Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
11-01-2025 06:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe
-
Size
456KB
-
MD5
75ecf0f1e5b5e84fd0676e4a3ce49ae7
-
SHA1
adca04000e1f81a2cf9c2f3151749e272716ead3
-
SHA256
cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c
-
SHA512
16b1931a0aa94d411c637cd95b911b5ccb9c36269181fdfec325fec439a9590d97013d913dd33d3a443d0fc34ca8ecd8b0d95a19368ec05df376912bffe6302d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/1868-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-84-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2344-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/616-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/616-109-0x0000000000270000-0x000000000029A000-memory.dmp family_blackmoon behavioral1/memory/704-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/864-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1364-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-238-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1628-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-240-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2232-246-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/2232-251-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2120-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-369-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2612-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1060-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-408-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1484-406-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1716-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-409-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1252-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-566-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/884-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2972-585-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2064-611-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2592-647-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1564-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1404-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1140-763-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1608-881-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2428-1108-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1780 tntbnn.exe 2200 jjdjv.exe 2628 dpddp.exe 2740 rfrrrxx.exe 2688 jdppj.exe 2784 rlffrxf.exe 2560 3jppp.exe 2476 7jppp.exe 2344 nbntbb.exe 2580 pdppp.exe 616 7nbbtn.exe 1508 djddp.exe 704 3httbn.exe 1500 jvjdd.exe 320 3nbbtn.exe 864 jvjjv.exe 1764 9hbhnt.exe 2860 pvjpd.exe 2420 pjvdd.exe 1316 rxllxrx.exe 1364 hbnbnh.exe 1740 lxrrrrx.exe 912 llxrxrf.exe 1628 frrxffr.exe 2232 9fxrxrf.exe 1588 xlxxllr.exe 1760 ffxxllx.exe 2120 hbnhhh.exe 820 1lffrrx.exe 2168 1bhntt.exe 2908 jdpdj.exe 1992 7frxrxx.exe 2100 jpjdp.exe 3056 7lxrrrl.exe 2212 3lfflrf.exe 2208 9nnhtb.exe 2744 vpdjv.exe 2372 jvjdj.exe 2688 rlxrxxf.exe 2896 hthntt.exe 2724 7btntb.exe 2560 jjjvp.exe 2612 xrxrrrx.exe 1060 fxlflrr.exe 1280 vpvpd.exe 1484 fxlfllx.exe 1716 bthntb.exe 1732 btntnn.exe 1252 5ppvj.exe 552 lrrlrfx.exe 1960 7thhhn.exe 1404 5tbhnn.exe 808 ddpvj.exe 2524 dvjjp.exe 2872 lfxflrf.exe 2624 thnhnh.exe 2096 bnnnbh.exe 2420 5vpvp.exe 828 lxllllr.exe 2060 bbnntb.exe 1364 1hnnhn.exe 900 vpvpp.exe 932 fffrlrx.exe 568 5nbbnn.exe -
