Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 21:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2fde290448a3b95a3e61387da7d09fde6ac701bcaf19ba4de1f9acf5eea455d6.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
2fde290448a3b95a3e61387da7d09fde6ac701bcaf19ba4de1f9acf5eea455d6.exe
-
Size
454KB
-
MD5
91de9db8849e1cbb5b08f49a2d28acca
-
SHA1
3578e27ab5792b358d9f8a18c7a3e5d24b3987f0
-
SHA256
2fde290448a3b95a3e61387da7d09fde6ac701bcaf19ba4de1f9acf5eea455d6
-
SHA512
32a6b63d8eac9db090fd8a5ccce67ff8f0e9a5caf19b38e489338975d7f2abf13b8c16d9c87ff7f8d13e94df3c31bddde0cb1f9f422194008aa8ee703f7eb9f6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2588-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1728-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4604-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-917-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2928-1014-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2600 1ffxxll.exe 1064 hnnbtn.exe 1884 hnnhbt.exe 2608 vvpdp.exe 3760 pddvp.exe 2208 thhtht.exe 4084 fxxrfxf.exe 3284 1hhbhh.exe 1140 frrfrlf.exe 2260 pvvpj.exe 1588 5ffxrrl.exe 3040 thhtnh.exe 1344 flffxrx.exe 544 thhthb.exe 3500 frxxrrl.exe 228 1hhbnn.exe 3348 9pvpp.exe 1896 fxxrffx.exe 2612 hbhbnn.exe 4820 pjdvj.exe 3352 hbbnhn.exe 4584 djvvp.exe 2984 3pdvv.exe 772 5pvpp.exe 1728 rlrlrll.exe 2076 ppppj.exe 1292 pvdvj.exe 4836 5ppjj.exe 4684 djjvv.exe 3788 lllfrlf.exe 3428 llffxxr.exe 3236 hbnhnh.exe 4824 lrfxlll.exe 5020 7hhbbn.exe 1304 dpdvp.exe 208 lxxrllf.exe 900 5bbttb.exe 2968 jdppd.exe 3136 5vvpv.exe 556 ffllrxx.exe 1708 thtttn.exe 1228 nbntnt.exe 3868 pdjdd.exe 4028 3lxlfxx.exe 4216 httnhh.exe 1608 nnnnhh.exe 3440 pdjdj.exe 1520 flllfxx.exe 4420 tttnhh.exe 4312 nhhbnn.exe 4296 jdjjj.exe 2588 9xfxlxr.exe 2620 bbnhnt.exe 4324 9ddvj.exe 3808 5flfxxx.exe 4164 rrrxxxx.exe 4352 nnbbhh.exe 4664 pdjdd.exe 2616 jdpvv.exe 4872 7rxrffr.exe 1044 nthhbb.exe 4524 9ddpp.exe 2960 rlfxlfx.exe 4688 xrxrrlx.exe -
resource yara_rule behavioral2/memory/2588-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2076-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-374-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2976-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-712-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbttt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfxr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2588 wrote to memory of 2600 2588 2fde290448a3b95a3e61387da7d09fde6ac701bcaf19ba4de1f9acf5eea455d6.exe 82 PID 2588 wrote to memory of 2600 2588 2fde290448a3b95a3e61387da7d09fde6ac701bcaf19ba4de1f9acf5eea455d6.exe 82 PID 