Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 17:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cf5801eea0161cb9c708de6c44e76e4c685fc27a9a2da7a87839ecb3a9760e10N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
cf5801eea0161cb9c708de6c44e76e4c685fc27a9a2da7a87839ecb3a9760e10N.exe
-
Size
454KB
-
MD5
fb3ecb77ac1b70d896546195ab3982f0
-
SHA1
fc4a1902eda9da4b0c090f3286c063f1dd77a168
-
SHA256
cf5801eea0161cb9c708de6c44e76e4c685fc27a9a2da7a87839ecb3a9760e10
-
SHA512
4e13782d007af3225c804efe43be513ecede86ade354a21b174250b930c3e5420c53ae9cdbf6948e0986b72a16c0c46d4ba331a1c98114ce702fb6ce765df0c4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4260-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3288-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1136-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-795-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-1048-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3572 pjpjj.exe 3520 frfxrrl.exe 1572 djjvd.exe 800 hbtntb.exe 3536 fxfffrr.exe 4556 5xlllrl.exe 4972 tntbbt.exe 4608 lfffrlf.exe 2964 rfrfxlf.exe 1476 nhtttt.exe 3908 djvpp.exe 4136 rrxxxff.exe 4432 tbbntb.exe 2228 fxllrrx.exe 4756 nhbbht.exe 4160 bbtttt.exe 2316 5pjdd.exe 3856 bbbthh.exe 4340 pjvjp.exe 4048 rrffflr.exe 1596 xlllrxx.exe 1868 nnbhhb.exe 2348 bbbhhn.exe 2940 jjvdp.exe 3364 rllllrx.exe 1592 ddjjp.exe 3408 rxflrxf.exe 904 dpjjv.exe 3080 bntbhn.exe 4108 ddvvp.exe 3288 jjjjj.exe 2712 bhthtb.exe 2564 vvdvp.exe 4220 tttnnt.exe 1896 dpddp.exe 1580 rfllllf.exe 4124 bttnhn.exe 1676 bnbbtb.exe 4720 ddpjv.exe 2872 xxfffff.exe 1036 bttnhh.exe 3920 hhhbnb.exe 4932 rlllllf.exe 2460 ttbbnn.exe 2072 nhnhhh.exe 32 rrrrrff.exe 3440 fllllll.exe 4424 bhttnt.exe 1916 pjjdp.exe 4352 lflfxrl.exe 4260 ppdvp.exe 3680 xflrxfl.exe 2600 btttth.exe 5112 rxllrrx.exe 4528 fffxxrl.exe 1256 tntnnn.exe 3860 dppjj.exe 5000 rrxrrll.exe 3712 btbbbb.exe 896 ddvdd.exe 2584 ffxfrxx.exe 1932 bbbbnn.exe 3888 pjjjp.exe 4080 xrxfflr.exe -
resource yara_rule behavioral2/memory/4260-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-182-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2712-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-364-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1656-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-886-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrffrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4260 wrote to memory of 3572 4260 cf5801eea0161cb9c708de6c44e76e4c685fc27a9a2da7a87839ecb3a9760e10N.exe 82 PID 4260 wrote to memory of 3572 4260 cf5801eea0161cb9c708de6c44e76e4c685fc27a9a2da7a87839ecb3a9760e10N.exe 