Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
11-01-2025 06:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe
-
Size
456KB
-
MD5
75ecf0f1e5b5e84fd0676e4a3ce49ae7
-
SHA1
adca04000e1f81a2cf9c2f3151749e272716ead3
-
SHA256
cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c
-
SHA512
16b1931a0aa94d411c637cd95b911b5ccb9c36269181fdfec325fec439a9590d97013d913dd33d3a443d0fc34ca8ecd8b0d95a19368ec05df376912bffe6302d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1256-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1996-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/792-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3768-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-1213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-1268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-1299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-1804-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1972 tntbtn.exe 2688 1jjdv.exe 3360 1rlfffx.exe 2344 nbhhht.exe 2604 jvjjd.exe 4572 pjppp.exe 2324 hnbtbt.exe 4180 jddvp.exe 1716 rlflxrf.exe 5016 5ffxrff.exe 2904 vpjdv.exe 4288 9lxrrff.exe 4916 jvdpp.exe 4196 rlxrlfx.exe 1884 jvdvp.exe 2176 3tbnhh.exe 4356 1vpdp.exe 3036 jdvjd.exe 380 ttnnnn.exe 3524 pdjdd.exe 1012 1lxrlll.exe 1264 vppjd.exe 4696 5jjvp.exe 2072 dvpjp.exe 2708 xrrfrrl.exe 2148 hhnhnn.exe 4120 hthbtn.exe 1996 1jjpd.exe 5072 tbnbtn.exe 3840 jvvjd.exe 3732 btnhhb.exe 3004 1jpjj.exe 4836 lxrrllf.exe 900 pdvpp.exe 3128 3pvpj.exe 2564 fffxrlf.exe 1740 btbtnn.exe 4988 dddvp.exe 2360 xfrlfff.exe 4404 thnbbt.exe 3520 dvjdv.exe 4796 vjdpp.exe 332 llrxxxf.exe 792 tnnhbt.exe 4856 dvjdd.exe 4556 rffxrrl.exe 1456 nhhtnh.exe 2036 htttnn.exe 2236 dpdvp.exe 5116 lrfrlfx.exe 4412 nhtttn.exe 4476 7djdp.exe 2792 flrlfxx.exe 3352 lffxrrl.exe 1072 thtnht.exe 3568 vvvvp.exe 2112 xlrfxrx.exe 3588 lrxrrrr.exe 1684 tntntt.exe 2604 vppjd.exe 4884 jdjdv.exe 1056 flfxrrl.exe 2592 nbbnhh.exe 2840 vjpjd.exe -
resource yara_rule behavioral2/memory/1256-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5072-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-353-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4664-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-879-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-883-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfxxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxrrrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1256 wrote to memory of 1972 1256 cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe 82 PID 1256 wrote to memory of 1972 1256 cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe 82 PID 1256 wrote to memory of 1972 1256 cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe 82 PID 1972 wrote to memory of 2688 1972 tntbtn.exe 83 PID 1972 wrote to memory of 2688 1972 tntbtn.exe 83 PID 1972 wrote to memory of 2688 1972 tntbtn.exe 83 PID 2688 wrote to memory of 3360 2688 1jjdv.exe 84 PID 2688 wrote to memory of 3360 2688 1jjdv.exe 84 PID 2688 wrote to memory of 3360 2688 1jjdv.exe 84 PID 3360 wrote to memory of 2344 3360 1rlfffx.exe 85 PID 3360 wrote to memory of 2344 3360 1rlfffx.exe 85 PID 3360 wrote to memory of 2344 3360 1rlfffx.exe 85 PID 2344 wrote to memory of 2604 2344 nbhhht.exe 86 