Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
08/01/2025, 07:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe
-
Size
454KB
-
MD5
d5ad9ccfcee051f1fb8a244b31e85e67
-
SHA1
b031d76d5a819a9613c9c57a62f9c04380454f30
-
SHA256
c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b
-
SHA512
11ec03cc9a9306d2c789942c3b3747d5698158e0b0aa02f920008e940669c72062f2b5a7fcbc4c8f4bdb53d9368d17c96f9c99820c713e0339a061a14aacde14
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/1568-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1872-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1828-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1356-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1272-133-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1972-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-155-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1316-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1860-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1892-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-193-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1460-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1224-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1524-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-376-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1136-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1356-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-441-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1972-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-520-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/764-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1552-741-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2180-794-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1292-804-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/848-997-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1872 rfrrxxf.exe 1828 nhnthh.exe 2456 xxlffxx.exe 1532 thttbh.exe 2708 vpddv.exe 2668 fxxxflr.exe 2792 bbtbnt.exe 2848 jvjjv.exe 2292 hthhtt.exe 2588 1vjjp.exe 3008 rrfxfxf.exe 1644 nhthnn.exe 1356 1pdpv.exe 1272 rffrrrf.exe 1972 lxrrrrx.exe 1316 jjvdj.exe 1860 llfflfr.exe 1892 tnbbhn.exe 2256 lflfrll.exe 2844 lfffrrl.exe 2856 pjvvj.exe 1480 hbhnnh.exe 3068 3vpvj.exe 2608 pjjdv.exe 1460 5hntbn.exe 1224 jjvvd.exe 1468 1hhnbh.exe 588 pdvvj.exe 1560 nbhnnb.exe 2168 thtttn.exe 1424 3jvvv.exe 3048 lfffllr.exe 1524 5jpjd.exe 1872 rfrlxxf.exe 2088 llrxlrx.exe 2108 hthbtn.exe 3060 dpvdd.exe 2616 xrxxxxx.exe 2720 tbhbbt.exe 2184 3nhhbb.exe 2668 vjpjd.exe 2864 lxlrxxf.exe 2692 lrxxrrl.exe 2808 btnnbb.exe 2568 vpddp.exe 2788 pjddj.exe 3012 5lrxrlf.exe 1136 hthntn.exe 1548 1tnbhh.exe 1356 dpppd.exe 1980 lrfrrff.exe 1576 xrlrxfl.exe 1972 bnhntt.exe 2300 bnbbtb.exe 1732 vjvpv.exe 1724 3xllllr.exe 1892 frlfxll.exe 3000 1bhbhb.exe 2860 jjpjp.exe 2996 xfllrrr.exe 2028 nbbhhb.exe 2500 9bbhbt.exe 2476 1vjdv.exe 832 lffflfl.exe -