82 PID 4260 wrote to memory of 3572 4260 cf5801eea0161cb9c708de6c44e76e4c685fc27a9a2da7a87839ecb3a9760e10N.exe 82 PID 3572 wrote to memory of 3520 3572 pjpjj.exe 83 PID 3572 wrote to memory of 3520 3572 pjpjj.exe 83 PID 3572 wrote to memory of 3520 3572 pjpjj.exe 83 PID 3520 wrote to memory of 1572 3520 frfxrrl.exe 84 PID 3520 wrote to memory of 1572 3520 frfxrrl.exe 84 PID 3520 wrote to memory of 1572 3520 frfxrrl.exe 84 PID 1572 wrote to memory of 800 1572 djjvd.exe 85 PID 1572 wrote to memory of 800 1572 djjvd.exe 85 PID 1572 wrote to memory of 800 1572 djjvd.exe 85 PID 800 wrote to memory of 3536 800 hbtntb.exe 86 PID 800 wrote to memory of 3536 800 hbtntb.exe 86 PID 800 wrote to memory of 3536 800 hbtntb.exe 86 PID 3536 wrote to memory of 4556 3536 fxfffrr.exe 87 PID 3536 wrote to memory of 4556 3536 fxfffrr.exe 87 PID 3536 wrote to memory of 4556 3536 fxfffrr.exe 87 PID 4556 wrote to memory of 4972 4556 5xlllrl.exe 88 PID 4556 wrote to memory of 4972 4556 5xlllrl.exe 88 PID 4556 wrote to memory of 4972 4556 5xlllrl.exe 88 PID 4972 wrote to memory of 4608 4972 tntbbt.exe 89 PID 4972 wrote to memory of 4608 4972 tntbbt.exe 89 PID 4972 wrote to memory of 4608 4972 tntbbt.exe 89 PID 4608 wrote to memory of 2964 4608 lfffrlf.exe 90 PID 4608 wrote to memory of 2964 4608 lfffrlf.exe 90 PID 4608 wrote to memory of 2964 4608 lfffrlf.exe 90 PID 2964 wrote to memory of 1476 2964 rfrfxlf.exe 91 PID 2964 wrote to memory of 1476 2964 rfrfxlf.exe 91 PID 2964 wrote to memory of 1476 2964 rfrfxlf.exe 91 PID 1476 wrote to memory of 3908 1476 nhtttt.exe 92 PID 1476 wrote to memory of 3908 1476 nhtttt.exe 92 PID 1476 wrote to memory of 3908 1476 nhtttt.exe 92 PID 3908 wrote to memory of 4136 3908 djvpp.exe 93 PID 3908 wrote to 
memory of 4136 3908 djvpp.exe 93 PID 3908 wrote to memory of 4136 3908 djvpp.exe 93 PID 4136 wrote to memory of 4432 4136 rrxxxff.exe 94 PID 4136 wrote to memory of 4432 4136 rrxxxff.exe 94 PID 4136 wrote to memory of 4432 4136 rrxxxff.exe 94 PID 4432 wrote to memory of 2228 4432 tbbntb.exe 95 PID 4432 wrote to memory of 2228 4432 tbbntb.exe 95 PID 4432 wrote to memory of 2228 4432 tbbntb.exe 95 PID 2228 wrote to memory of 4756 2228 fxllrrx.exe 96 PID 2228 wrote to memory of 4756 2228 fxllrrx.exe 96 PID 2228 wrote to memory of 4756 2228 fxllrrx.exe 96 PID 4756 wrote to memory of 4160 4756 nhbbht.exe 97 PID 4756 wrote to memory of 4160 4756 nhbbht.exe 97 PID 4756 wrote to memory of 4160 4756 nhbbht.exe 97 PID 4160 wrote to memory of 2316 4160 bbtttt.exe 98 PID 4160 wrote to memory of 2316 4160 bbtttt.exe 98 PID 4160 wrote to memory of 2316 4160 bbtttt.exe 98 PID 2316 wrote to memory