Analysis
max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted
19-12-2024 00:56
Behavioral task
behavioral1
Sample
9f2d7ee2faabb5748b92d375dea8fa21d3bf38e9f715905ab5cc38b79c2219f2.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
Target
9f2d7ee2faabb5748b92d375dea8fa21d3bf38e9f715905ab5cc38b79c2219f2.exe
Size
331KB
MD5
78514fa2e07ac6b487807e4757409701
SHA1
87efb991759d3e145d054e7c96ebb799b405d13e
SHA256
9f2d7ee2faabb5748b92d375dea8fa21d3bf38e9f715905ab5cc38b79c2219f2
SHA512
76ca9393cb7aa096ccbd2c255080cbe717123299ce25023c4e33034d6fde1115dbdfa0e7ac9b1686b80cda238a1e4633550528cf2447172615e47833466ede0c
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7t+:94wFHoStJdSjylh2b77BoTMA9gX59sTW
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 46 IoCs
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\9f2d7ee2faabb5748b92d375dea8fa21d3bf38e9f715905ab5cc38b79c2219f2.exe  "C:\Users\Admin\AppData\Local\Temp\9f2d7ee2faabb5748b92d375dea8fa21d3bf38e9f715905ab5cc38b79c2219f2.exe"  PID:2792
- Suspicious use of WriteProcessMemory
2. \??\c:\nllxb.exe  c:\nllxb.exe  PID:1356
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3. \??\c:\ddtvdph.exe  c:\ddtvdph.exe  PID:780
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
4. \??\c:\btnnbjj.exe  c:\btnnbjj.exe  PID:2912
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
5. \??\c:\fhfpb.exe  c:\fhfpb.exe  PID:2992
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6. \??\c:\vvpbj.exe  c:\vvpbj.exe  PID:2928
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7. \??\c:\xrrjh.exe  c:\xrrjh.exe  PID:1720
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
8. \??\c:\nvrvd.exe  c:\nvrvd.exe  PID:2776
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
9. \??\c:\lbjpbj.exe  c:\lbjpbj.exe  PID:2596
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
10. \??\c:\xfvhb.exe  c:\xfvhb.exe  PID:2692
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
11. \??\c:\xjpdr.exe  c:\xjpdr.exe  PID:2612
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
12. \??\c:\ddpvnlb.exe  c:\ddpvnlb.exe  PID:2116
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13. \??\c:\frnrd.exe  c:\frnrd.exe  PID:1484
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14. \??\c:\xnhvvh.exe  c:\xnhvvh.exe  PID:2956
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
15. \??\c:\fdbjr.exe  c:\fdbjr.exe  PID:3064
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
16. \??\c:\njjfnpd.exe  c:\njjfnpd.exe  PID:2200
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17. \??\c:\nnfvn.exe  c:\nnfvn.exe  PID:2952
- Executes dropped EXE
18. \??\c:\lvxfjtn.exe  c:\lvxfjtn.exe  PID:2016
- Executes dropped EXE
- System Location Discovery: System Language Discovery
19. \??\c:\pjnhj.exe  c:\pjnhj.exe  PID:2248
- Executes dropped EXE
20. \??\c:\rvpjlh.exe  c:\rvpjlh.exe  PID:1148
- Executes dropped EXE
21. \??\c:\xbvnb.exe  c:\xbvnb.exe  PID:2232
- Executes dropped EXE
