Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system -
submitted
03/03/2025, 01:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7bc15ccac5dcb58a154b105d40b426d60df230d1af1e1afe1eb80cd32425edea.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
7bc15ccac5dcb58a154b105d40b426d60df230d1af1e1afe1eb80cd32425edea.exe
-
Size
454KB
-
MD5
860b35e7e0e7f31379307c9ec6a3dafa
-
SHA1
a0821a737569d19a140827fe9b9eaddfeec2123d
-
SHA256
7bc15ccac5dcb58a154b105d40b426d60df230d1af1e1afe1eb80cd32425edea
-
SHA512
633b46c5b5fcaaa6337c60274c0aaec750d686c68b7290e1ea65830a5fa4d5b1e37134caf16b48793561a13971feab50b49da1bf745858569bcbe24d78fc00f2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3100-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1408-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1736-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-741-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-942-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-1003-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-1124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4408-1411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3512 nhhtnh.exe 3692 pppjd.exe 1732 xrlxrfr.exe 864 nbthnh.exe 1192 nbthtn.exe 1168 vvppj.exe 4024 5xxrfxr.exe 1460 dpjvv.exe 3496 bthtth.exe 2852 ppvpp.exe 4560 ntbtnh.exe 4356 7ntnbb.exe 3436 xrrfxrl.exe 348 jvvjv.exe 4940 pjdvj.exe 3764 lrxrxxr.exe 2520 jppdp.exe 4484 lxxlfrx.exe 4408 5ttnbt.exe 4268 dppdv.exe 1428 nhtbtn.exe 5032 ntbnhb.exe 1464 3vpjv.exe 2256 djdpd.exe 2904 9llxlfr.exe 2576 jdvvp.exe 1408 rxrxllf.exe 4448 hnnhbb.exe 3400 pjdvj.exe 3052 jpvpv.exe 4364 1ntntn.exe 3444 vdpjd.exe 924 xlrllfl.exe 1192 httnhb.exe 1168 pjvdv.exe 4048 pvvpj.exe 2252 lxxrlfx.exe 4248 vpvpv.exe 3496 ffrxflr.exe 2280 ffxrrll.exe 2400 httnnn.exe 1596 ppjvj.exe 4972 fllxlfr.exe 3208 9llfxrf.exe 3776 thnnht.exe 1956 pvvjd.exe 3096 lxxlxrl.exe 404 hntnbt.exe 208 btnbnh.exe 3980 fxlllll.exe 1356 rflfxxr.exe 2520 hbthnt.exe 2924 ddpdp.exe 5108 5vpjv.exe 4884 fxlllll.exe 2676 bbbbtt.exe 4268 pdjjj.exe 1008 llfxrxr.exe 2516 xflrlrf.exe 4016 hbhhhh.exe 388 jdjdd.exe 1820 rflfxxr.exe 64 rrrfxff.exe 2492 nhtntt.exe -
resource yara_rule behavioral2/memory/3100-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-168-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3052-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-404-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4580-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-942-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxrfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlxxx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3100 wrote