Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250410-en locale:en-us os:windows10-2004-x64 system -
submitted
12/04/2025, 23:53
Static task
static1
1 signatures
General
-
Target
6170bf2d446afadcb82de1c887497b9e19809379111dfa7642e904957e2443ca.exe
-
Size
459KB
-
MD5
8570eec6e9bdf9952afd0fbe7e75b862
-
SHA1
fe93b0f56643df1bfcc712c2e0f11b1d028bbb4f
-
SHA256
6170bf2d446afadcb82de1c887497b9e19809379111dfa7642e904957e2443ca
-
SHA512
241a505e822e8aa5b4f4d31cb12a4f3fe6a8110c8d4b3bf8cf516241aead9dd76ef939ab75ba29b5e63b9c636b1e33fcc21fb9ae48b266373f6c9183f243d23c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral1/memory/4992-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5308-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4460-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/232-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5008-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5060-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/432-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/6084-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4528-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4800-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4916-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5612-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3664-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5328-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/6032-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1428-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4908-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/6124-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5492-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4272-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/516-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5028-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4328-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5360-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1020-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5948-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4308-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3856-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5108-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/6000-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5288-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3980-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3544-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4084-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4576-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4560-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4976-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3824-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1232-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/532-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3340-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4796-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3584-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/6084-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4648-992-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/820-1164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5544-1777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2816 xxrlflx.exe 5308 hntbnn.exe 5008 vvppj.exe 5060 pjpjd.exe 232 hnhhhn.exe 2264 xrllffx.exe 4460 hhtbbb.exe 1708 vjddj.exe 432 xfxrflf.exe 2996 rlllflf.exe 6084 htbntn.exe 3180 pvjvd.exe 2912 9llxlfr.exe 2836 ddjpv.exe 4528 9bhhnt.exe 4492 ttbtnn.exe 4664 nnhhtt.exe 