Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe
-
Size
454KB
-
MD5
d5ad9ccfcee051f1fb8a244b31e85e67
-
SHA1
b031d76d5a819a9613c9c57a62f9c04380454f30
-
SHA256
c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b
-
SHA512
11ec03cc9a9306d2c789942c3b3747d5698158e0b0aa02f920008e940669c72062f2b5a7fcbc4c8f4bdb53d9368d17c96f9c99820c713e0339a061a14aacde14
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4804-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/872-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1844-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-770-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-783-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-940-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-1205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2044 rlfxrll.exe 3116 tbbnhb.exe 3912 vvdvv.exe 4844 5bnhtb.exe 2200 rffrllf.exe 1992 rffxrlf.exe 3496 hhnbth.exe 2580 fllxrlx.exe 4812 xfrflff.exe 2500 jvjdd.exe 3272 bhtnhh.exe 3784 pppjv.exe 1784 tnnbbb.exe 4464 dddvj.exe 404 nhhbtn.exe 5044 jjpjp.exe 1864 rrxrfxr.exe 1480 xrllfxl.exe 4400 bbbhbn.exe 1524 vpjdp.exe 1576 rfllrfr.exe 4032 rllffxx.exe 4108 nhtnhb.exe 5008 jpvpv.exe 872 5hhtnh.exe 1844 ddvjd.exe 2944 bnthtn.exe 4080 xrrlfrx.exe 1580 ddjdv.exe 4392 xllxlll.exe 4060 rxfxrlf.exe 4040 hntntt.exe 3928 5jdvp.exe 3416 xlfrrxf.exe 4708 hnbtnn.exe 1544 jddvj.exe 2780 fxrlxlx.exe 1356 ntbhbt.exe 1824 1djdv.exe 4424 3rlfxrr.exe 760 9tthbt.exe 4460 pjpjv.exe 3600 fllllll.exe 4780 nhntnh.exe 3728 dppdp.exe 3756 5lfrffx.exe 4844 lrfxllf.exe 3200 hbbnhb.exe 4496 ddvpj.exe 3532 lflxxrl.exe 4732 3nbhhh.exe 2580 dvdvj.exe 2628 lfrlrrr.exe 4848 1thttt.exe 952 jppdv.exe 2500 djjvv.exe 2952 rrxrllf.exe 1936 7bhbbt.exe 3000 dvvjd.exe 5100 3llfrrl.exe 4588 thhbtn.exe 5076 hhhnbh.exe 5044 9jjjv.exe 4412 frxrffr.exe -
resource yara_rule behavioral2/memory/4804-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1844-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-380-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4024-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-770-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-783-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7htnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhhh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrfxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lllfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4804 wrote to memory of 2044 4804 c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe 83 PID 4804 wrote to memory of 2044 4804 c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe 83 PID 4804 wrote to memory of 2044 4804 c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe 83 PID 2044 wrote to memory of 3116 2044 rlfxrll.exe 84 PID 2044 wrote to memory of 3116 2044 rlfxrll.exe 84 PID 2044 wrote to memory of 3116 2044 rlfxrll.exe 84 PID 3116 wrote to memory of 3912 3116 tbbnhb.exe 85 PID 3116 wrote to memory of 3912 3116 tbbnhb.exe 85 PID 3116 wrote to memory of 3912 3116 tbbnhb.exe 85 PID 3912 wrote to memory of 4844 3912 vvdvv.exe 86 PID 3912 wrote to memory of 4844 3912 vvdvv.exe 86 PID 3912 wrote to memory of 4844 3912 vvdvv.exe 86 PID 4844 wrote to memory of 2200 4844 5bnhtb.exe 87 PID 4844 wrote to memory of 2200 