PID 2344 wrote to memory of 2604 2344 nbhhht.exe 86 PID 2344 wrote to memory of 2604 2344 nbhhht.exe 86 PID 2604 wrote to memory of 4572 2604 jvjjd.exe 87 PID 2604 wrote to memory of 4572 2604 jvjjd.exe 87 PID 2604 wrote to memory of 4572 2604 jvjjd.exe 87 PID 4572 wrote to memory of 2324 4572 pjppp.exe 88 PID 4572 wrote to memory of 2324 4572 pjppp.exe 88 PID 4572 wrote to memory of 2324 4572 pjppp.exe 88 PID 2324 wrote to memory of 4180 2324 hnbtbt.exe 89 PID 2324 wrote to memory of 4180 2324 hnbtbt.exe 89 PID 2324 wrote to memory of 4180 2324 hnbtbt.exe 89 PID 4180 wrote to memory of 1716 4180 jddvp.exe 90 PID 4180 wrote to memory of 1716 4180 jddvp.exe 90 PID 4180 wrote to memory of 1716 4180 jddvp.exe 90 PID 1716 wrote to memory of 5016 1716 rlflxrf.exe 91 PID 1716 wrote to memory of 5016 1716 rlflxrf.exe 91 PID 1716 wrote to memory of 5016 1716 rlflxrf.exe 91 PID 5016 wrote to memory of 2904 5016 5ffxrff.exe 92 PID 5016 wrote to memory of 2904 5016 5ffxrff.exe 92 PID 5016 wrote to memory of 2904 5016 5ffxrff.exe 92 PID 2904 wrote to memory of 4288 2904 vpjdv.exe 93 PID 2904 wrote to 
memory of 4288 2904 vpjdv.exe 93 PID 2904 wrote to memory of 4288 2904 vpjdv.exe 93 PID 4288 wrote to memory of 4916 4288 9lxrrff.exe 94 PID 4288 wrote to memory of 4916 4288 9lxrrff.exe 94 PID 4288 wrote to memory of 4916 4288 9lxrrff.exe 94 PID 4916 wrote to memory of 4196 4916 jvdpp.exe 95 PID 4916 wrote to memory of 4196 4916 jvdpp.exe 95 PID 4916 wrote to memory of 4196 4916 jvdpp.exe 95 PID 4196 wrote to memory of 1884 4196 rlxrlfx.exe 96 PID 4196 wrote to memory of 1884 4196 rlxrlfx.exe 96 PID 4196 wrote to memory of 1884 4196 rlxrlfx.exe 96 PID 1884 wrote to memory of 2176 1884 jvdvp.exe 97 PID 1884 wrote to memory of 2176 1884 jvdvp.exe 97 PID 1884 wrote to memory of 2176 1884 jvdvp.exe 97 PID 2176 wrote to memory of 4356 2176 3tbnhh.exe 98 PID 2176 wrote to memory of 4356 2176 3tbnhh.exe 98 PID 2176 wrote to memory of 4356 2176 3tbnhh.exe 98 PID 4356 wrote to memory of 3036 4356 1vpdp.exe 99 PID 4356 wrote to memory of 3036 4356 1vpdp.exe 99 PID 4356 wrote to memory of 3036 4356 1vpdp.exe 99 PID 3036 wrote to memory of 380 3036 jdvjd.exe 100 PID 3036 wrote to memory of 380 3036 jdvjd.exe 100 PID 3036 wrote to memory of 380 3036 jdvjd.exe 100 PID 380 wrote to memory of 3524 380 ttnnnn.exe 101 PID 380 wrote to memory of 3524 380 ttnnnn.exe 101 PID 380 wrote to memory of 3524 380 ttnnnn.exe 101 PID 3524 wrote to memory of 1012 3524 pdjdd.exe 102 PID 3524 wrote to memory of 1012 3524 pdjdd.exe 102 PID 3524 wrote to memory of 1012 3524 pdjdd.exe 102 PID 1012 wrote to memory of 1264 1012 1lxrlll.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe"C:\Users\Admin\AppData\Local\Temp\cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\tntbtn.exec:\tntbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\1jjdv.exec:\1jjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\1rlfffx.exec:\1rlfffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\nbhhht.exec:\nbhhht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\jvjjd.exec:\jvjjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\pjppp.exec:\pjppp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\hnbtbt.exec:\hnbtbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