Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe
-
Size
454KB
-
MD5
f7bcb760b7a13f8ce99619ccd1970e62
-
SHA1
f779eea2724b76cf2257a3444725125805f74659
-
SHA256
cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f
-
SHA512
8b3a6cd420217e1348ce440e69fd9e2e5e6502b28877668028f5d4fbce09eb792629c1f1a246018e122c518dc6ec45961d73704b635ae4d02a3a6b633a6ee7a7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2336-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4316-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2420-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-793-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-1045-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-1073-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-1644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3852 xxxrrrr.exe 4564 7djjj.exe 880 nttnhb.exe 2228 5lrrllf.exe 2000 pvjvj.exe 4620 nhbttt.exe 1420 rllfrll.exe 2152 ntbbtb.exe 4344 5jjdd.exe 5008 xlxflfr.exe 2864 vvvpj.exe 224 3nnbtt.exe 4200 pjjvj.exe 1968 nhnbtn.exe 212 bbttbt.exe 4928 rxfrllf.exe 2432 1tbhbb.exe 216 rxxrfrl.exe 3740 3pjjd.exe 4692 xlxrlfr.exe 4064 vvddd.exe 1252 rlxxrfx.exe 2656 httbhh.exe 1704 lxrfxrl.exe 2172 1pdvj.exe 1148 ffxxxxx.exe 4316 djpdp.exe 3928 9lrlfrl.exe 4156 ddjdv.exe 2104 xrxrflf.exe 2776 1btnhh.exe 1072 dvpjd.exe 1556 vpjdv.exe 2984 9fxlfrf.exe 2372 dpjvp.exe 768 flxxxxx.exe 1628 hnbbnn.exe 1840 dvvvv.exe 3548 xrxrllf.exe 3284 thhtnb.exe 1436 dpdvv.exe 4788 7rlxlfx.exe 4340 frxrllf.exe 4568 bthtnh.exe 2460 dpjdv.exe 4892 llllrff.exe 1544 tnthtn.exe 3752 9hbthh.exe 3204 vdvpj.exe 4428 hnnnbb.exe 4740 jddvj.exe 3424 7flfllr.exe 4040 flxrfxr.exe 5108 9bnhnn.exe 1412 jddvp.exe 1532 frfrxxx.exe 2944 btnnhn.exe 2624 hthnbb.exe 4224 5vjvj.exe 1348 rrlxrrf.exe 452 hhtnnn.exe 3696 bbtnhh.exe 4824 vjjjd.exe 1464 frrxfxx.exe -
resource yara_rule behavioral2/memory/2336-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2104-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-428-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2288-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-1002-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhthh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2336 wrote to memory of 3852 2336 cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe 82 PID 2336 wrote to memory of 3852 2336 cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe 82 PID 2336 wrote to memory of 3852 2336 cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe 82 PID 3852 wrote to memory of 4564 3852 xxxrrrr.exe 83 PID 3852 wrote to memory of 4564 3852 xxxrrrr.exe 83 PID 3852 wrote to memory of 4564 3852 xxxrrrr.exe 83 PID 4564 wrote to memory of 880 4564 7djjj.exe 84 PID 4564 wrote to memory of 880 4564 7djjj.exe 84 PID 4564 wrote to memory of 880 4564 7djjj.exe 84 PID 880 wrote to memory of 2228 880 nttnhb.exe 85 PID 880 wrote to memory of 2228 880 nttnhb.exe 85 PID 880 wrote to memory of 2228 880 nttnhb.exe 85 PID 2228 wrote to memory of 2000 2228 5lrrllf.exe 86 PID 2228 wrote to memory of 2000 2228 5lrrllf.exe 86 PID 2228 wrote to memory of 2000 2228 5lrrllf.exe 86 PID 2000 wrote to memory of 4620 2000 pvjvj.exe 87 PID 2000 wrote to memory of 4620 2000 