4844 5bnhtb.exe 87 PID 4844 wrote to memory of 2200 4844 5bnhtb.exe 87 PID 2200 wrote to memory of 1992 2200 rffrllf.exe 88 PID 2200 wrote to memory of 1992 2200 rffrllf.exe 88 PID 2200 wrote to memory of 1992 2200 rffrllf.exe 88 PID 1992 wrote to memory of 3496 1992 rffxrlf.exe 89 PID 1992 wrote to memory of 3496 1992 rffxrlf.exe 89 PID 1992 wrote to memory of 3496 1992 rffxrlf.exe 89 PID 3496 wrote to memory of 2580 3496 hhnbth.exe 90 PID 3496 wrote to memory of 2580 3496 hhnbth.exe 90 PID 3496 wrote to memory of 2580 3496 hhnbth.exe 90 PID 2580 wrote to memory of 4812 2580 fllxrlx.exe 91 PID 2580 wrote to memory of 4812 2580 fllxrlx.exe 91 PID 2580 wrote to memory of 4812 2580 fllxrlx.exe 91 PID 4812 wrote to memory of 2500 4812 xfrflff.exe 92 PID 4812 wrote to memory of 2500 4812 xfrflff.exe 92 PID 4812 wrote to memory of 2500 4812 xfrflff.exe 92 PID 2500 wrote to memory of 3272 2500 jvjdd.exe 93 PID 2500 wrote to memory of 3272 2500 jvjdd.exe 93 PID 2500 wrote to memory of 3272 2500 jvjdd.exe 93 PID 3272 wrote to memory of 3784 3272 bhtnhh.exe 94 PID 3272 
wrote to memory of 3784 3272 bhtnhh.exe 94 PID 3272 wrote to memory of 3784 3272 bhtnhh.exe 94 PID 3784 wrote to memory of 1784 3784 pppjv.exe 95 PID 3784 wrote to memory of 1784 3784 pppjv.exe 95 PID 3784 wrote to memory of 1784 3784 pppjv.exe 95 PID 1784 wrote to memory of 4464 1784 tnnbbb.exe 96 PID 1784 wrote to memory of 4464 1784 tnnbbb.exe 96 PID 1784 wrote to memory of 4464 1784 tnnbbb.exe 96 PID 4464 wrote to memory of 404 4464 dddvj.exe 97 PID 4464 wrote to memory of 404 4464 dddvj.exe 97 PID 4464 wrote to memory of 404 4464 dddvj.exe 97 PID 404 wrote to memory of 5044 404 nhhbtn.exe 98 PID 404 wrote to memory of 5044 404 nhhbtn.exe 98 PID 404 wrote to memory of 5044 404 nhhbtn.exe 98 PID 5044 wrote to memory of 1864 5044 jjpjp.exe 99 PID 5044 wrote to memory of 1864 5044 jjpjp.exe 99 PID 5044 wrote to memory of 1864 5044 jjpjp.exe 99 PID 1864 wrote to memory of 1480 1864 rrxrfxr.exe 100 PID 1864 wrote to memory of 1480 1864 rrxrfxr.exe 100 PID 1864 wrote to memory of 1480 1864 rrxrfxr.exe 100 PID 1480 wrote to memory of 4400 1480 xrllfxl.exe 101 PID 1480 wrote to memory of 4400 1480 xrllfxl.exe 101 PID 1480 wrote to memory of 4400 1480 xrllfxl.exe 101 PID 4400 wrote to memory of 1524 4400 bbbhbn.exe 102 PID 4400 wrote to memory of 1524 4400 bbbhbn.exe 102 PID 4400 wrote to memory of 1524 4400 bbbhbn.exe 102 PID 1524 wrote to memory of 1576 1524 vpjdp.exe 103 PID 1524 wrote to memory of 1576 1524 vpjdp.exe 103 PID 1524 wrote to memory of 1576 1524 vpjdp.exe 103 PID 1576 wrote to memory of 4032 1576 rfllrfr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe"C:\Users\Admin\AppData\Local\Temp\c0b9a166155083f6fdb7b86d13dd03b568754fd4c55ccc03bcf0b8e97e29107b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\rlfxrll.exec:\rlfxrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\tbbnhb.exec:\tbbnhb.