to memory of 3512 3100 7bc15ccac5dcb58a154b105d40b426d60df230d1af1e1afe1eb80cd32425edea.exe 85 PID 3100 wrote to memory of 3512 3100 7bc15ccac5dcb58a154b105d40b426d60df230d1af1e1afe1eb80cd32425edea.exe 85 PID 3100 wrote to memory of 3512 3100 7bc15ccac5dcb58a154b105d40b426d60df230d1af1e1afe1eb80cd32425edea.exe 85 PID 3512 wrote to memory of 3692 3512 nhhtnh.exe 86 PID 3512 wrote to memory of 3692 3512 nhhtnh.exe 86 PID 3512 wrote to memory of 3692 3512 nhhtnh.exe 86 PID 3692 wrote to memory of 1732 3692 pppjd.exe 87 PID 3692 wrote to memory of 1732 3692 pppjd.exe 87 PID 3692 wrote to memory of 1732 3692 pppjd.exe 87 PID 1732 wrote to memory of 864 1732 xrlxrfr.exe 88 PID 1732 wrote to memory of 864 1732 xrlxrfr.exe 88 PID 1732 wrote to memory of 864 1732 xrlxrfr.exe 88 PID 864 wrote to memory of 1192 864 nbthnh.exe 89 PID 864 wrote to memory of 1192 864 nbthnh.exe 89 PID 864 wrote to memory of 1192 864 nbthnh.exe 89 PID 1192 wrote to memory of 1168 1192 nbthtn.exe 90 PID 1192 wrote to memory of 1168 1192 nbthtn.exe 90 PID 1192 wrote to memory of 1168 1192 nbthtn.exe 90 PID 1168 wrote to memory of 4024 1168 vvppj.exe 92 PID 1168 wrote to memory of 4024 1168 vvppj.exe 92 PID 1168 wrote to memory of 4024 1168 vvppj.exe 92 PID 4024 wrote to memory of 1460 4024 5xxrfxr.exe 93 PID 4024 wrote to memory of 1460 4024 5xxrfxr.exe 93 PID 4024 wrote to memory of 1460 4024 5xxrfxr.exe 93 PID 1460 wrote to memory of 3496 1460 dpjvv.exe 94 PID 1460 wrote to memory of 3496 1460 dpjvv.exe 94 PID 1460 wrote to memory of 3496 1460 dpjvv.exe 94 PID 3496 wrote to memory of 2852 3496 bthtth.exe 95 PID 3496 wrote to memory of 2852 3496 bthtth.exe 95 PID 3496 wrote to memory of 2852 3496 bthtth.exe 95 PID 2852 wrote to memory of 4560 2852 ppvpp.exe 96 PID 2852 wrote to memory of 4560 2852 ppvpp.exe 96 PID 2852 wrote to memory of 4560 2852 ppvpp.exe 96 PID 4560 wrote to memory of 4356 4560 ntbtnh.exe 97 PID 4560 wrote to memory of 4356 
4560 ntbtnh.exe 97 PID 4560 wrote to memory of 4356 4560 ntbtnh.exe 97 PID 4356 wrote to memory of 3436 4356 7ntnbb.exe 99 PID 4356 wrote to memory of 3436 4356 7ntnbb.exe 99 PID 4356 wrote to memory of 3436 4356 7ntnbb.exe 99 PID 3436 wrote to memory of 348 3436 xrrfxrl.exe 100 PID 3436 wrote to memory of 348 3436 xrrfxrl.exe 100 PID 3436 wrote to memory of 348 3436 xrrfxrl.exe 100 PID 348 wrote to memory of 4940 348 jvvjv.exe 101 PID 348 wrote to memory of 4940 348 jvvjv.exe 101 PID 348 wrote to memory of 4940 348 jvvjv.exe 101 PID 4940 wrote to memory of 3764 4940 pjdvj.exe 102 PID 4940 wrote to memory of 3764 4940 pjdvj.exe 102 PID 4940 wrote to memory of 3764 4940 pjdvj.exe 102 PID 3764 wrote to memory of 2520 3764 lrxrxxr.exe 