resource yara_rule behavioral1/memory/1868-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/616-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/704-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-391-0x00000000003A0000-0x00000000003CA000-memory.dmp upx 
behavioral1/memory/1280-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1060-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-408-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1484-406-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1716-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-585-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1564-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1404-723-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1404-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-1070-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1588-1095-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-1157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-1188-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer the host's geographical location; this is commonly used as a locale check before the payload decides whether to run.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1868 wrote to memory of 1780 1868 cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe 31 PID 1868 wrote to memory of 1780 1868 cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe 31 PID 1868 wrote to memory of 1780 1868 cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe 31 PID 1868 wrote to memory of 1780 1868 cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe 31 PID 1780 wrote to memory of 2200 1780 tntbnn.exe 32 PID 1780 wrote to memory of 2200 1780 tntbnn.exe 32 PID 1780 wrote to memory of 2200 1780 tntbnn.exe 32 PID 1780 wrote to memory of 2200 1780 tntbnn.exe 32 PID 2200 wrote to memory of 2628 2200 jjdjv.exe 33 PID 2200 wrote to memory of 2628 2200 jjdjv.exe 33 PID 2200 wrote to memory of 2628 2200 jjdjv.exe 33 PID 2200 wrote to memory of 2628 2200 jjdjv.exe 33 PID 2628 wrote to memory of 2740 2628 dpddp.exe 34 PID 2628 wrote to memory of 2740 2628 dpddp.exe 34 PID 2628 wrote to memory of 2740 2628 dpddp.exe 34 PID 2628 wrote to memory of 2740 2628 dpddp.exe 34 PID 2740 wrote to memory of 2688 2740 rfrrrxx.exe 35 PID 2740 wrote to memory of 2688 2740 rfrrrxx.exe 35 PID 2740 wrote to memory of 2688 2740 rfrrrxx.exe 35 PID 2740 wrote to memory of 2688 2740 rfrrrxx.exe 35 PID 2688 wrote to memory of 2784 2688 jdppj.exe 36 PID 2688 wrote to memory of 2784 2688 jdppj.exe 36 PID 2688 wrote to memory of 2784 2688 jdppj.exe 36 PID 2688 wrote to memory of 2784 2688 jdppj.exe 36 PID 2784 wrote to memory of 2560 2784 rlffrxf.exe 37 PID 2784 wrote to memory of 2560 2784 rlffrxf.exe 37 PID 2784 wrote to memory of 2560 2784 rlffrxf.exe 37 PID 2784 wrote to memory of 2560 2784 rlffrxf.exe 37 PID 2560 wrote to memory of 2476 2560 3jppp.exe 38 PID 2560 wrote to memory of 2476 2560 3jppp.exe 38 PID 2560 wrote to memory of 2476 2560 3jppp.exe 38 PID 2560 wrote to memory of 2476 2560 3jppp.exe 38 PID 2476 wrote to memory of 2344 2476 7jppp.exe 39 PID 2476 wrote to 