22. \??\c:\rfjpt.exe  c:\rfjpt.exe  PID:2272
- Executes dropped EXE
23. \??\c:\njdlx.exe  c:\njdlx.exe  PID:2480
- Executes dropped EXE
24. \??\c:\lbjntxp.exe  c:\lbjntxp.exe  PID:2684
- Executes dropped EXE
25. \??\c:\bjlljhv.exe  c:\bjlljhv.exe  PID:1220
- Executes dropped EXE
26. \??\c:\hpfxxd.exe  c:\hpfxxd.exe  PID:1408
- Executes dropped EXE
27. \??\c:\jrxtxnf.exe  c:\jrxtxnf.exe  PID:1644
- Executes dropped EXE
28. \??\c:\hpfnpj.exe  c:\hpfnpj.exe  PID:2128
- Executes dropped EXE
29. \??\c:\lrxvnh.exe  c:\lrxvnh.exe  PID:680
- Executes dropped EXE
30. \??\c:\btplrbd.exe  c:\btplrbd.exe  PID:1816
- Executes dropped EXE
31. \??\c:\nfbvhnh.exe  c:\nfbvhnh.exe  PID:1396
- Executes dropped EXE
32. \??\c:\fplvt.exe  c:\fplvt.exe  PID:948
- Executes dropped EXE
33. \??\c:\hnblfxp.exe  c:\hnblfxp.exe  PID:964
- Executes dropped EXE
34. \??\c:\thtpj.exe  c:\thtpj.exe  PID:472
- Executes dropped EXE
35. \??\c:\hvrdrtx.exe  c:\hvrdrtx.exe  PID:2292
- Executes dropped EXE
36. \??\c:\hdpvpv.exe  c:\hdpvpv.exe  PID:2384
- Executes dropped EXE
37. \??\c:\xhtjvd.exe  c:\xhtjvd.exe  PID:884
- Executes dropped EXE
38. \??\c:\rfrpt.exe  c:\rfrpt.exe  PID:2368
- Executes dropped EXE
39. \??\c:\rjtbvj.exe  c:\rjtbvj.exe  PID:1576
- Executes dropped EXE
40. \??\c:\jxpnx.exe  c:\jxpnx.exe  PID:3012
- Executes dropped EXE
41. \??\c:\rvfjxpx.exe  c:\rvfjxpx.exe  PID:3008
- Executes dropped EXE
42. \??\c:\jhdbt.exe  c:\jhdbt.exe  PID:2856
- Executes dropped EXE
43. \??\c:\nfjtn.exe  c:\nfjtn.exe  PID:2980
- Executes dropped EXE
44. \??\c:\nhnnxfd.exe  c:\nhnnxfd.exe  PID:2864
- Executes dropped EXE
45. \??\c:\lxjxb.exe  c:\lxjxb.exe  PID:2316
- Executes dropped EXE
46. \??\c:\hhlbn.exe  c:\hhlbn.exe  PID:2148
- Executes dropped EXE
47. \??\c:\vvvfvd.exe  c:\vvvfvd.exe  PID:2736
- Executes dropped EXE
48. \??\c:\bvvbh.exe  c:\bvvbh.exe  PID:2876
- Executes dropped EXE
49. \??\c:\rvvfxb.exe  c:\rvvfxb.exe  PID:2712
- Executes dropped EXE
50. \??\c:\rtpnjh.exe  c:\rtpnjh.exe  PID:2724
- Executes dropped EXE
51. \??\c:\fnbxh.exe  c:\fnbxh.exe  PID:2196
- Executes dropped EXE
52. \??\c:\ftdbbxd.exe  c:\ftdbbxd.exe  PID:1660
- Executes dropped EXE
53. \??\c:\ljrlp.exe  c:\ljrlp.exe  PID:2104
- Executes dropped EXE
54. \??\c:\jhdfrh.exe  c:\jhdfrh.exe  PID:2396
- Executes dropped EXE
55. \??\c:\fptnvpf.exe  c:\fptnvpf.exe  PID:2092
- Executes dropped EXE
56. \??\c:\nbnhnnr.exe  c:\nbnhnnr.exe  PID:1484
- Executes dropped EXE
57. \??\c:\rrjnrh.exe  c:\rrjnrh.exe  PID:2500
- Executes dropped EXE
58. \??\c:\hflpvdp.exe  c:\hflpvdp.exe  PID:3044
- Executes dropped EXE
59. \??\c:\hxvvtjf.exe  c:\hxvvtjf.exe  PID:1144
- Executes dropped EXE
60. \??\c:\npflvx.exe  c:\npflvx.exe  PID:2064
- Executes dropped EXE
61. \??\c:\htvdnf.exe  c:\htvdnf.exe  PID:2972
- Executes dropped EXE
62. \??\c:\fdlhd.exe  c:\fdlhd.exe  PID:1200
- Executes dropped EXE
63. \??\c:\jjvjpd.exe  c:\jjvjpd.exe  PID:1448
- Executes dropped EXE
64. \??\c:\vlfxpr.exe  c:\vlfxpr.exe  PID:1616