2588 wrote to memory of 2600 2588 2fde290448a3b95a3e61387da7d09fde6ac701bcaf19ba4de1f9acf5eea455d6.exe 82 PID 2600 wrote to memory of 1064 2600 1ffxxll.exe 83 PID 2600 wrote to memory of 1064 2600 1ffxxll.exe 83 PID 2600 wrote to memory of 1064 2600 1ffxxll.exe 83 PID 1064 wrote to memory of 1884 1064 hnnbtn.exe 84 PID 1064 wrote to memory of 1884 1064 hnnbtn.exe 84 PID 1064 wrote to memory of 1884 1064 hnnbtn.exe 84 PID 1884 wrote to memory of 2608 1884 hnnhbt.exe 85 PID 1884 wrote to memory of 2608 1884 hnnhbt.exe 85 PID 1884 wrote to memory of 2608 1884 hnnhbt.exe 85 PID 2608 wrote to memory of 3760 2608 vvpdp.exe 86 PID 2608 wrote to memory of 3760 2608 vvpdp.exe 86 PID 2608 wrote to memory of 3760 2608 vvpdp.exe 86 PID 3760 wrote to memory of 2208 3760 pddvp.exe 87 PID 3760 wrote to memory of 2208 3760 pddvp.exe 87 PID 3760 wrote to memory of 2208 3760 pddvp.exe 87 PID 2208 wrote to memory of 4084 2208 thhtht.exe 88 PID 2208 wrote to memory of 4084 2208 thhtht.exe 88 PID 2208 wrote to memory of 4084 2208 thhtht.exe 88 PID 4084 wrote to memory of 3284 4084 fxxrfxf.exe 89 PID 4084 wrote to memory of 3284 4084 fxxrfxf.exe 89 PID 4084 wrote to memory of 3284 4084 fxxrfxf.exe 89 PID 3284 wrote to memory of 1140 3284 1hhbhh.exe 90 PID 3284 wrote to memory of 1140 3284 1hhbhh.exe 90 PID 3284 wrote to memory of 1140 3284 1hhbhh.exe 90 PID 1140 wrote to memory of 2260 1140 frrfrlf.exe 91 PID 1140 wrote to memory of 2260 1140 frrfrlf.exe 91 PID 1140 wrote to memory of 2260 1140 frrfrlf.exe 91 PID 2260 wrote to memory of 1588 2260 pvvpj.exe 92 PID 2260 wrote to memory of 1588 2260 pvvpj.exe 92 PID 2260 wrote to memory of 1588 2260 pvvpj.exe 92 PID 1588 wrote to memory of 3040 1588 5ffxrrl.exe 93 PID 1588 wrote to 
memory of 3040 1588 5ffxrrl.exe 93 PID 1588 wrote to memory of 3040 1588 5ffxrrl.exe 93 PID 3040 wrote to memory of 1344 3040 thhtnh.exe 94 PID 3040 wrote to memory of 1344 3040 thhtnh.exe 94 PID 3040 wrote to memory of 1344 3040 thhtnh.exe 94 PID 1344 wrote to memory of 544 1344 flffxrx.exe 95 PID 1344 wrote to memory of 544 1344 flffxrx.exe 95 PID 1344 wrote to memory of 544 1344 flffxrx.exe 95 PID 544 wrote to memory of 3500 544 thhthb.exe 96 PID 544 wrote to memory of 3500 544 thhthb.exe 96 PID 544 wrote to memory of 3500 544 thhthb.exe 96 PID 3500 wrote to memory of 228 3500 frxxrrl.exe 97 PID 3500 wrote to memory of 228 3500 frxxrrl.exe 97 PID 3500 wrote to memory of 228 3500 frxxrrl.exe 97 PID 228 wrote to memory of 3348 228 1hhbnn.exe 98 PID 228 wrote to memory of 3348 228 1hhbnn.exe 98 PID 228 wrote to memory of 3348 228 1hhbnn.exe 98 PID 3348 wrote to memory of 1896 3348 9pvpp.exe 