103 PID 3764 wrote to memory of 2520 3764 lrxrxxr.exe 103 PID 3764 wrote to memory of 2520 3764 lrxrxxr.exe 103 PID 2520 wrote to memory of 4484 2520 jppdp.exe 104 PID 2520 wrote to memory of 4484 2520 jppdp.exe 104 PID 2520 wrote to memory of 4484 2520 jppdp.exe 104 PID 4484 wrote to memory of 4408 4484 lxxlfrx.exe 105 PID 4484 wrote to memory of 4408 4484 lxxlfrx.exe 105 PID 4484 wrote to memory of 4408 4484 lxxlfrx.exe 105 PID 4408 wrote to memory of 4268 4408 5ttnbt.exe 106 PID 4408 wrote to memory of 4268 4408 5ttnbt.exe 106 PID 4408 wrote to memory of 4268 4408 5ttnbt.exe 106 PID 4268 wrote to memory of 1428 4268 dppdv.exe 107 PID 4268 wrote to memory of 1428 4268 dppdv.exe 107 PID 4268 wrote to memory of 1428 4268 dppdv.exe 107 PID 1428 wrote to memory of 5032 1428 nhtbtn.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\7bc15ccac5dcb58a154b105d40b426d60df230d1af1e1afe1eb80cd32425edea.exe"C:\Users\Admin\AppData\Local\Temp\7bc15ccac5dcb58a154b105d40b426d60df230d1af1e1afe1eb80cd32425edea.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\nhhtnh.exec:\nhhtnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\pppjd.exec:\pppjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\xrlxrfr.exec:\xrlxrfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\nbthnh.exec:\nbthnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\nbthtn.exec:\nbthtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\vvppj.exec:\vvppj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\5xxrfxr.exec:\5xxrfxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\dpjvv.exec:\dpjvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\bthtth.exec:\bthtth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\ppvpp.exec:\ppvpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\ntbtnh.exec:\ntbtnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\7ntnbb.exec:\7ntnbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\jvvjv.exec:\jvvjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\pjdvj.exec:\pjdvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\lrxrxxr.exec:\lrxrxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\jppdp.exec:\jppdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\lxxlfrx.exec:\lxxlfrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\5ttnbt.exec:\5ttnbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\dppdv.exec:\dppdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\nhtbtn.exec:\nhtbtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\ntbnhb.exec:\ntbnhb.exe23⤵
- Executes dropped EXE
PID:5032 -
\??\c:\3vpjv.exec:\3vpjv.exe24⤵
- Executes dropped EXE
PID:1464 -
\??\c:\djdpd.exec:\djdpd.exe25⤵
- Executes dropped EXE
PID:2256 -