of 3856 2316 5pjdd.exe 99 PID 2316 wrote to memory of 3856 2316 5pjdd.exe 99 PID 2316 wrote to memory of 3856 2316 5pjdd.exe 99 PID 3856 wrote to memory of 4340 3856 bbbthh.exe 100 PID 3856 wrote to memory of 4340 3856 bbbthh.exe 100 PID 3856 wrote to memory of 4340 3856 bbbthh.exe 100 PID 4340 wrote to memory of 4048 4340 pjvjp.exe 101 PID 4340 wrote to memory of 4048 4340 pjvjp.exe 101 PID 4340 wrote to memory of 4048 4340 pjvjp.exe 101 PID 4048 wrote to memory of 1596 4048 rrffflr.exe 102 PID 4048 wrote to memory of 1596 4048 rrffflr.exe 102 PID 4048 wrote to memory of 1596 4048 rrffflr.exe 102 PID 1596 wrote to memory of 1868 1596 xlllrxx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf5801eea0161cb9c708de6c44e76e4c685fc27a9a2da7a87839ecb3a9760e10N.exe"C:\Users\Admin\AppData\Local\Temp\cf5801eea0161cb9c708de6c44e76e4c685fc27a9a2da7a87839ecb3a9760e10N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\pjpjj.exec:\pjpjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\frfxrrl.exec:\frfxrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\djjvd.exec:\djjvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\hbtntb.exec:\hbtntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\fxfffrr.exec:\fxfffrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\5xlllrl.exec:\5xlllrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\tntbbt.exec:\tntbbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\lfffrlf.exec:\lfffrlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\rfrfxlf.exec:\rfrfxlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\nhtttt.exec:\nhtttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\djvpp.exec:\djvpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
\??\c:\rrxxxff.exec:\rrxxxff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\tbbntb.exec:\tbbntb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\fxllrrx.exec:\fxllrrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\nhbbht.exec:\nhbbht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\bbtttt.exec:\bbtttt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\5pjdd.exec:\5pjdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\bbbthh.exec:\bbbthh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\pjvjp.exec:\pjvjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\rrffflr.exec:\rrffflr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\xlllrxx.exec:\xlllrxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\nnbhhb.exec:\nnbhhb.exe23⤵
- Executes dropped EXE
PID:1868 -
\??\c:\bbbhhn.exec:\bbbhhn.exe24⤵
- Executes dropped EXE
PID:2348 -
\??\c:\jjvdp.exec:\jjvdp.exe25⤵
- Executes dropped EXE
