:\vpdjp.exe (PID 1516)
112. \??\c:\ddpdp.exe (PID 3036)
113. \??\c:\fxxfrfr.exe (PID 880)
114. \??\c:\bbnthn.exe (PID 2488)
115. \??\c:\bhbtnb.exe (PID 2040)
116. \??\c:\vpdjv.exe (PID 2344)
117. \??\c:\fxrrxxf.exe (PID 2980)
118. \??\c:\thhttb.exe (PID 2820)
119. \??\c:\ttnhth.exe (PID 2784)
120. \??\c:\ppjjd.exe (PID 2616)
121. \??\c:\ppdpv.exe (PID 2812)
122. \??\c:\llxfrfx.exe (PID 1712)