99 PID 3348 wrote to memory of 1896 3348 9pvpp.exe 99 PID 3348 wrote to memory of 1896 3348 9pvpp.exe 99 PID 1896 wrote to memory of 2612 1896 fxxrffx.exe 100 PID 1896 wrote to memory of 2612 1896 fxxrffx.exe 100 PID 1896 wrote to memory of 2612 1896 fxxrffx.exe 100 PID 2612 wrote to memory of 4820 2612 hbhbnn.exe 101 PID 2612 wrote to memory of 4820 2612 hbhbnn.exe 101 PID 2612 wrote to memory of 4820 2612 hbhbnn.exe 101 PID 4820 wrote to memory of 3352 4820 pjdvj.exe 102 PID 4820 wrote to memory of 3352 4820 pjdvj.exe 102 PID 4820 wrote to memory of 3352 4820 pjdvj.exe 102 PID 3352 wrote to memory of 4584 3352 hbbnhn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fde290448a3b95a3e61387da7d09fde6ac701bcaf19ba4de1f9acf5eea455d6.exe"C:\Users\Admin\AppData\Local\Temp\2fde290448a3b95a3e61387da7d09fde6ac701bcaf19ba4de1f9acf5eea455d6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\1ffxxll.exec:\1ffxxll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\hnnbtn.exec:\hnnbtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\hnnhbt.exec:\hnnhbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\vvpdp.exec:\vvpdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\pddvp.exec:\pddvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\thhtht.exec:\thhtht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\fxxrfxf.exec:\fxxrfxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\1hhbhh.exec:\1hhbhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\frrfrlf.exec:\frrfrlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\pvvpj.exec:\pvvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\5ffxrrl.exec:\5ffxrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\thhtnh.exec:\thhtnh.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\flffxrx.exec:\flffxrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\thhthb.exec:\thhthb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\frxxrrl.exec:\frxxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\1hhbnn.exec:\1hhbnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\9pvpp.exec:\9pvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\fxxrffx.exec:\fxxrffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\hbhbnn.exec:\hbhbnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\pjdvj.exec:\pjdvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\hbbnhn.exec:\hbbnhn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\djvvp.exec:\djvvp.exe23⤵
- Executes dropped EXE
PID:4584 -
\??\c:\3pdvv.exec:\3pdvv.exe24⤵
- Executes dropped EXE
PID:2984 -
\??\c:\5pvpp.exec:\5pvpp.exe25⤵
- Executes dropped EXE
PID:772 -
\??\c:\rlrlrll.exec:\rlrlrll.exe26⤵