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\vvdvv.exec:\vvdvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\5bnhtb.exec:\5bnhtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\rffrllf.exec:\rffrllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\rffxrlf.exec:\rffxrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\hhnbth.exec:\hhnbth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\fllxrlx.exec:\fllxrlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\xfrflff.exec:\xfrflff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\jvjdd.exec:\jvjdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\bhtnhh.exec:\bhtnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\pppjv.exec:\pppjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\tnnbbb.exec:\tnnbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\dddvj.exec:\dddvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\nhhbtn.exec:\nhhbtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\jjpjp.exec:\jjpjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\rrxrfxr.exec:\rrxrfxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\xrllfxl.exec:\xrllfxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\bbbhbn.exec:\bbbhbn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\vpjdp.exec:\vpjdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\rfllrfr.exec:\rfllrfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\rllffxx.exec:\rllffxx.exe23⤵
- Executes dropped EXE
PID:4032 -
\??\c:\nhtnhb.exec:\nhtnhb.exe24⤵
- Executes dropped EXE
PID:4108 -
\??\c:\jpvpv.exec:\jpvpv.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5008 -
\??\c:\5hhtnh.exec:\5hhtnh.exe26⤵
- Executes dropped EXE
PID:872 -
\??\c:\ddvjd.exec:\ddvjd.exe27⤵
- Executes dropped EXE
PID:1844 -
\??\c:\bnthtn.exec:\bnthtn.exe28⤵
- Executes dropped EXE
PID:2944 -
\??\c:\xrrlfrx.exec:\xrrlfrx.exe29⤵
- Executes dropped EXE
PID:4080 -
\??\c:\ddjdv.exec:\ddjdv.exe30⤵
- Executes dropped EXE
PID:1580 -
\??\c:\xllxlll.exec:\xllxlll.exe31⤵
- Executes dropped EXE
PID:4392 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe32⤵
- Executes dropped EXE
PID:4060 -
\??\c:\hntntt.exec:\hntntt.exe33⤵
- Executes dropped EXE
PID:4040 -
\??\c:\5jdvp.exec:\5jdvp.exe34⤵
- Executes dropped EXE
PID:3928 -
\??\c:\xlfrrxf.exec:\xlfrrxf.exe35⤵
- Executes dropped EXE
PID:3416 -
\??\c:\hnbtnn.exec:\hnbtnn.exe36⤵
- Executes dropped EXE
PID:4708 -
\??\c:\jddvj.exec:\jddvj.exe37⤵
- Executes dropped EXE
PID:1544 -
\??\c:\fxrlxlx.exec:\fxrlxlx.exe38⤵
- Executes dropped EXE
PID:2780 -
\??\c:\ntbhbt.exec:\ntbhbt.exe39⤵
- Executes dropped EXE
PID:1356 -
\??\c:\1djdv.exec:\1djdv.exe40⤵
- Executes dropped EXE
PID:1824 -
\??\c:\3rlfxrr.exec:\3rlfxrr.exe41⤵
- Executes dropped EXE
PID:4424 -
\??\c:\9tthbt.exec:\9tthbt.exe42⤵
- Executes dropped EXE
PID:760 -
\??\c:\pjpjv.exec:\pjpjv.exe43⤵
- Executes dropped EXE
PID:4460 -
\??\c:\fllllll.exec:\fllllll.exe44⤵
- Executes dropped EXE
PID:3600 -
\??\c:\nhntnh.exec:\nhntnh.exe45⤵
- Executes dropped EXE
PID:4780 -
\??\c:\dppdp.exec:\dppdp.exe46⤵
- Executes dropped EXE
PID:3728 -
\??\c:\5lfrffx.exec:\5lfrffx.exe47⤵
- Executes dropped EXE
PID:3756 -
\??\c:\lrfxllf.exec:\lrfxllf.exe48⤵
- Executes dropped EXE
PID:4844 -
\??\c:\hbbnhb.exec:\hbbnhb.exe49⤵
- Executes dropped EXE
PID:3200 -
\??\c:\ddvpj.exec:\ddvpj.exe50⤵
- Executes dropped EXE
PID:4496 -
\??\c:\lflxxrl.exec:\lflxxrl.exe51⤵
- Executes dropped EXE
PID:3532 -
\??\c:\3nbhhh.exec:\3nbhhh.exe52⤵
- Executes dropped EXE
PID:4732 -
\??\c:\dvdvj.exec:\dvdvj.exe53⤵
- Executes dropped EXE
PID:2580 -
\??\c:\lfrlrrr.exec:\lfrlrrr.exe54⤵
- Executes dropped EXE
PID:2628 -
\??\c:\1thttt.exec:\1thttt.exe55⤵