4844 jjpdj.exe 1124 9jjdv.exe 2972 3frlxrf.exe 3676 hnhnnb.exe 2400 flfffll.exe 4800 pvpjv.exe 3776 fflxxrr.exe 2808 fxxlfxr.exe 4916 jpjdv.exe 5612 bhnbth.exe 4736 nbhbbb.exe 3664 tnnnhb.exe 5328 hnttbh.exe 6032 rxlfxrl.exe 992 pvvvv.exe 1428 3nhtnt.exe 756 djpdd.exe 2116 lxfrlfx.exe 2476 hhbbbb.exe 4908 tbnnnt.exe 6124 flrlffx.exe 5492 nhnnnn.exe 2028 pjppp.exe 4272 5httnn.exe 4064 xxrrrrx.exe 516 jjpvd.exe 5028 nhtttt.exe 5724 jpjjj.exe 4328 thhhhb.exe 5360 bntbtt.exe 5012 tnhbtn.exe 2648 jvvvv.exe 3348 lrflrxx.exe 1020 5tnhbb.exe 536 vpjjd.exe 5948 dpvpj.exe 4308 fxxxxrx.exe 4112 nbbtnn.exe 4996 3pdvd.exe 3016 jppjd.exe 4380 llfrflx.exe 3856 bthhbb.exe 3940 dpddv.exe 820 pdjpj.exe 5108 lfxrrxr.exe 4376 nbntbb.exe 5536 vpppj.exe -
resource yara_rule behavioral1/memory/4992-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5308-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5308-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4460-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/232-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5008-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5060-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/432-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/432-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/6084-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4528-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3676-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4800-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4916-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5612-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3664-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5328-177-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/6032-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1428-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4908-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/6124-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5492-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4272-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/516-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5028-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4328-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5360-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1020-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5948-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4308-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3856-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5108-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/6000-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5288-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3980-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3544-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4084-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4576-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4560-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4976-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3824-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4136-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/532-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3340-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4796-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3584-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/6084-678-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfffxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrlxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrlf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4992 