\jddvp.exec:\jddvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\rlflxrf.exec:\rlflxrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\5ffxrff.exec:\5ffxrff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\vpjdv.exec:\vpjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\9lxrrff.exec:\9lxrrff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\jvdpp.exec:\jvdpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\rlxrlfx.exec:\rlxrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\jvdvp.exec:\jvdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\3tbnhh.exec:\3tbnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\1vpdp.exec:\1vpdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\jdvjd.exec:\jdvjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\ttnnnn.exec:\ttnnnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\pdjdd.exec:\pdjdd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\1lxrlll.exec:\1lxrlll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\vppjd.exec:\vppjd.exe23⤵
- Executes dropped EXE
PID:1264 -
\??\c:\5jjvp.exec:\5jjvp.exe24⤵
- Executes dropped EXE
PID:4696 -
\??\c:\dvpjp.exec:\dvpjp.exe25⤵
- Executes dropped EXE
PID:2072 -
\??\c:\xrrfrrl.exec:\xrrfrrl.exe26⤵
- Executes dropped EXE
PID:2708 -
\??\c:\hhnhnn.exec:\hhnhnn.exe27⤵
- Executes dropped EXE
PID:2148 -
\??\c:\hthbtn.exec:\hthbtn.exe28⤵
- Executes dropped EXE
PID:4120 -
\??\c:\1jjpd.exec:\1jjpd.exe29⤵
- Executes dropped EXE
PID:1996 -
\??\c:\tbnbtn.exec:\tbnbtn.exe30⤵
- Executes dropped EXE
PID:5072 -
\??\c:\jvvjd.exec:\jvvjd.exe31⤵
- Executes dropped EXE
PID:3840 -
\??\c:\btnhhb.exec:\btnhhb.exe32⤵
- Executes dropped EXE
PID:3732 -
\??\c:\1jpjj.exec:\1jpjj.exe33⤵
- Executes dropped EXE
PID:3004 -
\??\c:\lxrrllf.exec:\lxrrllf.exe34⤵
- Executes dropped EXE
PID:4836 -
\??\c:\pdvpp.exec:\pdvpp.exe35⤵
- Executes dropped EXE
PID:900 -
\??\c:\3pvpj.exec:\3pvpj.exe36⤵
- Executes dropped EXE
PID:3128 -
\??\c:\fffxrlf.exec:\fffxrlf.exe37⤵
- Executes dropped EXE
PID:2564 -
\??\c:\btbtnn.exec:\btbtnn.exe38⤵
- Executes dropped EXE
PID:1740 -
\??\c:\dddvp.exec:\dddvp.exe39⤵
- Executes dropped EXE
PID:4988 -
\??\c:\xfrlfff.exec:\xfrlfff.exe40⤵
- Executes dropped EXE
PID:2360 -
\??\c:\thnbbt.exec:\thnbbt.exe41⤵
- Executes dropped EXE
PID:4404 -
\??\c:\dvjdv.exec:\dvjdv.exe42⤵
- Executes dropped EXE
PID:3520 -
\??\c:\vjdpp.exec:\vjdpp.exe43⤵
- Executes dropped EXE
PID:4796 -
\??\c:\llrxxxf.exec:\llrxxxf.exe44⤵
- Executes dropped EXE
PID:332 -
\??\c:\tnnhbt.exec:\tnnhbt.exe45⤵
- Executes dropped EXE
PID:792 -
\??\c:\dvjdd.exec:\dvjdd.exe46⤵
- Executes dropped EXE
PID:4856 -
\??\c:\rffxrrl.exec:\rffxrrl.exe47⤵
- Executes dropped EXE
PID:4556 -
\??\c:\nhhtnh.exec:\nhhtnh.exe48⤵
- Executes dropped EXE
PID:1456 -
\??\c:\htttnn.exec:\htttnn.exe49⤵
- Executes dropped EXE
PID:2036 -
\??\c:\dpdvp.exec:\dpdvp.exe50⤵
- Executes dropped EXE
PID:2236 -
\??\c:\lrfrlfx.exec:\lrfrlfx.exe51⤵
- Executes dropped EXE
PID:5116 -
\??\c:\nhtttn.exec:\nhtttn.exe52⤵
- Executes dropped EXE
PID:4412 -
\??\c:\7djdp.exec:\7djdp.exe53⤵
- Executes dropped EXE
PID:4476 -
\??\c:\flrlfxx.exec:\flrlfxx.exe54⤵
- Executes dropped EXE
PID:2792 -
\??\c:\lffxrrl.exec:\lffxrrl.exe55⤵
- Executes dropped EXE
PID:3352 -