\??\c:\9llxlfr.exec:\9llxlfr.exe26⤵
- Executes dropped EXE
PID:2904 -
\??\c:\jdvvp.exec:\jdvvp.exe27⤵
- Executes dropped EXE
PID:2576 -
\??\c:\rxrxllf.exec:\rxrxllf.exe28⤵
- Executes dropped EXE
PID:1408 -
\??\c:\hnnhbb.exec:\hnnhbb.exe29⤵
- Executes dropped EXE
PID:4448 -
\??\c:\pjdvj.exec:\pjdvj.exe30⤵
- Executes dropped EXE
PID:3400 -
\??\c:\jpvpv.exec:\jpvpv.exe31⤵
- Executes dropped EXE
PID:3052 -
\??\c:\1ntntn.exec:\1ntntn.exe32⤵
- Executes dropped EXE
PID:4364 -
\??\c:\vdpjd.exec:\vdpjd.exe33⤵
- Executes dropped EXE
PID:3444 -
\??\c:\xlrllfl.exec:\xlrllfl.exe34⤵
- Executes dropped EXE
PID:924 -
\??\c:\httnhb.exec:\httnhb.exe35⤵
- Executes dropped EXE
PID:1192 -
\??\c:\pjvdv.exec:\pjvdv.exe36⤵
- Executes dropped EXE
PID:1168 -
\??\c:\pvvpj.exec:\pvvpj.exe37⤵
- Executes dropped EXE
PID:4048 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe38⤵
- Executes dropped EXE
PID:2252 -
\??\c:\vpvpv.exec:\vpvpv.exe39⤵
- Executes dropped EXE
PID:4248 -
\??\c:\ffrxflr.exec:\ffrxflr.exe40⤵
- Executes dropped EXE
PID:3496 -
\??\c:\ffxrrll.exec:\ffxrrll.exe41⤵
- Executes dropped EXE
PID:2280 -
\??\c:\httnnn.exec:\httnnn.exe42⤵
- Executes dropped EXE
PID:2400 -
\??\c:\ppjvj.exec:\ppjvj.exe43⤵
- Executes dropped EXE
PID:1596 -
\??\c:\fllxlfr.exec:\fllxlfr.exe44⤵
- Executes dropped EXE
PID:4972 -
\??\c:\9llfxrf.exec:\9llfxrf.exe45⤵
- Executes dropped EXE
PID:3208 -
\??\c:\thnnht.exec:\thnnht.exe46⤵
- Executes dropped EXE
PID:3776 -
\??\c:\pvvjd.exec:\pvvjd.exe47⤵
- Executes dropped EXE
PID:1956 -
\??\c:\lxxlxrl.exec:\lxxlxrl.exe48⤵
- Executes dropped EXE
PID:3096 -
\??\c:\hntnbt.exec:\hntnbt.exe49⤵
- Executes dropped EXE
PID:404 -
\??\c:\btnbnh.exec:\btnbnh.exe50⤵
- Executes dropped EXE
PID:208 -
\??\c:\fxlllll.exec:\fxlllll.exe51⤵
- Executes dropped EXE
PID:3980 -
\??\c:\rflfxxr.exec:\rflfxxr.exe52⤵
- Executes dropped EXE
PID:1356 -
\??\c:\hbthnt.exec:\hbthnt.exe53⤵
- Executes dropped EXE
PID:2520 -
\??\c:\ddpdp.exec:\ddpdp.exe54⤵
- Executes dropped EXE
PID:2924 -
\??\c:\5vpjv.exec:\5vpjv.exe55⤵
- Executes dropped EXE
PID:5108 -
\??\c:\fxlllll.exec:\fxlllll.exe56⤵
- Executes dropped EXE
PID:4884 -
\??\c:\bbbbtt.exec:\bbbbtt.exe57⤵
- Executes dropped EXE
PID:2676 -
\??\c:\pdjjj.exec:\pdjjj.exe58⤵
- Executes dropped EXE
PID:4268 -
\??\c:\llfxrxr.exec:\llfxrxr.exe59⤵
- Executes dropped EXE
PID:1008 -
\??\c:\xflrlrf.exec:\xflrlrf.exe60⤵
- Executes dropped EXE
PID:2516 -
\??\c:\hbhhhh.exec:\hbhhhh.exe61⤵
- Executes dropped EXE
PID:4016 -
\??\c:\jdjdd.exec:\jdjdd.exe62⤵
- Executes dropped EXE
PID:388 -
\??\c:\rflfxxr.exec:\rflfxxr.exe63⤵
- Executes dropped EXE
PID:1820 -
\??\c:\rrrfxff.exec:\rrrfxff.exe64⤵
- Executes dropped EXE
PID:64 -