wrote to memory of 2816 4992 6170bf2d446afadcb82de1c887497b9e19809379111dfa7642e904957e2443ca.exe 84 PID 4992 wrote to memory of 2816 4992 6170bf2d446afadcb82de1c887497b9e19809379111dfa7642e904957e2443ca.exe 84 PID 4992 wrote to memory of 2816 4992 6170bf2d446afadcb82de1c887497b9e19809379111dfa7642e904957e2443ca.exe 84 PID 2816 wrote to memory of 5308 2816 xxrlflx.exe 85 PID 2816 wrote to memory of 5308 2816 xxrlflx.exe 85 PID 2816 wrote to memory of 5308 2816 xxrlflx.exe 85 PID 5308 wrote to memory of 5008 5308 hntbnn.exe 86 PID 5308 wrote to memory of 5008 5308 hntbnn.exe 86 PID 5308 wrote to memory of 5008 5308 hntbnn.exe 86 PID 5008 wrote to memory of 5060 5008 vvppj.exe 87 PID 5008 wrote to memory of 5060 5008 vvppj.exe 87 PID 5008 wrote to memory of 5060 5008 vvppj.exe 87 PID 5060 wrote to memory of 232 5060 pjpjd.exe 88 PID 5060 wrote to memory of 232 5060 pjpjd.exe 88 PID 5060 wrote to memory of 232 5060 pjpjd.exe 88 PID 232 wrote to memory of 2264 232 hnhhhn.exe 89 PID 232 wrote to memory of 2264 232 hnhhhn.exe 89 PID 232 wrote to memory of 2264 232 hnhhhn.exe 89 PID 2264 wrote to memory of 4460 2264 xrllffx.exe 90 PID 2264 wrote to memory of 4460 2264 xrllffx.exe 90 PID 2264 wrote to memory of 4460 2264 xrllffx.exe 90 PID 4460 wrote to memory of 1708 4460 hhtbbb.exe 91 PID 4460 wrote to memory of 1708 4460 hhtbbb.exe 91 PID 4460 wrote to memory of 1708 4460 hhtbbb.exe 91 PID 1708 wrote to memory of 432 1708 vjddj.exe 92 PID 1708 wrote to memory of 432 1708 vjddj.exe 92 PID 1708 wrote to memory of 432 1708 vjddj.exe 92 PID 432 wrote to memory of 2996 432 xfxrflf.exe 93 PID 432 wrote to memory of 2996 432 xfxrflf.exe 93 PID 432 wrote to memory of 2996 432 xfxrflf.exe 93 PID 2996 wrote to memory of 6084 2996 rlllflf.exe 94 PID 2996 wrote to memory of 6084 2996 rlllflf.exe 94 PID 2996 wrote to memory of 6084 2996 rlllflf.exe 94 PID 6084 wrote to memory of 3180 6084 htbntn.exe 95 PID 6084 wrote to memory of 3180 
6084 htbntn.exe 95 PID 6084 wrote to memory of 3180 6084 htbntn.exe 95 PID 3180 wrote to memory of 2912 3180 pvjvd.exe 97 PID 3180 wrote to memory of 2912 3180 pvjvd.exe 97 PID 3180 wrote to memory of 2912 3180 pvjvd.exe 97 PID 2912 wrote to memory of 2836 2912 9llxlfr.exe 99 PID 2912 wrote to memory of 2836 2912 9llxlfr.exe 99 PID 2912 wrote to memory of 2836 2912 9llxlfr.exe 99 PID 2836 wrote to memory of 4528 2836 ddjpv.exe 100 PID 2836 wrote to memory of 4528 2836 ddjpv.exe 100 PID 2836 wrote to memory of 4528 2836 ddjpv.exe 100 PID 4528 wrote to memory of 4492 4528 9bhhnt.exe 101 PID 4528 wrote to memory of 4492 4528 9bhhnt.exe 101 PID 4528 wrote to memory of 4492 4528 9bhhnt.exe 101 PID 4492 wrote to memory of 4664 4492 ttbtnn.exe 103 PID 4492 wrote to memory of 4664 4492 ttbtnn.exe 103 PID 4492 wrote to memory of 4664 4492 ttbtnn.exe 103 PID 4664 wrote to memory of 4844 4664 nnhhtt.exe 104 PID 4664 wrote to memory of 4844 4664 nnhhtt.exe 104 PID 4664 wrote to memory of 4844 4664 nnhhtt.exe 104 PID 4844 wrote to memory of 1124 4844 jjpdj.exe 105 PID 4844 wrote to memory of 1124 4844 jjpdj.exe 105 PID 4844 wrote to memory of 1124 4844 jjpdj.exe 105 PID 1124 wrote to memory of 2972 1124 9jjdv.exe 106 PID 1124 wrote to memory of 2972 1124 9jjdv.exe 106 PID 1124 wrote to memory of 2972 1124 9jjdv.exe 106 PID 2972 wrote to memory of 3676 2972 3frlxrf.exe 107 PID 2972 wrote to memory of 3676 2972 3frlxrf.exe 107 PID 2972 wrote to memory of 3676 2972 3frlxrf.exe 107 PID 3676 wrote to memory of 2400 3676 hnhnnb.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\6170bf2d446afadcb82de1c887497b9e19809379111dfa7642e904957e2443ca.exe"C:\Users\Admin\AppData\Local\Temp\6170bf2d446afadcb82de1c887497b9e19809379111dfa7642e904957e2443ca.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\xxrlflx.exec:\xxrlflx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\hntbnn.exec:\hntbnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5308 -