- Executes dropped EXE
PID:1728 -
\??\c:\ppppj.exec:\ppppj.exe27⤵
- Executes dropped EXE
PID:2076 -
\??\c:\pvdvj.exec:\pvdvj.exe28⤵
- Executes dropped EXE
PID:1292 -
\??\c:\5ppjj.exec:\5ppjj.exe29⤵
- Executes dropped EXE
PID:4836 -
\??\c:\djjvv.exec:\djjvv.exe30⤵
- Executes dropped EXE
PID:4684 -
\??\c:\lllfrlf.exec:\lllfrlf.exe31⤵
- Executes dropped EXE
PID:3788 -
\??\c:\llffxxr.exec:\llffxxr.exe32⤵
- Executes dropped EXE
PID:3428 -
\??\c:\hbnhnh.exec:\hbnhnh.exe33⤵
- Executes dropped EXE
PID:3236 -
\??\c:\lrfxlll.exec:\lrfxlll.exe34⤵
- Executes dropped EXE
PID:4824 -
\??\c:\7hhbbn.exec:\7hhbbn.exe35⤵
- Executes dropped EXE
PID:5020 -
\??\c:\dpdvp.exec:\dpdvp.exe36⤵
- Executes dropped EXE
PID:1304 -
\??\c:\lxxrllf.exec:\lxxrllf.exe37⤵
- Executes dropped EXE
PID:208 -
\??\c:\5bbttb.exec:\5bbttb.exe38⤵
- Executes dropped EXE
PID:900 -
\??\c:\jdppd.exec:\jdppd.exe39⤵
- Executes dropped EXE
PID:2968 -
\??\c:\5vvpv.exec:\5vvpv.exe40⤵
- Executes dropped EXE
PID:3136 -
\??\c:\ffllrxx.exec:\ffllrxx.exe41⤵
- Executes dropped EXE
PID:556 -
\??\c:\thtttn.exec:\thtttn.exe42⤵
- Executes dropped EXE
PID:1708 -
\??\c:\nbntnt.exec:\nbntnt.exe43⤵
- Executes dropped EXE
PID:1228 -
\??\c:\pdjdd.exec:\pdjdd.exe44⤵
- Executes dropped EXE
PID:3868 -
\??\c:\3lxlfxx.exec:\3lxlfxx.exe45⤵
- Executes dropped EXE
PID:4028 -
\??\c:\httnhh.exec:\httnhh.exe46⤵
- Executes dropped EXE
PID:4216 -
\??\c:\nnnnhh.exec:\nnnnhh.exe47⤵
- Executes dropped EXE
PID:1608 -
\??\c:\pdjdj.exec:\pdjdj.exe48⤵
- Executes dropped EXE
PID:3440 -
\??\c:\flllfxx.exec:\flllfxx.exe49⤵
- Executes dropped EXE
PID:1520 -
\??\c:\tttnhh.exec:\tttnhh.exe50⤵
- Executes dropped EXE
PID:4420 -
\??\c:\nhhbnn.exec:\nhhbnn.exe51⤵
- Executes dropped EXE
PID:4312 -
\??\c:\jdjjj.exec:\jdjjj.exe52⤵
- Executes dropped EXE
PID:4296 -
\??\c:\9xfxlxr.exec:\9xfxlxr.exe53⤵
- Executes dropped EXE
PID:2588 -
\??\c:\bbnhnt.exec:\bbnhnt.exe54⤵
- Executes dropped EXE
PID:2620 -
\??\c:\9ddvj.exec:\9ddvj.exe55⤵
- Executes dropped EXE
PID:4324 -
\??\c:\5flfxxx.exec:\5flfxxx.exe56⤵
- Executes dropped EXE
PID:3808 -
\??\c:\rrrxxxx.exec:\rrrxxxx.exe57⤵
- Executes dropped EXE
PID:4164 -
\??\c:\nnbbhh.exec:\nnbbhh.exe58⤵
- Executes dropped EXE
PID:4352 -
\??\c:\pdjdd.exec:\pdjdd.exe59⤵
- Executes dropped EXE
PID:4664 -
\??\c:\jdpvv.exec:\jdpvv.exe60⤵
- Executes dropped EXE
PID:2616 -
\??\c:\7rxrffr.exec:\7rxrffr.exe61⤵
- Executes dropped EXE
PID:4872 -
\??\c:\nthhbb.exec:\nthhbb.exe62⤵
- Executes dropped EXE
PID:1044 -
\??\c:\9ddpp.exec:\9ddpp.exe63⤵
- Executes dropped EXE
PID:4524 -
\??\c:\rlfxlfx.exec:\rlfxlfx.exe64⤵
- Executes dropped EXE
PID:2960 -
\??\c:\xrxrrlx.exec:\xrxrrlx.exe65⤵