PID:2940 -
\??\c:\rllllrx.exec:\rllllrx.exe26⤵
- Executes dropped EXE
PID:3364 -
\??\c:\ddjjp.exec:\ddjjp.exe27⤵
- Executes dropped EXE
PID:1592 -
\??\c:\rxflrxf.exec:\rxflrxf.exe28⤵
- Executes dropped EXE
PID:3408 -
\??\c:\dpjjv.exec:\dpjjv.exe29⤵
- Executes dropped EXE
PID:904 -
\??\c:\bntbhn.exec:\bntbhn.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3080 -
\??\c:\ddvvp.exec:\ddvvp.exe31⤵
- Executes dropped EXE
PID:4108 -
\??\c:\jjjjj.exec:\jjjjj.exe32⤵
- Executes dropped EXE
PID:3288 -
\??\c:\bhthtb.exec:\bhthtb.exe33⤵
- Executes dropped EXE
PID:2712 -
\??\c:\vvdvp.exec:\vvdvp.exe34⤵
- Executes dropped EXE
PID:2564 -
\??\c:\tttnnt.exec:\tttnnt.exe35⤵
- Executes dropped EXE
PID:4220 -
\??\c:\dpddp.exec:\dpddp.exe36⤵
- Executes dropped EXE
PID:1896 -
\??\c:\rfllllf.exec:\rfllllf.exe37⤵
- Executes dropped EXE
PID:1580 -
\??\c:\bttnhn.exec:\bttnhn.exe38⤵
- Executes dropped EXE
PID:4124 -
\??\c:\bnbbtb.exec:\bnbbtb.exe39⤵
- Executes dropped EXE
PID:1676 -
\??\c:\ddpjv.exec:\ddpjv.exe40⤵
- Executes dropped EXE
PID:4720 -
\??\c:\xxfffff.exec:\xxfffff.exe41⤵
- Executes dropped EXE
PID:2872 -
\??\c:\bttnhh.exec:\bttnhh.exe42⤵
- Executes dropped EXE
PID:1036 -
\??\c:\hhhbnb.exec:\hhhbnb.exe43⤵
- Executes dropped EXE
PID:3920 -
\??\c:\rlllllf.exec:\rlllllf.exe44⤵
- Executes dropped EXE
PID:4932 -
\??\c:\ttbbnn.exec:\ttbbnn.exe45⤵
- Executes dropped EXE
PID:2460 -
\??\c:\nhnhhh.exec:\nhnhhh.exe46⤵
- Executes dropped EXE
PID:2072 -
\??\c:\rrrrrff.exec:\rrrrrff.exe47⤵
- Executes dropped EXE
PID:32 -
\??\c:\fllllll.exec:\fllllll.exe48⤵
- Executes dropped EXE
PID:3440 -
\??\c:\bhttnt.exec:\bhttnt.exe49⤵
- Executes dropped EXE
PID:4424 -
\??\c:\pjjdp.exec:\pjjdp.exe50⤵
- Executes dropped EXE
PID:1916 -
\??\c:\lflfxrl.exec:\lflfxrl.exe51⤵
- Executes dropped EXE
PID:4352 -
\??\c:\bbnbbn.exec:\bbnbbn.exe52⤵PID:4368
-
\??\c:\ppdvp.exec:\ppdvp.exe53⤵
- Executes dropped EXE
PID:4260 -
\??\c:\xflrxfl.exec:\xflrxfl.exe54⤵
- Executes dropped EXE
PID:3680 -
\??\c:\btttth.exec:\btttth.exe55⤵
- Executes dropped EXE
PID:2600 -
\??\c:\rxllrrx.exec:\rxllrrx.exe56⤵
- Executes dropped EXE
PID:5112 -
\??\c:\fffxxrl.exec:\fffxxrl.exe57⤵
- Executes dropped EXE
PID:4528 -
\??\c:\tntnnn.exec:\tntnnn.exe58⤵
- Executes dropped EXE
PID:1256 -
\??\c:\dppjj.exec:\dppjj.exe59⤵
- Executes dropped EXE
PID:3860 -
\??\c:\rrxrrll.exec:\rrxrrll.exe60⤵
- Executes dropped EXE
PID:5000 -
\??\c:\btbbbb.exec:\btbbbb.exe61⤵
- Executes dropped EXE
PID:3712 -
\??\c:\ddvdd.exec:\ddvdd.exe62⤵
- Executes dropped EXE
PID:896 -
\??\c:\ffxfrxx.exec:\ffxfrxx.exe63⤵
- Executes dropped EXE
PID:2584 -
\??\c:\bbbbnn.exec:\bbbbnn.exe64⤵
- Executes dropped EXE