- Executes dropped EXE
PID:4848 -
\??\c:\jppdv.exec:\jppdv.exe56⤵
- Executes dropped EXE
PID:952 -
\??\c:\djjvv.exec:\djjvv.exe57⤵
- Executes dropped EXE
PID:2500 -
\??\c:\rrxrllf.exec:\rrxrllf.exe58⤵
- Executes dropped EXE
PID:2952 -
\??\c:\7bhbbt.exec:\7bhbbt.exe59⤵
- Executes dropped EXE
PID:1936 -
\??\c:\dvvjd.exec:\dvvjd.exe60⤵
- Executes dropped EXE
PID:3000 -
\??\c:\3llfrrl.exec:\3llfrrl.exe61⤵
- Executes dropped EXE
PID:5100 -
\??\c:\thhbtn.exec:\thhbtn.exe62⤵
- Executes dropped EXE
PID:4588 -
\??\c:\hhhnbh.exec:\hhhnbh.exe63⤵
- Executes dropped EXE
PID:5076 -
\??\c:\9jjjv.exec:\9jjjv.exe64⤵
- Executes dropped EXE
PID:5044 -
\??\c:\frxrffr.exec:\frxrffr.exe65⤵
- Executes dropped EXE
PID:4412 -
\??\c:\tbbtnn.exec:\tbbtnn.exe66⤵PID:4324
-
\??\c:\jjjdd.exec:\jjjdd.exe67⤵PID:4444
-
\??\c:\pjjvj.exec:\pjjvj.exe68⤵PID:1728
-
\??\c:\fllfffx.exec:\fllfffx.exe69⤵PID:2004
-
\??\c:\hntnbt.exec:\hntnbt.exe70⤵PID:688
-
\??\c:\jdpjv.exec:\jdpjv.exe71⤵PID:4280
-
\??\c:\vvvpd.exec:\vvvpd.exe72⤵PID:4988
-
\??\c:\3llflll.exec:\3llflll.exe73⤵PID:3804
-
\??\c:\xllfxrl.exec:\xllfxrl.exe74⤵PID:4356
-
\??\c:\nbbbtt.exec:\nbbbtt.exe75⤵PID:1532
-
\??\c:\dvjdp.exec:\dvjdp.exe76⤵PID:3488
-
\??\c:\fxflrrr.exec:\fxflrrr.exe77⤵PID:1072
-
\??\c:\1xlxxxl.exec:\1xlxxxl.exe78⤵PID:3016
-
\??\c:\9tnhhh.exec:\9tnhhh.exe79⤵PID:4752
-
\??\c:\jvjdv.exec:\jvjdv.exe80⤵PID:1844
-
\??\c:\lflxlfx.exec:\lflxlfx.exe81⤵PID:4056
-
\??\c:\9htnhb.exec:\9htnhb.exe82⤵PID:2944
-
\??\c:\hbhbtt.exec:\hbhbtt.exe83⤵PID:4472
-
\??\c:\dddvp.exec:\dddvp.exe84⤵PID:4540
-
\??\c:\3llxlfr.exec:\3llxlfr.exe85⤵PID:2924
-
\??\c:\nbtnbn.exec:\nbtnbn.exe86⤵PID:2656
-
\??\c:\7ddvp.exec:\7ddvp.exe87⤵PID:4392
-
\??\c:\xlxrffx.exec:\xlxrffx.exe88⤵PID:4060
-
\??\c:\rxffffx.exec:\rxffffx.exe89⤵PID:4764
-
\??\c:\htnhbb.exec:\htnhbb.exe90⤵PID:3996
-
\??\c:\ddvpd.exec:\ddvpd.exe91⤵PID:3772
-
\??\c:\rffxlfx.exec:\rffxlfx.exe92⤵PID:836
-
\??\c:\hbttnh.exec:\hbttnh.exe93⤵PID:4024
-
\??\c:\bnbntt.exec:\bnbntt.exe94⤵PID:1840
-
\??\c:\pvpjd.exec:\pvpjd.exe95⤵PID:5080
-
\??\c:\1xfxlfr.exec:\1xfxlfr.exe96⤵PID:3592
-
\??\c:\hhtnhh.exec:\hhtnhh.exe97⤵PID:4304
-
\??\c:\1vvpd.exec:\1vvpd.exe98⤵PID:2556
-
\??\c:\xrxrxxx.exec:\xrxrxxx.exe99⤵PID:1492
-
\??\c:\1ntnnn.exec:\1ntnnn.exe100⤵PID:220
-
\??\c:\pppdp.exec:\pppdp.exe101⤵PID:2044
-
\??\c:\pjjdp.exec:\pjjdp.exe102⤵PID:4064
-
\??\c:\xrxrflx.exec:\xrxrflx.exe103⤵PID:3324
-
\??\c:\7ntnht.exec:\7ntnht.exe104⤵PID:4076
-
\??\c:\nhhhtn.exec:\nhhhtn.exe105⤵PID:1276
-
\??\c:\vpddj.exec:\vpddj.exe106⤵PID:3756
-
\??\c:\dpddv.exec:\dpddv.exe107⤵PID:1424
-
\??\c:\7llfrrl.exec:\7llfrrl.exe108⤵PID:3292
-
\??\c:\nthbtt.exec:\nthbtt.exe109⤵PID:3200
-
\??\c:\3ttnhb.exec:\3ttnhb.exe110⤵PID:2068
-
\??\c:\pjvpp.exec:\pjvpp.exe111⤵PID:4872
-
\??\c:\fxlrfxf.exec:\fxlrfxf.exe112⤵PID:2616
-
\??\c:\fxxrrrr.exec:\fxxrrrr.exe113⤵PID:1100
-
\??\c:\hbhbht.exec:\hbhbht.exe114⤵PID:1060
-
\??\c:\vvvdp.exec:\vvvdp.exe115⤵PID:2792
-
\??\c:\5rrlfxx.exec:\5rrlfxx.exe116⤵PID:1488
-
\??\c:\7bhbbb.exec:\7bhbbb.exe117⤵PID:4132
-
\??\c:\pjdpj.exec:\pjdpj.exe118⤵PID:4420
-
\??\c:\pvdjd.exec:\pvdjd.exe119⤵PID:2952
-
\??\c:\5rrlxxr.exec:\5rrlxxr.exe120⤵PID:1936
-
\??\c:\tnnhbb.exec:\tnnhbb.exe121⤵
- System Location Discovery: System Language Discovery
PID:3000 -
\??\c:\nntnhb.exec:\nntnhb.exe122⤵PID:3244
-