\??\c:\vvppj.exec:\vvppj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\pjpjd.exec:\pjpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\hnhhhn.exec:\hnhhhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\xrllffx.exec:\xrllffx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\hhtbbb.exec:\hhtbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\vjddj.exec:\vjddj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\xfxrflf.exec:\xfxrflf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\rlllflf.exec:\rlllflf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\htbntn.exec:\htbntn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6084 -
\??\c:\pvjvd.exec:\pvjvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\9llxlfr.exec:\9llxlfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\ddjpv.exec:\ddjpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\9bhhnt.exec:\9bhhnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\ttbtnn.exec:\ttbtnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\nnhhtt.exec:\nnhhtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\jjpdj.exec:\jjpdj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\9jjdv.exec:\9jjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\3frlxrf.exec:\3frlxrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\hnhnnb.exec:\hnhnnb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\flfffll.exec:\flfffll.exe23⤵
- Executes dropped EXE
PID:2400 -
\??\c:\pvpjv.exec:\pvpjv.exe24⤵
- Executes dropped EXE
PID:4800 -
\??\c:\fflxxrr.exec:\fflxxrr.exe25⤵
- Executes dropped EXE
PID:3776 -
\??\c:\fxxlfxr.exec:\fxxlfxr.exe26⤵
- Executes dropped EXE
PID:2808 -
\??\c:\jpjdv.exec:\jpjdv.exe27⤵
- Executes dropped EXE
PID:4916 -
\??\c:\bhnbth.exec:\bhnbth.exe28⤵
- Executes dropped EXE
PID:5612 -
\??\c:\nbhbbb.exec:\nbhbbb.exe29⤵
- Executes dropped EXE
PID:4736 -
\??\c:\tnnnhb.exec:\tnnnhb.exe30⤵
- Executes dropped EXE
PID:3664 -
\??\c:\hnttbh.exec:\hnttbh.exe31⤵
- Executes dropped EXE
PID:5328 -
\??\c:\rxlfxrl.exec:\rxlfxrl.exe32⤵
- Executes dropped EXE
PID:6032 -
\??\c:\pvvvv.exec:\pvvvv.exe33⤵
- Executes dropped EXE
PID:992 -
\??\c:\3nhtnt.exec:\3nhtnt.exe34⤵
- Executes dropped EXE
PID:1428 -
\??\c:\djpdd.exec:\djpdd.exe35⤵
- Executes dropped EXE
PID:756 -
\??\c:\lxfrlfx.exec:\lxfrlfx.exe36⤵
- Executes dropped EXE
PID:2116 -
\??\c:\hhbbbb.exec:\hhbbbb.exe37⤵
- Executes dropped EXE
PID:2476 -
\??\c:\tbnnnt.exec:\tbnnnt.exe38⤵
- Executes dropped EXE
PID:4908 -
\??\c:\flrlffx.exec:\flrlffx.exe39⤵
- Executes dropped EXE
PID:6124 -
\??\c:\nhnnnn.exec:\nhnnnn.exe40⤵
- Executes dropped EXE
PID:5492 -
\??\c:\pjppp.exec:\pjppp.exe41⤵
- Executes dropped EXE
PID:2028 -
\??\c:\5httnn.exec:\5httnn.exe42⤵
- Executes dropped EXE
PID:4272 -
\??\c:\xxrrrrx.exec:\xxrrrrx.exe43⤵
- Executes dropped EXE
PID:4064 -
\??\c:\jjpvd.exec:\jjpvd.exe44⤵
- Executes dropped EXE
PID:516 -
\??\c:\nhtttt.exec:\nhtttt.exe45⤵
- Executes dropped EXE
PID:5028 -
\??\c:\jpjjj.exec:\jpjjj.exe46⤵
- Executes dropped EXE
PID:5724 -
\??\c:\thhhhb.exec:\thhhhb.exe47⤵
- Executes dropped EXE
PID:4328 -
\??\c:\bntbtt.exec:\bntbtt.exe48⤵
- Executes dropped EXE
PID:5360 -
\??\c:\tnhbtn.exec:\tnhbtn.exe49⤵
- Executes dropped EXE
PID:5012 -
\??\c:\jvvvv.exec:\jvvvv.exe50⤵
- Executes dropped EXE
PID:2648 -
\??\c:\lrflrxx.exec:\lrflrxx.exe51⤵