memory of 2344 2476 7jppp.exe 39 PID 2476 wrote to memory of 2344 2476 7jppp.exe 39 PID 2476 wrote to memory of 2344 2476 7jppp.exe 39 PID 2344 wrote to memory of 2580 2344 nbntbb.exe 40 PID 2344 wrote to memory of 2580 2344 nbntbb.exe 40 PID 2344 wrote to memory of 2580 2344 nbntbb.exe 40 PID 2344 wrote to memory of 2580 2344 nbntbb.exe 40 PID 2580 wrote to memory of 616 2580 pdppp.exe 41 PID 2580 wrote to memory of 616 2580 pdppp.exe 41 PID 2580 wrote to memory of 616 2580 pdppp.exe 41 PID 2580 wrote to memory of 616 2580 pdppp.exe 41 PID 616 wrote to memory of 1508 616 7nbbtn.exe 42 PID 616 wrote to memory of 1508 616 7nbbtn.exe 42 PID 616 wrote to memory of 1508 616 7nbbtn.exe 42 PID 616 wrote to memory of 1508 616 7nbbtn.exe 42 PID 1508 wrote to memory of 704 1508 djddp.exe 43 PID 1508 wrote to memory of 704 1508 djddp.exe 43 PID 1508 wrote to memory of 704 1508 djddp.exe 43 PID 1508 wrote to memory of 704 1508 djddp.exe 43 PID 704 wrote to memory of 1500 704 3httbn.exe 44 PID 704 wrote to memory of 1500 704 3httbn.exe 44 PID 704 wrote to memory of 1500 704 3httbn.exe 44 PID 704 wrote to memory of 1500 704 3httbn.exe 44 PID 1500 wrote to memory of 320 1500 jvjdd.exe 45 PID 1500 wrote to memory of 320 1500 jvjdd.exe 45 PID 1500 wrote to memory of 320 1500 jvjdd.exe 45 PID 1500 wrote to memory of 320 1500 jvjdd.exe 45 PID 320 wrote to memory of 864 320 3nbbtn.exe 46 PID 320 wrote to memory of 864 320 3nbbtn.exe 46 PID 320 wrote to memory of 864 320 3nbbtn.exe 46 PID 320 wrote to memory of 864 320 3nbbtn.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe"C:\Users\Admin\AppData\Local\Temp\cf4e40fa9c7f045f3e2116a721dd34a461ffd52b290a15350c29f552d179390c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\tntbnn.exec:\tntbnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\jjdjv.exec:\jjdjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\dpddp.exec:\dpddp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\rfrrrxx.exec:\rfrrrxx.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\jdppj.exec:\jdppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\rlffrxf.exec:\rlffrxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\3jppp.exec:\3jppp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\7jppp.exec:\7jppp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\nbntbb.exec:\nbntbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\pdppp.exec:\pdppp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\7nbbtn.exec:\7nbbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616 -
\??\c:\djddp.exec:\djddp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\3httbn.exec:\3httbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