resource yara_rule behavioral1/memory/1568-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1828-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-46-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2668-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1356-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-193-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1460-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/588-264-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/1560-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-294-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1424-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1136-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1356-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-520-0x00000000002A0000-0x00000000002CA000-memory.dmp upx behavioral1/memory/764-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-715-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2984-940-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-1055-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-1080-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The only evidence recorded for this signature is a read of the NLS\Language registry key, an operation that many benign programs also perform; treat it as low-confidence context supporting the Blackmoon and dropped-EXE findings rather than as a stand-alone indicator.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvvd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9flxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1568 wrote to memory of 1872 1568 c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe 30 PID 1568 wrote to memory of 1872 1568 c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe 30 PID 1568 wrote to memory of 1872 1568 c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe 30 PID 1568 wrote to memory of 1872 1568 c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe 30 PID 1872 wrote to memory of 1828 1872 rfrrxxf.exe 31 PID 1872 wrote to memory of 1828 1872 rfrrxxf.exe 31 PID 1872 wrote to memory of 1828 1872 rfrrxxf.exe 31 PID 1872 wrote to memory of 1828 1872 rfrrxxf.exe 31 PID 1828 wrote to memory of 2456 1828 nhnthh.exe 32 PID 1828 wrote to memory of 2456 1828 nhnthh.exe 32 PID 1828 wrote to memory of 2456 1828 nhnthh.exe 32 PID 1828 wrote to memory of 2456 1828 nhnthh.exe 32 PID 2456 wrote to memory of 1532 2456 xxlffxx.exe 33 PID 2456 wrote to memory of 1532 2456 xxlffxx.exe 33 PID 2456 wrote to memory of 1532 2456 xxlffxx.exe 33 PID 2456 wrote to memory of 1532 2456 xxlffxx.exe 33 PID 1532 wrote to memory of 2708 1532 thttbh.exe 34 PID 1532 wrote to memory of 2708 1532 thttbh.exe 34 PID 1532 wrote to memory of 2708 1532 thttbh.exe 34 PID 1532 wrote to memory of 2708 1532 thttbh.exe 34 PID 2708 wrote to memory of 2668 2708 vpddv.exe 35 PID 2708 wrote to memory of 2668 2708 vpddv.exe 35 PID 2708 wrote to memory of 2668 2708 vpddv.exe 35 PID 2708 wrote to memory of 2668 2708 vpddv.exe 35 PID 2668 wrote to memory of 2792 2668 fxxxflr.exe 36 PID 2668 wrote to memory of 2792 2668 fxxxflr.exe 36 PID 2668 wrote to memory of 2792 2668 fxxxflr.exe 36 PID 2668 wrote to memory of 2792 2668 fxxxflr.exe 36 PID 2792 wrote to memory of 2848 2792 bbtbnt.exe 37 PID 2792 wrote to memory of 2848 2792 bbtbnt.exe 37 PID 2792 wrote to memory of 2848 2792 bbtbnt.exe 37 PID 2792 wrote to memory of 2848 2792 bbtbnt.exe 37 PID 2848 wrote to memory of 2292 2848 jvjjv.exe 38 PID 