pvjvj.exe 87 PID 2000 wrote to memory of 4620 2000 pvjvj.exe 87 PID 4620 wrote to memory of 1420 4620 nhbttt.exe 88 PID 4620 wrote to memory of 1420 4620 nhbttt.exe 88 PID 4620 wrote to memory of 1420 4620 nhbttt.exe 88 PID 1420 wrote to memory of 2152 1420 rllfrll.exe 89 PID 1420 wrote to memory of 2152 1420 rllfrll.exe 89 PID 1420 wrote to memory of 2152 1420 rllfrll.exe 89 PID 2152 wrote to memory of 4344 2152 ntbbtb.exe 90 PID 2152 wrote to memory of 4344 2152 ntbbtb.exe 90 PID 2152 wrote to memory of 4344 2152 ntbbtb.exe 90 PID 4344 wrote to memory of 5008 4344 5jjdd.exe 91 PID 4344 wrote to memory of 5008 4344 5jjdd.exe 91 PID 4344 wrote to memory of 5008 4344 5jjdd.exe 91 PID 5008 wrote to memory of 2864 5008 xlxflfr.exe 92 PID 5008 wrote to memory of 2864 5008 xlxflfr.exe 92 PID 5008 wrote to memory of 2864 5008 xlxflfr.exe 92 PID 2864 wrote to memory of 224 2864 vvvpj.exe 93 PID 2864 wrote to memory of 
224 2864 vvvpj.exe 93 PID 2864 wrote to memory of 224 2864 vvvpj.exe 93 PID 224 wrote to memory of 4200 224 3nnbtt.exe 94 PID 224 wrote to memory of 4200 224 3nnbtt.exe 94 PID 224 wrote to memory of 4200 224 3nnbtt.exe 94 PID 4200 wrote to memory of 1968 4200 pjjvj.exe 95 PID 4200 wrote to memory of 1968 4200 pjjvj.exe 95 PID 4200 wrote to memory of 1968 4200 pjjvj.exe 95 PID 1968 wrote to memory of 212 1968 nhnbtn.exe 96 PID 1968 wrote to memory of 212 1968 nhnbtn.exe 96 PID 1968 wrote to memory of 212 1968 nhnbtn.exe 96 PID 212 wrote to memory of 4928 212 bbttbt.exe 97 PID 212 wrote to memory of 4928 212 bbttbt.exe 97 PID 212 wrote to memory of 4928 212 bbttbt.exe 97 PID 4928 wrote to memory of 2432 4928 rxfrllf.exe 98 PID 4928 wrote to memory of 2432 4928 rxfrllf.exe 98 PID 4928 wrote to memory of 2432 4928 rxfrllf.exe 98 PID 2432 wrote to memory of 216 2432 1tbhbb.exe 99 PID 2432 wrote to memory of 216 2432 1tbhbb.exe 99 PID 2432 wrote to memory of 216 2432 1tbhbb.exe 99 PID 216 wrote to memory of 3740 216 rxxrfrl.exe 100 PID 216 wrote to memory of 3740 216 rxxrfrl.exe 100 PID 216 wrote to memory of 3740 216 rxxrfrl.exe 100 PID 3740 wrote to memory of 4692 3740 3pjjd.exe 101 PID 3740 wrote to memory of 4692 3740 3pjjd.exe 101 PID 3740 wrote to memory of 4692 3740 3pjjd.exe 101 PID 4692 wrote to memory of 4064 4692 xlxrlfr.exe 102 PID 4692 wrote to memory of 4064 4692 xlxrlfr.exe 102 PID 4692 wrote to memory of 4064 4692 xlxrlfr.exe 102 PID 4064 wrote to memory of 1252 4064 vvddd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe"C:\Users\Admin\AppData\Local\Temp\cf4c6141e55e4604763d06fe39eb794cb53a711d4fc4350bfaf1b6dc27e7f21f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\xxxrrrr.exec:\xxxrrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\7djjj.exec:\7djjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\nttnhb.exec:\nttnhb.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\5lrrllf.exec:\5lrrllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\pvjvj.exec:\pvjvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\nhbttt.exec:\nhbttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\rllfrll.exec:\rllfrll.