\??\c:\jvjdd.exec:\jvjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\3nbbtn.exec:\3nbbtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\jvjjv.exec:\jvjjv.exe17⤵
- Executes dropped EXE
PID:864 -
\??\c:\9hbhnt.exec:\9hbhnt.exe18⤵
- Executes dropped EXE
PID:1764 -
\??\c:\pvjpd.exec:\pvjpd.exe19⤵
- Executes dropped EXE
PID:2860 -
\??\c:\pjvdd.exec:\pjvdd.exe20⤵
- Executes dropped EXE
PID:2420 -
\??\c:\rxllxrx.exec:\rxllxrx.exe21⤵
- Executes dropped EXE
PID:1316 -
\??\c:\hbnbnh.exec:\hbnbnh.exe22⤵
- Executes dropped EXE
PID:1364 -
\??\c:\lxrrrrx.exec:\lxrrrrx.exe23⤵
- Executes dropped EXE
PID:1740 -
\??\c:\llxrxrf.exec:\llxrxrf.exe24⤵
- Executes dropped EXE
PID:912 -
\??\c:\frrxffr.exec:\frrxffr.exe25⤵
- Executes dropped EXE
PID:1628 -
\??\c:\9fxrxrf.exec:\9fxrxrf.exe26⤵
- Executes dropped EXE
PID:2232 -
\??\c:\xlxxllr.exec:\xlxxllr.exe27⤵
- Executes dropped EXE
PID:1588 -
\??\c:\ffxxllx.exec:\ffxxllx.exe28⤵
- Executes dropped EXE
PID:1760 -
\??\c:\hbnhhh.exec:\hbnhhh.exe29⤵
- Executes dropped EXE
PID:2120 -
\??\c:\1lffrrx.exec:\1lffrrx.exe30⤵
- Executes dropped EXE
PID:820 -
\??\c:\1bhntt.exec:\1bhntt.exe31⤵
- Executes dropped EXE
PID:2168 -
\??\c:\jdpdj.exec:\jdpdj.exe32⤵
- Executes dropped EXE
PID:2908 -
\??\c:\7frxrxx.exec:\7frxrxx.exe33⤵
- Executes dropped EXE
PID:1992 -
\??\c:\jpjdp.exec:\jpjdp.exe34⤵
- Executes dropped EXE
PID:2100 -
\??\c:\7lxrrrl.exec:\7lxrrrl.exe35⤵
- Executes dropped EXE
PID:3056 -
\??\c:\3lfflrf.exec:\3lfflrf.exe36⤵
- Executes dropped EXE
PID:2212 -
\??\c:\9nnhtb.exec:\9nnhtb.exe37⤵
- Executes dropped EXE
PID:2208 -
\??\c:\vpdjv.exec:\vpdjv.exe38⤵
- Executes dropped EXE
PID:2744 -
\??\c:\jvjdj.exec:\jvjdj.exe39⤵
- Executes dropped EXE
PID:2372 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe40⤵
- Executes dropped EXE
PID:2688 -
\??\c:\hthntt.exec:\hthntt.exe41⤵
- Executes dropped EXE
PID:2896 -
\??\c:\7btntb.exec:\7btntb.exe42⤵
- Executes dropped EXE
PID:2724 -
\??\c:\jjjvp.exec:\jjjvp.exe43⤵
- Executes dropped EXE
PID:2560 -
\??\c:\xrxrrrx.exec:\xrxrrrx.exe44⤵
- Executes dropped EXE
PID:2612 -
\??\c:\fxlflrr.exec:\fxlflrr.exe45⤵
- Executes dropped EXE
PID:1060 -
\??\c:\vpvpd.exec:\vpvpd.exe46⤵
- Executes dropped EXE
PID:1280 -
\??\c:\fxlfllx.exec:\fxlfllx.exe47⤵
- Executes dropped EXE
PID:1484 -
\??\c:\bthntb.exec:\bthntb.exe48⤵
- Executes dropped EXE
PID:1716 -
\??\c:\btntnn.exec:\btntnn.exe49⤵
- Executes dropped EXE
PID:1732 -
\??\c:\5ppvj.exec:\5ppvj.exe50⤵
- Executes dropped EXE
PID:1252 -
\??\c:\lrrlrfx.exec:\lrrlrfx.exe51⤵
- Executes dropped EXE
PID:552 -
\??\c:\7thhhn.exec:\7thhhn.exe52⤵
- Executes dropped EXE
PID:1960 -
\??\c:\5tbhnn.exec:\5tbhnn.exe53⤵
- Executes dropped EXE
PID:1404 -
\??\c:\ddpvj.exec:\ddpvj.exe54⤵
- Executes dropped EXE
PID:808 -
\??\c:\dvjjp.exec:\dvjjp.exe55⤵
- Executes dropped EXE
PID:2524 -
\??\c:\lfxflrf.exec:\lfxflrf.exe56⤵
- Executes dropped EXE
PID:2872 -
\??\c:\thnhnh.exec:\thnhnh.exe57⤵
- Executes dropped EXE
PID:2624 -
\??\c:\bnnnbh.exec:\bnnnbh.exe58⤵
- Executes dropped EXE
PID:2096 -