2848 wrote to memory of 2292 2848 jvjjv.exe 38 PID 2848 wrote to memory of 2292 2848 jvjjv.exe 38 PID 2848 wrote to memory of 2292 2848 jvjjv.exe 38 PID 2292 wrote to memory of 2588 2292 hthhtt.exe 39 PID 2292 wrote to memory of 2588 2292 hthhtt.exe 39 PID 2292 wrote to memory of 2588 2292 hthhtt.exe 39 PID 2292 wrote to memory of 2588 2292 hthhtt.exe 39 PID 2588 wrote to memory of 3008 2588 1vjjp.exe 40 PID 2588 wrote to memory of 3008 2588 1vjjp.exe 40 PID 2588 wrote to memory of 3008 2588 1vjjp.exe 40 PID 2588 wrote to memory of 3008 2588 1vjjp.exe 40 PID 3008 wrote to memory of 1644 3008 rrfxfxf.exe 41 PID 3008 wrote to memory of 1644 3008 rrfxfxf.exe 41 PID 3008 wrote to memory of 1644 3008 rrfxfxf.exe 41 PID 3008 wrote to memory of 1644 3008 rrfxfxf.exe 41 PID 1644 wrote to memory of 1356 1644 nhthnn.exe 42 PID 1644 wrote to memory of 1356 1644 nhthnn.exe 42 PID 1644 wrote to memory of 1356 1644 nhthnn.exe 42 PID 1644 wrote to memory of 1356 1644 nhthnn.exe 42 PID 1356 wrote to memory of 1272 1356 1pdpv.exe 43 PID 1356 wrote to memory of 1272 1356 1pdpv.exe 43 PID 1356 wrote to memory of 1272 1356 1pdpv.exe 43 PID 1356 wrote to memory of 1272 1356 1pdpv.exe 43 PID 1272 wrote to memory of 1972 1272 rffrrrf.exe 44 PID 1272 wrote to memory of 1972 1272 rffrrrf.exe 44 PID 1272 wrote to memory of 1972 1272 rffrrrf.exe 44 PID 1272 wrote to memory of 1972 1272 rffrrrf.exe 44 PID 1972 wrote to memory of 1316 1972 lxrrrrx.exe 45 PID 1972 wrote to memory of 1316 1972 lxrrrrx.exe 45 PID 1972 wrote to memory of 1316 1972 lxrrrrx.exe 45 PID 1972 wrote to memory of 1316 1972 lxrrrrx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe"C:\Users\Admin\AppData\Local\Temp\c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\rfrrxxf.exec:\rfrrxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\nhnthh.exec:\nhnthh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\xxlffxx.exec:\xxlffxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\thttbh.exec:\thttbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\vpddv.exec:\vpddv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\fxxxflr.exec:\fxxxflr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\bbtbnt.exec:\bbtbnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\jvjjv.exec:\jvjjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\hthhtt.exec:\hthhtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\1vjjp.exec:\1vjjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\rrfxfxf.exec:\rrfxfxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\nhthnn.exec:\nhthnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\1pdpv.exec:\1pdpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\rffrrrf.exec:\rffrrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\lxrrrrx.exec:\lxrrrrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\jjvdj.exec:\jjvdj.exe17⤵