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\ntbbtb.exec:\ntbbtb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\5jjdd.exec:\5jjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\xlxflfr.exec:\xlxflfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\vvvpj.exec:\vvvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\3nnbtt.exec:\3nnbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\pjjvj.exec:\pjjvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\nhnbtn.exec:\nhnbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\bbttbt.exec:\bbttbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\rxfrllf.exec:\rxfrllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\1tbhbb.exec:\1tbhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\rxxrfrl.exec:\rxxrfrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\3pjjd.exec:\3pjjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\xlxrlfr.exec:\xlxrlfr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\vvddd.exec:\vvddd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\rlxxrfx.exec:\rlxxrfx.exe23⤵
- Executes dropped EXE
PID:1252 -
\??\c:\httbhh.exec:\httbhh.exe24⤵
- Executes dropped EXE
PID:2656 -
\??\c:\lxrfxrl.exec:\lxrfxrl.exe25⤵
- Executes dropped EXE
PID:1704 -
\??\c:\1pdvj.exec:\1pdvj.exe26⤵
- Executes dropped EXE
PID:2172 -
\??\c:\ffxxxxx.exec:\ffxxxxx.exe27⤵
- Executes dropped EXE
PID:1148 -
\??\c:\djpdp.exec:\djpdp.exe28⤵
- Executes dropped EXE
PID:4316 -
\??\c:\9lrlfrl.exec:\9lrlfrl.exe29⤵
- Executes dropped EXE
PID:3928 -
\??\c:\ddjdv.exec:\ddjdv.exe30⤵
- Executes dropped EXE
PID:4156 -
\??\c:\xrxrflf.exec:\xrxrflf.exe31⤵
- Executes dropped EXE
PID:2104 -
\??\c:\1btnhh.exec:\1btnhh.exe32⤵
- Executes dropped EXE
PID:2776 -
\??\c:\dvpjd.exec:\dvpjd.exe33⤵
- Executes dropped EXE
PID:1072 -
\??\c:\vpjdv.exec:\vpjdv.exe34⤵
- Executes dropped EXE
PID:1556 -
\??\c:\9fxlfrf.exec:\9fxlfrf.exe35⤵
- Executes dropped EXE
PID:2984 -
\??\c:\dpjvp.exec:\dpjvp.exe36⤵
- Executes dropped EXE
PID:2372 -
\??\c:\flxxxxx.exec:\flxxxxx.exe37⤵
- Executes dropped EXE
PID:768 -
\??\c:\hnbbnn.exec:\hnbbnn.exe38⤵
- Executes dropped EXE
PID:1628 -
\??\c:\dvvvv.exec:\dvvvv.exe39⤵
- Executes dropped EXE
PID:1840 -
\??\c:\xrxrllf.exec:\xrxrllf.exe40⤵
- Executes dropped EXE
PID:3548 -
\??\c:\thhtnb.exec:\thhtnb.exe41⤵
- Executes dropped EXE
PID:3284 -
\??\c:\dpdvv.exec:\dpdvv.exe42⤵
- Executes dropped EXE
PID:1436 -
\??\c:\7rlxlfx.exec:\7rlxlfx.exe43⤵
- Executes dropped EXE
PID:4788 -
\??\c:\frxrllf.exec:\frxrllf.exe44⤵
- Executes dropped EXE
PID:4340 -
\??\c:\bthtnh.exec:\bthtnh.exe45⤵
- Executes dropped EXE
PID:4568 -
\??\c:\dpjdv.exec:\dpjdv.exe46⤵
- Executes dropped EXE
PID:2460 -
\??\c:\llllrff.exec:\llllrff.exe47⤵
- Executes dropped EXE
PID:4892 -
\??\c:\tnthtn.exec:\tnthtn.exe48⤵
- Executes dropped EXE
PID:1544 -
\??\c:\9hbthh.exec:\9hbthh.exe49⤵
- Executes dropped EXE
PID:3752 -
\??\c:\vdvpj.exec:\vdvpj.exe50⤵
- Executes dropped EXE
PID:3204 -
\??\c:\hnnnbb.exec:\hnnnbb.exe51⤵
- Executes dropped EXE
PID:4428 -
\??\c:\jddvj.exec:\jddvj.exe52⤵
- Executes dropped EXE
PID:4740 -
\??\c:\7flfllr.exec:\7flfllr.exe53⤵
- Executes dropped EXE
PID:3424 -
\??\c:\flxrfxr.exec:\flxrfxr.exe54⤵
- Executes dropped EXE
PID:4040 -
\??\c:\9bnhnn.exec:\9bnhnn.exe55⤵
- Executes dropped EXE
PID:5108 -
\??\c:\jddvp.exec:\jddvp.exe56⤵
- Executes dropped EXE