- Executes dropped EXE
65. \??\c:\hrjpp.exe  c:\hrjpp.exe  PID:1108
- Executes dropped EXE
66. \??\c:\rxljt.exe  c:\rxljt.exe  PID:2488
67. \??\c:\pvxvfnp.exe  c:\pvxvfnp.exe  PID:2908
68. \??\c:\rfxlnp.exe  c:\rfxlnp.exe  PID:2272
69. \??\c:\rflvjft.exe  c:\rflvjft.exe  PID:1652
70. \??\c:\fjltd.exe  c:\fjltd.exe  PID:368
71. \??\c:\xnndbj.exe  c:\xnndbj.exe  PID:848
72. \??\c:\hvvvrj.exe  c:\hvvvrj.exe  PID:2168
73. \??\c:\hdnlvrj.exe  c:\hdnlvrj.exe  PID:2652
74. \??\c:\brnvv.exe  c:\brnvv.exe  PID:1408
75. \??\c:\nhrbxjd.exe  c:\nhrbxjd.exe  PID:2420
76. \??\c:\jfpdnr.exe  c:\jfpdnr.exe  PID:1636
77. \??\c:\xdhxfdt.exe  c:\xdhxfdt.exe  PID:388
78. \??\c:\hbpnrnf.exe  c:\hbpnrnf.exe  PID:1668
79. \??\c:\tfptnd.exe  c:\tfptnd.exe  PID:2556
80. \??\c:\hvfvdjn.exe  c:\hvfvdjn.exe  PID:1396
81. \??\c:\thdjp.exe  c:\thdjp.exe  PID:2000
82. \??\c:\hlttrrd.exe  c:\hlttrrd.exe  PID:920
83. \??\c:\bbfnvh.exe  c:\bbfnvh.exe  PID:2132
84. \??\c:\lbbhjh.exe  c:\lbbhjh.exe  PID:472
85. \??\c:\dxbfhjd.exe  c:\dxbfhjd.exe  PID:2360
86. \??\c:\bxfxt.exe  c:\bxfxt.exe  PID:1748
87. \??\c:\tdttd.exe  c:\tdttd.exe  PID:932
88. \??\c:\jjlbbbr.exe  c:\jjlbbbr.exe  PID:2380
89. \??\c:\tfjjtr.exe  c:\tfjjtr.exe  PID:1604
- System Location Discovery: System Language Discovery
90. \??\c:\tfdhblt.exe  c:\tfdhblt.exe  PID:2288
91. \??\c:\bvtfn.exe  c:\bvtfn.exe  PID:1516
92. \??\c:\nphrb.exe  c:\nphrb.exe  PID:2948
93. \??\c:\bpfvnb.exe  c:\bpfvnb.exe  PID:2336
94. \??\c:\jxvrpl.exe  c:\jxvrpl.exe  PID:3004
95. \??\c:\ndrhv.exe  c:\ndrhv.exe  PID:2316
96. \??\c:\vdtfv.exe  c:\vdtfv.exe  PID:2456
97. \??\c:\lfdrjr.exe  c:\lfdrjr.exe  PID:3032
98. \??\c:\hpbjxx.exe  c:\hpbjxx.exe  PID:2996
99. \??\c:\npdflfx.exe  c:\npdflfx.exe  PID:3016
100. \??\c:\njtxh.exe  c:\njtxh.exe  PID:2356
- System Location Discovery: System Language Discovery
101. \??\c:\xxtxrrt.exe  c:\xxtxrrt.exe  PID:2696
102. \??\c:\tfnvhnl.exe  c:\tfnvhnl.exe  PID:2780
- System Location Discovery: System Language Discovery
103. \??\c:\jxbpj.exe  c:\jxbpj.exe  PID:2108
104. \??\c:\lbxpd.exe  c:\lbxpd.exe  PID:2116
105. \??\c:\lhxbhvv.exe  c:\lhxbhvv.exe  PID:2112
106. \??\c:\jddvpf.exe  c:\jddvpf.exe  PID:1168
107. \??\c:\thphxj.exe  c:\thphxj.exe  PID:1020
108. \??\c:\bdvhbt.exe  c:\bdvhbt.exe  PID:540
109. \??\c:\pjhbj.exe  c:\pjhbj.exe  PID:1984
110. \??\c:\bljbpj.exe  c:\bljbpj.exe  PID:1260
111. \??\c:\xblxphh.exe  c:\xblxphh.exe  PID:1312
112. \??\c:\hthlvlx.exe  c:\hthlvlx.exe  PID:2248
113. \??\c:\nxnfx.exe  c:\nxnfx.exe  PID:2328
114. \??\c:\drjjjd.exe  c:\drjjjd.exe  PID:1612
115. \??\c:\pdxjj.exe  c:\pdxjj.exe  PID:2228
116. \??\c:\fnnvlfj.exe  c:\fnnvlfj.exe  PID:2488
117. \??\c:\btjjrnf.exe  c:\btjjrnf.exe  PID:1524
118. \??\c:\vvrrfv.exe  c:\vvrrfv.exe  PID:2080
119. \??\c:\hhnpx.exe  c:\hhnpx.exe  PID:2220
120. \??\c:\tffhr.exe  c:\tffhr.exe  PID:1220
121. \??\c:\lpthbx.exe  c:\lpthbx.exe  PID:1552
122. \??\c:\trlfjf.exe  c:\trlfjf.exe  PID:2516