- Executes dropped EXE
PID:1316 -
\??\c:\llfflfr.exec:\llfflfr.exe18⤵
- Executes dropped EXE
PID:1860 -
\??\c:\tnbbhn.exec:\tnbbhn.exe19⤵
- Executes dropped EXE
PID:1892 -
\??\c:\lflfrll.exec:\lflfrll.exe20⤵
- Executes dropped EXE
PID:2256 -
\??\c:\lfffrrl.exec:\lfffrrl.exe21⤵
- Executes dropped EXE
PID:2844 -
\??\c:\pjvvj.exec:\pjvvj.exe22⤵
- Executes dropped EXE
PID:2856 -
\??\c:\hbhnnh.exec:\hbhnnh.exe23⤵
- Executes dropped EXE
PID:1480 -
\??\c:\3vpvj.exec:\3vpvj.exe24⤵
- Executes dropped EXE
PID:3068 -
\??\c:\pjjdv.exec:\pjjdv.exe25⤵
- Executes dropped EXE
PID:2608 -
\??\c:\5hntbn.exec:\5hntbn.exe26⤵
- Executes dropped EXE
PID:1460 -
\??\c:\jjvvd.exec:\jjvvd.exe27⤵
- Executes dropped EXE
PID:1224 -
\??\c:\1hhnbh.exec:\1hhnbh.exe28⤵
- Executes dropped EXE
PID:1468 -
\??\c:\pdvvj.exec:\pdvvj.exe29⤵
- Executes dropped EXE
PID:588 -
\??\c:\nbhnnb.exec:\nbhnnb.exe30⤵
- Executes dropped EXE
PID:1560 -
\??\c:\thtttn.exec:\thtttn.exe31⤵
- Executes dropped EXE
PID:2168 -
\??\c:\3jvvv.exec:\3jvvv.exe32⤵
- Executes dropped EXE
PID:1424 -
\??\c:\lfffllr.exec:\lfffllr.exe33⤵
- Executes dropped EXE
PID:3048 -
\??\c:\5jpjd.exec:\5jpjd.exe34⤵
- Executes dropped EXE
PID:1524 -
\??\c:\rfrlxxf.exec:\rfrlxxf.exe35⤵
- Executes dropped EXE
PID:1872 -
\??\c:\llrxlrx.exec:\llrxlrx.exe36⤵
- Executes dropped EXE
PID:2088 -
\??\c:\hthbtn.exec:\hthbtn.exe37⤵
- Executes dropped EXE
PID:2108 -
\??\c:\dpvdd.exec:\dpvdd.exe38⤵
- Executes dropped EXE
PID:3060 -
\??\c:\xrxxxxx.exec:\xrxxxxx.exe39⤵
- Executes dropped EXE
PID:2616 -
\??\c:\tbhbbt.exec:\tbhbbt.exe40⤵
- Executes dropped EXE
PID:2720 -
\??\c:\3nhhbb.exec:\3nhhbb.exe41⤵
- Executes dropped EXE
PID:2184 -
\??\c:\vjpjd.exec:\vjpjd.exe42⤵
- Executes dropped EXE
PID:2668 -
\??\c:\lxlrxxf.exec:\lxlrxxf.exe43⤵
- Executes dropped EXE
PID:2864 -
\??\c:\lrxxrrl.exec:\lrxxrrl.exe44⤵
- Executes dropped EXE
PID:2692 -
\??\c:\btnnbb.exec:\btnnbb.exe45⤵
- Executes dropped EXE
PID:2808 -
\??\c:\vpddp.exec:\vpddp.exe46⤵
- Executes dropped EXE
PID:2568 -
\??\c:\pjddj.exec:\pjddj.exe47⤵
- Executes dropped EXE
PID:2788 -
\??\c:\5lrxrlf.exec:\5lrxrlf.exe48⤵
- Executes dropped EXE
PID:3012 -
\??\c:\hthntn.exec:\hthntn.exe49⤵
- Executes dropped EXE
PID:1136 -
\??\c:\1tnbhh.exec:\1tnbhh.exe50⤵
- Executes dropped EXE
PID:1548 -
\??\c:\dpppd.exec:\dpppd.exe51⤵
- Executes dropped EXE
PID:1356 -
\??\c:\lrfrrff.exec:\lrfrrff.exe52⤵
- Executes dropped EXE
PID:1980 -
\??\c:\xrlrxfl.exec:\xrlrxfl.exe53⤵
- Executes dropped EXE
PID:1576 -
\??\c:\bnhntt.exec:\bnhntt.exe54⤵
- Executes dropped EXE
PID:1972 -
\??\c:\bnbbtb.exec:\bnbbtb.exe55⤵
- Executes dropped EXE
PID:2300 -
\??\c:\vjvpv.exec:\vjvpv.exe56⤵
- Executes dropped EXE
PID:1732 -
\??\c:\3xllllr.exec:\3xllllr.exe57⤵
- Executes dropped EXE
PID:1724 -
\??\c:\frlfxll.exec:\frlfxll.exe58⤵
- Executes dropped EXE