PID:1412 -
\??\c:\frfrxxx.exec:\frfrxxx.exe57⤵
- Executes dropped EXE
PID:1532 -
\??\c:\btnnhn.exec:\btnnhn.exe58⤵
- Executes dropped EXE
PID:2944 -
\??\c:\hthnbb.exec:\hthnbb.exe59⤵
- Executes dropped EXE
PID:2624 -
\??\c:\5vjvj.exec:\5vjvj.exe60⤵
- Executes dropped EXE
PID:4224 -
\??\c:\rrlxrrf.exec:\rrlxrrf.exe61⤵
- Executes dropped EXE
PID:1348 -
\??\c:\hhtnnn.exec:\hhtnnn.exe62⤵
- Executes dropped EXE
PID:452 -
\??\c:\bbtnhh.exec:\bbtnhh.exe63⤵
- Executes dropped EXE
PID:3696 -
\??\c:\vjjjd.exec:\vjjjd.exe64⤵
- Executes dropped EXE
PID:4824 -
\??\c:\frrxfxx.exec:\frrxfxx.exe65⤵
- Executes dropped EXE
PID:1464 -
\??\c:\bbbttt.exec:\bbbttt.exe66⤵PID:2108
-
\??\c:\jvpvp.exec:\jvpvp.exe67⤵PID:436
-
\??\c:\7rrlflf.exec:\7rrlflf.exe68⤵PID:2364
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe69⤵PID:2956
-
\??\c:\bhhbhb.exec:\bhhbhb.exe70⤵PID:780
-
\??\c:\vvvpp.exec:\vvvpp.exe71⤵PID:2088
-
\??\c:\rxxrlrl.exec:\rxxrlrl.exe72⤵PID:4312
-
\??\c:\jjvdj.exec:\jjvdj.exe73⤵PID:4924
-
\??\c:\dvvvp.exec:\dvvvp.exe74⤵PID:4200
-
\??\c:\7rlfxxr.exec:\7rlfxxr.exe75⤵PID:4864
-
\??\c:\3llllll.exec:\3llllll.exe76⤵PID:2160
-
\??\c:\1thhbt.exec:\1thhbt.exe77⤵PID:2300
-
\??\c:\jjppd.exec:\jjppd.exe78⤵PID:1332
-
\??\c:\lflfxrl.exec:\lflfxrl.exe79⤵PID:2728
-
\??\c:\bhntnh.exec:\bhntnh.exe80⤵PID:4960
-
\??\c:\dvvpj.exec:\dvvpj.exe81⤵PID:1744
-
\??\c:\xrrlfrl.exec:\xrrlfrl.exe82⤵PID:3812
-
\??\c:\xfrlllf.exec:\xfrlllf.exe83⤵PID:2896
-
\??\c:\bbttth.exec:\bbttth.exe84⤵PID:2516
-
\??\c:\ddjjp.exec:\ddjjp.exe85⤵PID:4988
-
\??\c:\fxxlfff.exec:\fxxlfff.exe86⤵PID:2444
-
\??\c:\hbbtnn.exec:\hbbtnn.exe87⤵PID:3096
-
\??\c:\tnbhht.exec:\tnbhht.exe88⤵PID:3220
-
\??\c:\pjjdp.exec:\pjjdp.exe89⤵PID:2936
-
\??\c:\lxfrllx.exec:\lxfrllx.exe90⤵PID:4952
-
\??\c:\tthhnb.exec:\tthhnb.exe91⤵PID:3624
-
\??\c:\hntnhb.exec:\hntnhb.exe92⤵PID:3112
-
\??\c:\vjvvp.exec:\vjvvp.exe93⤵PID:1832
-
\??\c:\lxxxfff.exec:\lxxxfff.exe94⤵PID:3368
-
\??\c:\tbbbhn.exec:\tbbbhn.exe95⤵PID:2420
-
\??\c:\3jjdv.exec:\3jjdv.exe96⤵PID:380
-
\??\c:\lfxrlrl.exec:\lfxrlrl.exe97⤵PID:4436
-
\??\c:\rfllfff.exec:\rfllfff.exe98⤵PID:3408
-
\??\c:\1ntnhh.exec:\1ntnhh.exe99⤵PID:3872
-
\??\c:\nnhbtb.exec:\nnhbtb.exe100⤵PID:3596
-
\??\c:\vpvpp.exec:\vpvpp.exe101⤵PID:3084
-
\??\c:\9lrfrlf.exec:\9lrfrlf.exe102⤵PID:3952
-
\??\c:\thhtnb.exec:\thhtnb.exe103⤵PID:5044
-
\??\c:\nhhthh.exec:\nhhthh.exe104⤵
- System Location Discovery: System Language Discovery
PID:2848 -
\??\c:\rlflxrl.exec:\rlflxrl.exe105⤵PID:4948
-
\??\c:\7bthtt.exec:\7bthtt.exe106⤵PID:4736
-
\??\c:\nbhbtt.exec:\nbhbtt.exe107⤵PID:1840
-
\??\c:\pjvvj.exec:\pjvvj.exe108⤵PID:1872
-
\??\c:\xffrfrf.exec:\xffrfrf.exe109⤵PID:3056
-
\??\c:\hnbtth.exec:\hnbtth.exe110⤵PID:5048
-
\??\c:\jjjdv.exec:\jjjdv.exe111⤵PID:4196
-
\??\c:\xlrrlll.exec:\xlrrlll.exe112⤵PID:3476
-
\??\c:\hnbtnh.exec:\hnbtnh.exe113⤵PID:4464
-
\??\c:\tntnhh.exec:\tntnhh.exe114⤵PID:2288
-
\??\c:\pvjvp.exec:\pvjvp.exe115⤵PID:1016
-
\??\c:\3rlfrrf.exec:\3rlfrrf.exe116⤵PID:3868
-
\??\c:\ntbtnn.exec:\ntbtnn.exe117⤵PID:2784
-
\??\c:\vvpvv.exec:\vvpvv.exe118⤵PID:4420
-
\??\c:\djjdj.exec:\djjdj.exe119⤵PID:3308
-
\??\c:\rrlfffr.exec:\rrlfffr.exe120⤵PID:2268
-
\??\c:\9ttnbb.exec:\9ttnbb.exe121⤵PID:652
-
\??\c:\jjpdv.exec:\jjpdv.exe122⤵PID:4180