PID:1932 -
\??\c:\pjjjp.exec:\pjjjp.exe65⤵
- Executes dropped EXE
PID:3888 -
\??\c:\xrxfflr.exec:\xrxfflr.exe66⤵
- Executes dropped EXE
PID:4080 -
\??\c:\rxxxrrf.exec:\rxxxrrf.exe67⤵PID:2376
-
\??\c:\ntbhnt.exec:\ntbhnt.exe68⤵PID:1776
-
\??\c:\vpdjj.exec:\vpdjj.exe69⤵PID:2248
-
\??\c:\lrxffll.exec:\lrxffll.exe70⤵PID:2324
-
\??\c:\bhnthb.exec:\bhnthb.exe71⤵PID:2396
-
\??\c:\pvvvp.exec:\pvvvp.exe72⤵PID:4936
-
\??\c:\xxlllrr.exec:\xxlllrr.exe73⤵PID:4320
-
\??\c:\bbbbnt.exec:\bbbbnt.exe74⤵PID:2228
-
\??\c:\9jvvv.exec:\9jvvv.exe75⤵PID:996
-
\??\c:\lrrlrll.exec:\lrrlrll.exe76⤵PID:3988
-
\??\c:\bhttbh.exec:\bhttbh.exe77⤵PID:1136
-
\??\c:\vpjdj.exec:\vpjdj.exe78⤵PID:680
-
\??\c:\lfxxflr.exec:\lfxxflr.exe79⤵PID:3740
-
\??\c:\nbtbnh.exec:\nbtbnh.exe80⤵PID:4180
-
\??\c:\djvjv.exec:\djvjv.exe81⤵PID:1828
-
\??\c:\xxfflrx.exec:\xxfflrx.exe82⤵PID:3956
-
\??\c:\7ntttb.exec:\7ntttb.exe83⤵PID:4724
-
\??\c:\hbnhhh.exec:\hbnhhh.exe84⤵PID:3940
-
\??\c:\pvvjp.exec:\pvvjp.exe85⤵PID:2348
-
\??\c:\rrffllr.exec:\rrffllr.exe86⤵PID:2224
-
\??\c:\hbnntb.exec:\hbnntb.exe87⤵PID:1656
-
\??\c:\5jjdp.exec:\5jjdp.exe88⤵PID:4504
-
\??\c:\rrxxxfl.exec:\rrxxxfl.exe89⤵PID:2552
-
\??\c:\hnbnhn.exec:\hnbnhn.exe90⤵PID:1552
-
\??\c:\bnhnnb.exec:\bnhnnb.exe91⤵PID:5068
-
\??\c:\dpddp.exec:\dpddp.exe92⤵PID:3696
-
\??\c:\fxfrfll.exec:\fxfrfll.exe93⤵PID:2180
-
\??\c:\tbbbtb.exec:\tbbbtb.exe94⤵PID:4464
-
\??\c:\pjdjv.exec:\pjdjv.exe95⤵PID:3164
-
\??\c:\rxrrrlr.exec:\rxrrrlr.exe96⤵PID:2304
-
\??\c:\hhhbhn.exec:\hhhbhn.exe97⤵PID:1832
-
\??\c:\3nnttb.exec:\3nnttb.exe98⤵PID:4012
-
\??\c:\dppjj.exec:\dppjj.exe99⤵PID:4420
-
\??\c:\xxrllrx.exec:\xxrllrx.exe100⤵PID:4788
-
\??\c:\xxxxxff.exec:\xxxxxff.exe101⤵PID:1364
-
\??\c:\tnbbtb.exec:\tnbbtb.exe102⤵PID:1956
-
\??\c:\jvjjp.exec:\jvjjp.exe103⤵PID:4124
-
\??\c:\flxxllr.exec:\flxxllr.exe104⤵PID:1676
-
\??\c:\bhbbhh.exec:\bhbbhh.exe105⤵PID:4760
-
\??\c:\jpvdj.exec:\jpvdj.exe106⤵PID:2356
-
\??\c:\dpjjd.exec:\dpjjd.exe107⤵PID:3068
-
\??\c:\rlrxfrx.exec:\rlrxfrx.exe108⤵PID:3064
-
\??\c:\hhbhnb.exec:\hhbhnb.exe109⤵PID:4932
-
\??\c:\jjjjp.exec:\jjjjp.exe110⤵PID:4020
-
\??\c:\9lffrxl.exec:\9lffrxl.exe111⤵PID:2072
-
\??\c:\lfrllrx.exec:\lfrllrx.exe112⤵PID:3944
-
\??\c:\tnnntb.exec:\tnnntb.exe113⤵PID:4568
-
\??\c:\ppvjj.exec:\ppvjj.exe114⤵PID:2340
-
\??\c:\rfxxfll.exec:\rfxxfll.exe115⤵PID:4392
-
\??\c:\lfrrrxr.exec:\lfrrrxr.exe116⤵PID:4352
-
\??\c:\ppppj.exec:\ppppj.exe117⤵PID:4492
-
\??\c:\vpppv.exec:\vpppv.exe118⤵PID:4260
-
\??\c:\tbbhhn.exec:\tbbhhn.exe119⤵PID:624
-
\??\c:\dvpjd.exec:\dvpjd.exe120⤵PID:2600
-
\??\c:\ddppj.exec:\ddppj.exe121⤵PID:1572
-
\??\c:\xxfllrr.exec:\xxfllrr.exe122⤵PID:800