PID:1892 -
\??\c:\1bhbhb.exec:\1bhbhb.exe59⤵
- Executes dropped EXE
PID:3000 -
\??\c:\jjpjp.exec:\jjpjp.exe60⤵
- Executes dropped EXE
PID:2860 -
\??\c:\xfllrrr.exec:\xfllrrr.exe61⤵
- Executes dropped EXE
PID:2996 -
\??\c:\nbbhhb.exec:\nbbhhb.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2028 -
\??\c:\9bbhbt.exec:\9bbhbt.exe63⤵
- Executes dropped EXE
PID:2500 -
\??\c:\1vjdv.exec:\1vjdv.exe64⤵
- Executes dropped EXE
PID:2476 -
\??\c:\lffflfl.exec:\lffflfl.exe65⤵
- Executes dropped EXE
PID:832 -
\??\c:\3tbttt.exec:\3tbttt.exe66⤵PID:1648
-
\??\c:\nhnhhb.exec:\nhnhhb.exe67⤵PID:2972
-
\??\c:\jdjpp.exec:\jdjpp.exe68⤵PID:1696
-
\??\c:\rrrrrrx.exec:\rrrrrrx.exe69⤵PID:892
-
\??\c:\nbbtbt.exec:\nbbtbt.exe70⤵PID:2408
-
\??\c:\tnbbnh.exec:\tnbbnh.exe71⤵PID:764
-
\??\c:\vpvvp.exec:\vpvvp.exe72⤵PID:2928
-
\??\c:\rlrrxxl.exec:\rlrrxxl.exe73⤵PID:2876
-
\??\c:\rlxxfxx.exec:\rlxxfxx.exe74⤵PID:2872
-
\??\c:\htbttt.exec:\htbttt.exe75⤵PID:2276
-
\??\c:\htnntt.exec:\htnntt.exe76⤵PID:2232
-
\??\c:\ppddd.exec:\ppddd.exe77⤵PID:1568
-
\??\c:\7fxxxxx.exec:\7fxxxxx.exe78⤵PID:1524
-
\??\c:\rlrllff.exec:\rlrllff.exe79⤵PID:2804
-
\??\c:\nththb.exec:\nththb.exe80⤵PID:2868
-
\??\c:\jjvjd.exec:\jjvjd.exe81⤵PID:2108
-
\??\c:\1ffrxxx.exec:\1ffrxxx.exe82⤵PID:3060
-
\??\c:\xrflxrx.exec:\xrflxrx.exe83⤵PID:2652
-
\??\c:\hnttnn.exec:\hnttnn.exe84⤵PID:2720
-
\??\c:\5ntbtb.exec:\5ntbtb.exe85⤵PID:2744
-
\??\c:\3jvjd.exec:\3jvjd.exe86⤵PID:2880
-
\??\c:\rfxxfxf.exec:\rfxxfxf.exe87⤵PID:2536
-
\??\c:\9xfxxrr.exec:\9xfxxrr.exe88⤵PID:2692
-
\??\c:\hbhhnh.exec:\hbhhnh.exe89⤵PID:2544
-
\??\c:\9pvpj.exec:\9pvpj.exe90⤵PID:2292
-
\??\c:\1fxxxxl.exec:\1fxxxxl.exe91⤵PID:672
-
\??\c:\flfxxlr.exec:\flfxxlr.exe92⤵PID:1096
-
\??\c:\nhhnnn.exec:\nhhnnn.exe93⤵PID:1992
-
\??\c:\vpdvp.exec:\vpdvp.exe94⤵PID:2488
-
\??\c:\7ppjd.exec:\7ppjd.exe95⤵PID:844
-
\??\c:\xrfrlff.exec:\xrfrlff.exe96⤵PID:1352
-
\??\c:\bnnntn.exec:\bnnntn.exe97⤵PID:1956
-
\??\c:\thhhnb.exec:\thhhnb.exe98⤵PID:1540
-
\??\c:\3jppd.exec:\3jppd.exe99⤵PID:1716
-
\??\c:\fxfxxrr.exec:\fxfxxrr.exe100⤵PID:1740
-
\??\c:\nbbbnh.exec:\nbbbnh.exe101⤵PID:1552
-
\??\c:\tbhbhb.exec:\tbhbhb.exe102⤵PID:1032
-
\??\c:\1jvpj.exec:\1jvpj.exe103⤵PID:2976
-
\??\c:\pdppv.exec:\pdppv.exe104⤵PID:3004
-
\??\c:\7fxrrxf.exec:\7fxrrxf.exe105⤵PID:2148
-
\??\c:\httbhh.exec:\httbhh.exe106⤵PID:1396
-
\??\c:\hhhhhn.exec:\hhhhhn.exe107⤵PID:348
-
\??\c:\pjvvp.exec:\pjvvp.exe108⤵PID:2192
-
\??\c:\frfffxf.exec:\frfffxf.exe109⤵PID:836
-
\??\c:\lxllrll.exec:\lxllrll.exe110⤵PID:2180
-
\??\c:\9thhhn.exec:\9thhhn.exe111⤵PID:1292
-
\??\c:\pdjvv.exec:\pdjvv.exe112⤵PID:1916
-
\??\c:\jvddj.exec:\jvddj.exe113⤵PID:1600
-
\??\c:\xxfffrr.exec:\xxfffrr.exe114⤵PID:892
-
\??\c:\nbnnbb.exec:\nbnnbb.exe115⤵PID:2408
-
\??\c:\tntbhb.exec:\tntbhb.exe116⤵PID:764
-
\??\c:\dvjpd.exec:\dvjpd.exe117⤵PID:2280
-
\??\c:\7vvpj.exec:\7vvpj.exe118⤵PID:2104
-
\??\c:\xrflrrf.exec:\xrflrrf.exe119⤵PID:2872
-
\??\c:\bhnhbt.exec:\bhnhbt.exe120⤵PID:3028
-
\??\c:\7tthnt.exec:\7tthnt.exe121⤵PID:2112
-
\??\c:\ppjdj.exec:\ppjdj.exe122⤵PID:2452