- Executes dropped EXE
PID:3348 -
\??\c:\5tnhbb.exec:\5tnhbb.exe52⤵
- Executes dropped EXE
PID:1020 -
\??\c:\vpjjd.exec:\vpjjd.exe53⤵
- Executes dropped EXE
PID:536 -
\??\c:\dpvpj.exec:\dpvpj.exe54⤵
- Executes dropped EXE
PID:5948 -
\??\c:\fxxxxrx.exec:\fxxxxrx.exe55⤵
- Executes dropped EXE
PID:4308 -
\??\c:\nbbtnn.exec:\nbbtnn.exe56⤵
- Executes dropped EXE
PID:4112 -
\??\c:\3pdvd.exec:\3pdvd.exe57⤵
- Executes dropped EXE
PID:4996 -
\??\c:\jppjd.exec:\jppjd.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3016 -
\??\c:\llfrflx.exec:\llfrflx.exe59⤵
- Executes dropped EXE
PID:4380 -
\??\c:\bthhbb.exec:\bthhbb.exe60⤵
- Executes dropped EXE
PID:3856 -
\??\c:\dpddv.exec:\dpddv.exe61⤵
- Executes dropped EXE
PID:3940 -
\??\c:\pdjpj.exec:\pdjpj.exe62⤵
- Executes dropped EXE
PID:820 -
\??\c:\lfxrrxr.exec:\lfxrrxr.exe63⤵
- Executes dropped EXE
PID:5108 -
\??\c:\nbntbb.exec:\nbntbb.exe64⤵
- Executes dropped EXE
PID:4376 -
\??\c:\vpppj.exec:\vpppj.exe65⤵
- Executes dropped EXE
PID:5536 -
\??\c:\frxlrlr.exec:\frxlrlr.exe66⤵PID:2592
-
\??\c:\9nnhbt.exec:\9nnhbt.exe67⤵PID:5380
-
\??\c:\ddddp.exec:\ddddp.exe68⤵PID:1184
-
\??\c:\3jvpd.exec:\3jvpd.exe69⤵PID:1576
-
\??\c:\rxfxfff.exec:\rxfxfff.exe70⤵PID:6000
-
\??\c:\nbbnhb.exec:\nbbnhb.exe71⤵PID:5288
-
\??\c:\9vddv.exec:\9vddv.exe72⤵PID:1480
-
\??\c:\rrxlxxl.exec:\rrxlxxl.exe73⤵PID:4440
-
\??\c:\fllfrrf.exec:\fllfrrf.exe74⤵PID:1884
-
\??\c:\ttbtbn.exec:\ttbtbn.exe75⤵PID:1776
-
\??\c:\pvdvp.exec:\pvdvp.exe76⤵PID:4264
-
\??\c:\xlxrlff.exec:\xlxrlff.exe77⤵PID:2816
-
\??\c:\hhbnhn.exec:\hhbnhn.exe78⤵PID:3980
-
\??\c:\dvjdv.exec:\dvjdv.exe79⤵PID:1784
-
\??\c:\rffxxxr.exec:\rffxxxr.exe80⤵PID:3160
-
\??\c:\htnnnn.exec:\htnnnn.exe81⤵PID:1080
-
\??\c:\dppdv.exec:\dppdv.exe82⤵PID:1696
-
\??\c:\fffxxxx.exec:\fffxxxx.exe83⤵PID:5248
-
\??\c:\7btnbb.exec:\7btnbb.exe84⤵PID:2108
-
\??\c:\dddpp.exec:\dddpp.exe85⤵PID:552
-
\??\c:\xfxxllf.exec:\xfxxllf.exe86⤵PID:5432
-
\??\c:\bbhbnn.exec:\bbhbnn.exe87⤵PID:3544
-
\??\c:\jvjjj.exec:\jvjjj.exe88⤵
- System Location Discovery: System Language Discovery
PID:1228 -
\??\c:\7xlfllr.exec:\7xlfllr.exe89⤵PID:2248
-
\??\c:\bhhhhn.exec:\bhhhhn.exe90⤵PID:5576
-
\??\c:\jjjdv.exec:\jjjdv.exe91⤵PID:1568
-
\??\c:\5xxrffr.exec:\5xxrffr.exe92⤵PID:2716
-
\??\c:\lffrlrf.exec:\lffrlrf.exe93⤵PID:1712
-
\??\c:\1nhthh.exec:\1nhthh.exe94⤵PID:4520
-
\??\c:\3jvpj.exec:\3jvpj.exe95⤵PID:724
-
\??\c:\tbhbbt.exec:\tbhbbt.exe96⤵PID:4084
-
\??\c:\5nnnhh.exec:\5nnnhh.exe97⤵
- System Location Discovery: System Language Discovery
PID:744 -
\??\c:\1xrlfff.exec:\1xrlfff.exe98⤵PID:4564
-
\??\c:\frrxllf.exec:\frrxllf.exe99⤵PID:4496
-
\??\c:\bnhnbt.exec:\bnhnbt.exe100⤵PID:4576
-
\??\c:\xxxxxxx.exec:\xxxxxxx.exe101⤵PID:4480
-
\??\c:\jdvdd.exec:\jdvdd.exe102⤵PID:4560
-
\??\c:\xllrrxx.exec:\xllrrxx.exe103⤵PID:1508
-
\??\c:\tbnnnn.exec:\tbnnnn.exe104⤵PID:656
-
\??\c:\llxrffr.exec:\llxrffr.exe105⤵PID:3432
-
\??\c:\xfxxrxr.exec:\xfxxrxr.exe106⤵PID:380
-
\??\c:\nbbbtt.exec:\nbbbtt.exe107⤵PID:5488
-
\??\c:\ddppd.exec:\ddppd.exe108⤵PID:4788
-
\??\c:\rfrfxrx.exec:\rfrfxrx.exe109⤵PID:4728
-
\??\c:\5nbbnh.exec:\5nbbnh.exe110⤵PID:4760
-
\??\c:\bnnhtn.exec:\bnnhtn.exe111⤵PID:5560
-
\??\c:\jvdpp.exec:\jvdpp.exe112⤵PID:4976
-
\??\c:\1lfxrrr.exec:\1lfxrrr.exe113⤵PID:3824
-
\??\c:\nbhbbb.exec:\nbhbbb.exe114⤵PID:2044
-
\??\c:\pdjvp.exec:\pdjvp.exe115⤵PID:5612
-
\??\c:\xfxxrrl.exec:\xfxxrrl.exe116⤵PID:5396
-
\??\c:\lfrlffx.exec:\lfrlffx.exe117⤵PID:5392
-
\??\c:\bnbntn.exec:\bnbntn.exe118⤵PID:1732
-
\??\c:\vvvpd.exec:\vvvpd.exe119⤵PID:2672
-
\??\c:\3xfxxxf.exec:\3xfxxxf.exe120⤵PID:1436
-
\??\c:\nnbttn.exec:\nnbttn.exe121⤵PID:1232
-
\??\c:\pjdvj.exec:\pjdvj.exe122⤵PID:4136