\??\c:\thtnht.exec:\thtnht.exe56⤵
- Executes dropped EXE
PID:1072 -
\??\c:\vvvvp.exec:\vvvvp.exe57⤵
- Executes dropped EXE
PID:3568 -
\??\c:\xlrfxrx.exec:\xlrfxrx.exe58⤵
- Executes dropped EXE
PID:2112 -
\??\c:\lrxrrrr.exec:\lrxrrrr.exe59⤵
- Executes dropped EXE
PID:3588 -
\??\c:\tntntt.exec:\tntntt.exe60⤵
- Executes dropped EXE
PID:1684 -
\??\c:\vppjd.exec:\vppjd.exe61⤵
- Executes dropped EXE
PID:2604 -
\??\c:\jdjdv.exec:\jdjdv.exe62⤵
- Executes dropped EXE
PID:4884 -
\??\c:\flfxrrl.exec:\flfxrrl.exe63⤵
- Executes dropped EXE
PID:1056 -
\??\c:\nbbnhh.exec:\nbbnhh.exe64⤵
- Executes dropped EXE
PID:2592 -
\??\c:\vjpjd.exec:\vjpjd.exe65⤵
- Executes dropped EXE
PID:2840 -
\??\c:\fxxrlrl.exec:\fxxrlrl.exe66⤵PID:1716
-
\??\c:\9tbtbt.exec:\9tbtbt.exe67⤵PID:1452
-
\??\c:\vvvpp.exec:\vvvpp.exe68⤵PID:2412
-
\??\c:\7frlfxf.exec:\7frlfxf.exe69⤵PID:2568
-
\??\c:\fffllrr.exec:\fffllrr.exe70⤵PID:4724
-
\??\c:\1hhnbb.exec:\1hhnbb.exe71⤵PID:3636
-
\??\c:\pjdvd.exec:\pjdvd.exe72⤵PID:3328
-
\??\c:\pvvvv.exec:\pvvvv.exe73⤵PID:116
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe74⤵PID:4964
-
\??\c:\hbhhnh.exec:\hbhhnh.exe75⤵PID:1552
-
\??\c:\jjjdv.exec:\jjjdv.exe76⤵PID:1628
-
\??\c:\pdjdv.exec:\pdjdv.exe77⤵PID:2308
-
\??\c:\xxfffll.exec:\xxfffll.exe78⤵PID:5060
-
\??\c:\1tnhnn.exec:\1tnhnn.exe79⤵PID:3768
-
\??\c:\jpppj.exec:\jpppj.exe80⤵PID:2884
-
\??\c:\rrrfxxr.exec:\rrrfxxr.exe81⤵PID:3752
-
\??\c:\bhhbtt.exec:\bhhbtt.exe82⤵PID:3188
-
\??\c:\vjdvj.exec:\vjdvj.exe83⤵PID:2200
-
\??\c:\fxrlllf.exec:\fxrlllf.exe84⤵
- System Location Discovery: System Language Discovery
PID:4664 -
\??\c:\3xrlflx.exec:\3xrlflx.exe85⤵PID:2436
-
\??\c:\btbhnn.exec:\btbhnn.exe86⤵PID:4120
-
\??\c:\nhbtnn.exec:\nhbtnn.exe87⤵PID:1704
-
\??\c:\jvpjj.exec:\jvpjj.exe88⤵PID:2836
-
\??\c:\flrlxxr.exec:\flrlxxr.exe89⤵PID:3496
-
\??\c:\1bhtbh.exec:\1bhtbh.exe90⤵PID:3324
-
\??\c:\3hhbtn.exec:\3hhbtn.exe91⤵PID:4728
-
\??\c:\ppjdp.exec:\ppjdp.exe92⤵PID:2468
-
\??\c:\rfrlfxr.exec:\rfrlfxr.exe93⤵PID:1432
-
\??\c:\thtnhh.exec:\thtnhh.exe94⤵PID:4792
-
\??\c:\jddvv.exec:\jddvv.exe95⤵PID:4740
-
\??\c:\lrfxffl.exec:\lrfxffl.exe96⤵PID:224
-
\??\c:\nnbtnn.exec:\nnbtnn.exe97⤵PID:2744
-
\??\c:\5ppjd.exec:\5ppjd.exe98⤵PID:3920
-
\??\c:\lrxlffx.exec:\lrxlffx.exe99⤵PID:4264
-
\??\c:\xrrlffx.exec:\xrrlffx.exe100⤵PID:4844
-
\??\c:\nthbhh.exec:\nthbhh.exe101⤵PID:456
-
\??\c:\1vjdp.exec:\1vjdp.exe102⤵PID:1480
-
\??\c:\ffrrrxr.exec:\ffrrrxr.exe103⤵PID:3800
-
\??\c:\rlrlrrl.exec:\rlrlrrl.exe104⤵PID:4800
-
\??\c:\hnnhbb.exec:\hnnhbb.exe105⤵PID:4856
-
\??\c:\vjjdv.exec:\vjjdv.exe106⤵PID:4312
-
\??\c:\pjdvp.exec:\pjdvp.exe107⤵PID:4532
-
\??\c:\rxlfxxx.exec:\rxlfxxx.exe108⤵PID:3152
-
\??\c:\tnhbtn.exec:\tnhbtn.exe109⤵PID:2576
-
\??\c:\9ppdv.exec:\9ppdv.exe110⤵PID:2096
-
\??\c:\jvdjd.exec:\jvdjd.exe111⤵PID:4276
-
\??\c:\ffrlfxx.exec:\ffrlfxx.exe112⤵PID:4508
-
\??\c:\7ttnhh.exec:\7ttnhh.exe113⤵PID:1972
-
\??\c:\ntnnhh.exec:\ntnnhh.exe114⤵PID:2688
-
\??\c:\dpdjv.exec:\dpdjv.exe115⤵PID:3016
-
\??\c:\xffxrrl.exec:\xffxrrl.exe116⤵PID:1072
-
\??\c:\tbtnnn.exec:\tbtnnn.exe117⤵PID:4976
-
\??\c:\jdvpj.exec:\jdvpj.exe118⤵PID:2112
-
\??\c:\jdvvp.exec:\jdvvp.exe119⤵PID:864
-
\??\c:\lrrlxxr.exec:\lrrlxxr.exe120⤵PID:4104
-
\??\c:\tbnbbn.exec:\tbnbbn.exe121⤵PID:4448
-
\??\c:\dvdvv.exec:\dvdvv.exe122⤵PID:848
-