\??\c:\nhtntt.exec:\nhtntt.exe65⤵
- Executes dropped EXE
PID:2492 -
\??\c:\jjpjj.exec:\jjpjj.exe66⤵PID:1248
-
\??\c:\vdpjd.exec:\vdpjd.exe67⤵PID:4240
-
\??\c:\lfrxrxr.exec:\lfrxrxr.exe68⤵PID:4392
-
\??\c:\hnhbbb.exec:\hnhbbb.exe69⤵PID:3936
-
\??\c:\pjjjj.exec:\pjjjj.exe70⤵PID:4968
-
\??\c:\7lffxff.exec:\7lffxff.exe71⤵PID:2856
-
\??\c:\tthbnh.exec:\tthbnh.exe72⤵PID:5044
-
\??\c:\btnnhn.exec:\btnnhn.exe73⤵PID:4796
-
\??\c:\jjvdp.exec:\jjvdp.exe74⤵PID:4528
-
\??\c:\rrlfxxx.exec:\rrlfxxx.exe75⤵PID:5104
-
\??\c:\llrlffx.exec:\llrlffx.exe76⤵PID:4304
-
\??\c:\bttnnn.exec:\bttnnn.exe77⤵PID:4888
-
\??\c:\vpppp.exec:\vpppp.exe78⤵PID:4144
-
\??\c:\pjjpp.exec:\pjjpp.exe79⤵PID:3868
-
\??\c:\lxlfrrl.exec:\lxlfrrl.exe80⤵PID:1216
-
\??\c:\nhnhhh.exec:\nhnhhh.exe81⤵PID:4536
-
\??\c:\ntbbbt.exec:\ntbbbt.exe82⤵PID:1192
-
\??\c:\dvjjd.exec:\dvjjd.exe83⤵PID:3388
-
\??\c:\lxfxflr.exec:\lxfxflr.exe84⤵PID:4876
-
\??\c:\ddvpj.exec:\ddvpj.exe85⤵PID:436
-
\??\c:\1vpjv.exec:\1vpjv.exe86⤵PID:2708
-
\??\c:\7llllrr.exec:\7llllrr.exe87⤵PID:4640
-
\??\c:\bttbtb.exec:\bttbtb.exe88⤵PID:2280
-
\??\c:\djjjj.exec:\djjjj.exe89⤵PID:1736
-
\??\c:\xllfxrl.exec:\xllfxrl.exe90⤵PID:1568
-
\??\c:\7ntnhn.exec:\7ntnhn.exe91⤵PID:1400
-
\??\c:\nbbnhh.exec:\nbbnhh.exe92⤵PID:4356
-
\??\c:\pdvpp.exec:\pdvpp.exe93⤵PID:1920
-
\??\c:\lfflffl.exec:\lfflffl.exe94⤵
- System Location Discovery: System Language Discovery
PID:1016 -
\??\c:\lffxrrl.exec:\lffxrrl.exe95⤵PID:3928
-
\??\c:\btnhnn.exec:\btnhnn.exe96⤵PID:3196
-
\??\c:\vjpdd.exec:\vjpdd.exe97⤵PID:548
-
\??\c:\pjvvj.exec:\pjvvj.exe98⤵PID:2092
-
\??\c:\7lrlllf.exec:\7lrlllf.exe99⤵PID:1392
-
\??\c:\nhbbtt.exec:\nhbbtt.exe100⤵PID:4080
-
\??\c:\vddvp.exec:\vddvp.exe101⤵PID:2408
-
\??\c:\vvdvp.exec:\vvdvp.exe102⤵PID:4572
-
\??\c:\1lrrxrx.exec:\1lrrxrx.exe103⤵PID:2552
-
\??\c:\ttttnn.exec:\ttttnn.exe104⤵
- System Location Discovery: System Language Discovery
PID:456 -
\??\c:\jjjdd.exec:\jjjdd.exe105⤵PID:216
-
\??\c:\xrxrrll.exec:\xrxrrll.exe106⤵PID:4016
-
\??\c:\rllfxrl.exec:\rllfxrl.exe107⤵PID:3192
-
\??\c:\tbttnn.exec:\tbttnn.exe108⤵PID:3644
-
\??\c:\pvvdd.exec:\pvvdd.exe109⤵PID:4580
-
\??\c:\xxxrxrl.exec:\xxxrxrl.exe110⤵PID:4084
-
\??\c:\tntttb.exec:\tntttb.exe111⤵PID:2492
-
\??\c:\ddvvp.exec:\ddvvp.exe112⤵PID:3788
-
\??\c:\dpvjd.exec:\dpvjd.exe113⤵PID:3500
-
\??\c:\fxffxxr.exec:\fxffxxr.exe114⤵PID:3184
-
\??\c:\hbnbhb.exec:\hbnbhb.exe115⤵PID:4388
-
\??\c:\djjpj.exec:\djjpj.exe116⤵PID:4380
-
\??\c:\5fxrrxr.exec:\5fxrrxr.exe117⤵PID:2872
-
\??\c:\fllrfff.exec:\fllrfff.exe118⤵PID:4312
-
\??\c:\tthhnn.exec:\tthhnn.exe119⤵PID:2344
-
\??\c:\7jppj.exec:\7jppj.exe120⤵PID:1220
-
\??\c:\llllfll.exec:\llllfll.exe121⤵PID:3692
-
\??\c:\bthhhh.exec:\bthhhh.exe122⤵PID:2892