\??\c:\5vpvp.exec:\5vpvp.exe59⤵
- Executes dropped EXE
PID:2420 -
\??\c:\lxllllr.exec:\lxllllr.exe60⤵
- Executes dropped EXE
PID:828 -
\??\c:\bbnntb.exec:\bbnntb.exe61⤵
- Executes dropped EXE
PID:2060 -
\??\c:\1hnnhn.exec:\1hnnhn.exe62⤵
- Executes dropped EXE
PID:1364 -
\??\c:\vpvpp.exec:\vpvpp.exe63⤵
- Executes dropped EXE
PID:900 -
\??\c:\fffrlrx.exec:\fffrlrx.exe64⤵
- Executes dropped EXE
PID:932 -
\??\c:\5nbbnn.exec:\5nbbnn.exe65⤵
- Executes dropped EXE
PID:568 -
\??\c:\nhbhnn.exec:\nhbhnn.exe66⤵PID:1628
-
\??\c:\vjppp.exec:\vjppp.exe67⤵PID:1456
-
\??\c:\frrrrxx.exec:\frrrrxx.exe68⤵PID:1056
-
\??\c:\xlffllr.exec:\xlffllr.exe69⤵PID:2368
-
\??\c:\bbtbhh.exec:\bbtbhh.exe70⤵PID:2428
-
\??\c:\jppvj.exec:\jppvj.exe71⤵PID:980
-
\??\c:\5flffxf.exec:\5flffxf.exe72⤵PID:2972
-
\??\c:\1lrrxrx.exec:\1lrrxrx.exe73⤵PID:884
-
\??\c:\5btbht.exec:\5btbht.exe74⤵PID:2952
-
\??\c:\jvppd.exec:\jvppd.exe75⤵PID:1784
-
\??\c:\xrxxllr.exec:\xrxxllr.exe76⤵PID:2076
-
\??\c:\fxlllfl.exec:\fxlllfl.exe77⤵PID:1608
-
\??\c:\bntntn.exec:\bntntn.exe78⤵PID:2900
-
\??\c:\1vpjp.exec:\1vpjp.exe79⤵PID:2064
-
\??\c:\lfrxllr.exec:\lfrxllr.exe80⤵PID:2788
-
\??\c:\xrxrxfx.exec:\xrxrxfx.exe81⤵PID:2920
-
\??\c:\thbbhh.exec:\thbbhh.exe82⤵PID:2544
-
\??\c:\vjvjv.exec:\vjvjv.exe83⤵PID:2768
-
\??\c:\xrrlxlr.exec:\xrrlxlr.exe84⤵PID:2784
-
\??\c:\rllxxrx.exec:\rllxxrx.exe85⤵PID:2592
-
\??\c:\9htntt.exec:\9htntt.exe86⤵PID:2548
-
\??\c:\5jdjp.exec:\5jdjp.exe87⤵PID:2348
-
\??\c:\jjpjj.exec:\jjpjj.exe88⤵PID:2344
-
\??\c:\rxfrlff.exec:\rxfrlff.exe89⤵PID:1060
-
\??\c:\bhtntt.exec:\bhtntt.exe90⤵PID:1564
-
\??\c:\dpvdv.exec:\dpvdv.exe91⤵PID:2320
-
\??\c:\fxrfllf.exec:\fxrfllf.exe92⤵PID:2512
-
\??\c:\9fxxxxl.exec:\9fxxxxl.exe93⤵PID:1984
-
\??\c:\nbtthh.exec:\nbtthh.exe94⤵PID:1732
-
\??\c:\nhtthn.exec:\nhtthn.exe95⤵PID:1856
-
\??\c:\dpjjp.exec:\dpjjp.exe96⤵PID:552
-
\??\c:\xlflllr.exec:\xlflllr.exe97⤵PID:1960
-
\??\c:\5xlrxxl.exec:\5xlrxxl.exe98⤵PID:1404
-
\??\c:\tnbntn.exec:\tnbntn.exe99⤵PID:852
-
\??\c:\7dppp.exec:\7dppp.exe100⤵PID:2968
-
\??\c:\jjvjp.exec:\jjvjp.exe101⤵PID:2880
-
\??\c:\1frrrxf.exec:\1frrrxf.exe102⤵PID:2376
-
\??\c:\9xfffxx.exec:\9xfffxx.exe103⤵PID:1140
-
\??\c:\tnbbhn.exec:\tnbbhn.exe104⤵PID:1648
-
\??\c:\1dpjd.exec:\1dpjd.exe105⤵PID:1656
-
\??\c:\5jvvj.exec:\5jvvj.exe106⤵PID:1724
-
\??\c:\3rfxxfl.exec:\3rfxxfl.exe107⤵PID:2836
-
\??\c:\hhttbb.exec:\hhttbb.exe108⤵PID:2712
-
\??\c:\tnhnbt.exec:\tnhnbt.exe109⤵PID:1380
-
\??\c:\vjvvv.exec:\vjvvv.exe110⤵PID:1776
-
\??\c:\llxffxf.exec:\llxffxf.exe111⤵PID:1540
-
\??\c:\7flffxl.exec:\7flffxl.exe112⤵PID:2328
-
\??\c:\bthhtt.exec:\bthhtt.exe113⤵PID:2256
-
\??\c:\jdvpp.exec:\jdvpp.exe114⤵PID:1760
-
\??\c:\dvppv.exec:\dvppv.exe115⤵PID:2072
-
\??\c:\xlfxrrx.exec:\xlfxrrx.exe116⤵PID:2924
-
\??\c:\lfrxffl.exec:\lfrxffl.exe117⤵PID:2964
-
\??\c:\hbhntt.exec:\hbhntt.exe118⤵PID:2248
-
\??\c:\dpddj.exec:\dpddj.exe119⤵
- System Location Discovery: System Language Discovery
PID:1920 -
\??\c:\xrlfllx.exec:\xrlfllx.exe120⤵PID:1532
-
\??\c:\fxlfxxf.exec:\fxlfxxf.exe121⤵PID:1576
-
\??\c:\nbbbtb.exec:\nbbbtb.exe122⤵PID:1608