- Executes dropped EXE
PID:4688 -
\??\c:\3ttnhh.exec:\3ttnhh.exe66⤵PID:3768
-
\??\c:\vjvvp.exec:\vjvvp.exe67⤵PID:980
-
\??\c:\jdpjv.exec:\jdpjv.exe68⤵PID:4480
-
\??\c:\rffxlfx.exec:\rffxlfx.exe69⤵PID:4140
-
\??\c:\bbnhnh.exec:\bbnhnh.exe70⤵PID:2340
-
\??\c:\nhhbtt.exec:\nhhbtt.exe71⤵
- System Location Discovery: System Language Discovery
PID:4160 -
\??\c:\jvdvj.exec:\jvdvj.exe72⤵PID:4464
-
\??\c:\lfrllfl.exec:\lfrllfl.exe73⤵PID:396
-
\??\c:\frxxrrr.exec:\frxxrrr.exe74⤵PID:5064
-
\??\c:\bntnbt.exec:\bntnbt.exe75⤵PID:3652
-
\??\c:\vdddv.exec:\vdddv.exe76⤵PID:3500
-
\??\c:\dppjv.exec:\dppjv.exe77⤵PID:4060
-
\??\c:\rfffrxr.exec:\rfffrxr.exe78⤵PID:32
-
\??\c:\btbttn.exec:\btbttn.exe79⤵PID:4544
-
\??\c:\nhtnnn.exec:\nhtnnn.exe80⤵PID:232
-
\??\c:\5jjjd.exec:\5jjjd.exe81⤵PID:4540
-
\??\c:\frfxxxf.exec:\frfxxxf.exe82⤵PID:548
-
\??\c:\bnttnn.exec:\bnttnn.exe83⤵PID:4604
-
\??\c:\jvdvj.exec:\jvdvj.exe84⤵PID:3104
-
\??\c:\jvpjd.exec:\jvpjd.exe85⤵PID:820
-
\??\c:\rrfrxxx.exec:\rrfrxxx.exe86⤵PID:2452
-
\??\c:\bntthh.exec:\bntthh.exe87⤵PID:2880
-
\??\c:\jvdvp.exec:\jvdvp.exe88⤵PID:1172
-
\??\c:\fxxlxxr.exec:\fxxlxxr.exe89⤵PID:1728
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe90⤵PID:2316
-
\??\c:\1tnhbb.exec:\1tnhbb.exe91⤵PID:2976
-
\??\c:\pppjd.exec:\pppjd.exe92⤵PID:1280
-
\??\c:\7xffxxl.exec:\7xffxxl.exe93⤵PID:3708
-
\??\c:\7nhbtt.exec:\7nhbtt.exe94⤵PID:3684
-
\??\c:\dddvv.exec:\dddvv.exe95⤵PID:3852
-
\??\c:\7pdvv.exec:\7pdvv.exe96⤵PID:1820
-
\??\c:\7rlffxr.exec:\7rlffxr.exe97⤵PID:3160
-
\??\c:\flfxxrl.exec:\flfxxrl.exe98⤵PID:4256
-
\??\c:\bthhnh.exec:\bthhnh.exe99⤵PID:1532
-
\??\c:\pvdvp.exec:\pvdvp.exe100⤵PID:2824
-
\??\c:\rflxrrl.exec:\rflxrrl.exe101⤵PID:2564
-
\??\c:\tbhhbt.exec:\tbhhbt.exe102⤵PID:1908
-
\??\c:\5ntntt.exec:\5ntntt.exe103⤵PID:2344
-
\??\c:\dppdv.exec:\dppdv.exe104⤵PID:1528
-
\??\c:\xrfxrll.exec:\xrfxrll.exe105⤵PID:1040
-
\??\c:\hnthbn.exec:\hnthbn.exe106⤵PID:2152
-
\??\c:\djvvp.exec:\djvvp.exe107⤵PID:1384
-
\??\c:\jvdvp.exec:\jvdvp.exe108⤵PID:3772
-
\??\c:\fflfxff.exec:\fflfxff.exe109⤵PID:1664
-
\??\c:\dppjd.exec:\dppjd.exe110⤵PID:3868
-
\??\c:\lfxlxrl.exec:\lfxlxrl.exe111⤵PID:3016
-
\??\c:\nhnbbt.exec:\nhnbbt.exe112⤵PID:1464
-
\??\c:\9nhhth.exec:\9nhhth.exe113⤵PID:1992
-
\??\c:\pdpvp.exec:\pdpvp.exe114⤵PID:1076
-
\??\c:\xxrlrlx.exec:\xxrlrlx.exe115⤵PID:3068
-
\??\c:\1rxrlll.exec:\1rxrlll.exe116⤵PID:5116
-
\??\c:\thhthn.exec:\thhthn.exe117⤵PID:1220
-
\??\c:\vpdpj.exec:\vpdpj.exe118⤵PID:4932
-
\??\c:\fffrlfx.exec:\fffrlfx.exe119⤵PID:4792
-
\??\c:\ttbhbt.exec:\ttbhbt.exe120⤵PID:4492
-
\??\c:\djvdj.exec:\djvdj.exe121⤵PID:4376
-
\??\c:\pdvvp.exec:\pdvvp.exe122⤵PID:3808