Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe
-
Size
457KB
-
MD5
86c46493d9d3bb1e05562b6e62ce3c6d
-
SHA1
7b41234680b1c6bbcc94cf8b4e4a788d35079220
-
SHA256
bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0
-
SHA512
d05862a2df3bf9d2e6f3458da6f2d45ccf1f76dae18e03972a328cedc0653dac9d298ea4f27239cd46c707c7134fc49a75f95d4ac8ecac31e2955c133b21eed8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRl:q7Tc2NYHUrAwfMp3CDRl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4532-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3828-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/344-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/920-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-1093-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-1160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-1452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1792-1481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2764 pjjvp.exe 2912 rfrxfrx.exe 5104 fxlfrlx.exe 2120 jdjdv.exe 116 lrxrrlf.exe 232 ttthtn.exe 3024 btnhtn.exe 3116 fxrfxrl.exe 1196 nbtnhh.exe 2104 lrlfxfx.exe 548 pdjvj.exe 3864 tbtnhh.exe 4660 vpjdv.exe 4564 1vjvj.exe 4904 rfxlfxr.exe 1060 ntthtn.exe 4492 rxfxfxr.exe 4584 hhbhbn.exe 3600 vpjdp.exe 5000 9rxrlfx.exe 4760 tnhtnh.exe 1272 dvjdp.exe 3828 rrlffrf.exe 2264 xrrffxl.exe 1504 nttnbn.exe 1648 jvdpd.exe 2528 7rfrfxl.exe 3640 nbntnt.exe 1340 jppjd.exe 2068 9dvjv.exe 4992 frllxrl.exe 3596 flfrlfx.exe 3012 rlfxlfx.exe 2480 bnnhbb.exe 4748 pjpjj.exe 1744 nhbnbt.exe 1860 jdvjd.exe 4592 llfxrxr.exe 3644 rrlffxr.exe 5056 nnbbnh.exe 4388 lxxrffx.exe 4356 bhnbnb.exe 2220 djdvp.exe 1872 xxlfrlf.exe 4940 7rxfrlx.exe 2372 ttnbnb.exe 1068 ddvjd.exe 3660 fxxxfxl.exe 4276 btbbbt.exe 4196 bhnbtn.exe 4532 pvjdp.exe 3128 rrfxlfr.exe 4824 xrrllfx.exe 3404 tntnbt.exe 408 7dpdp.exe 2668 xlrrlfx.exe 4588 nbbtnh.exe 3944 7vpdd.exe 4396 rlxllff.exe 1492 xxxrffr.exe 3460 tntnnh.exe 2236 vdjvv.exe 1580 rlrlxlf.exe 1544 nbhbnh.exe -
resource yara_rule behavioral2/memory/4532-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-140-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1648-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-393-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3012-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-984-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-1093-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4532 wrote to memory of 2764 4532 bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe 83 PID 4532 wrote to memory of 2764 4532 bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe 83 PID 4532 wrote to memory of 2764 4532 bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe 83 PID 2764 wrote to memory of 2912 2764 pjjvp.exe 84 PID 2764 wrote to memory of 2912 2764 pjjvp.exe 84 PID 2764 wrote to memory of 2912 2764 pjjvp.exe 84 PID 2912 wrote to memory of 5104 2912 rfrxfrx.exe 85 PID 2912 wrote to memory of 5104 2912 rfrxfrx.exe 85 PID 2912 wrote to memory of 5104 2912 rfrxfrx.exe 85 PID 5104 wrote to memory of 2120 5104 fxlfrlx.exe 86 PID 5104 wrote to memory of 2120 5104 fxlfrlx.exe 86 PID 5104 wrote to memory of 2120 5104 fxlfrlx.exe 86 PID 2120 wrote to memory of 116 2120 jdjdv.exe 87 PID 2120 wrote to memory of 116 2120 jdjdv.exe 87 PID 2120 wrote to memory of 116 2120 jdjdv.exe 87 PID 116 wrote to memory of 232 116 lrxrrlf.exe 88 PID 116 wrote to memory of 232 116 lrxrrlf.exe 88 PID 116 wrote to memory of 232 116 lrxrrlf.exe 88 PID 232 wrote to memory of 3024 232 ttthtn.exe 89 PID 232 wrote to memory of 3024 232 ttthtn.exe 89 PID 232 wrote to memory of 3024 232 ttthtn.exe 89 PID 3024 wrote to memory of 3116 3024 btnhtn.exe 90 PID 3024 wrote to memory of 3116 3024 btnhtn.exe 90 PID 3024 wrote to memory of 3116 3024 btnhtn.exe 90 PID 3116 wrote to memory of 1196 3116 fxrfxrl.exe 91 PID 3116 wrote to memory of 1196 3116 fxrfxrl.exe 91 PID 3116 wrote to memory of 1196 3116 fxrfxrl.exe 91 PID 1196 wrote to memory of 2104 1196 nbtnhh.exe 92 PID 1196 wrote to memory of 2104 1196 nbtnhh.exe 92 PID 1196 wrote to memory of 2104 1196 nbtnhh.exe 92 PID 2104 wrote to memory of 548 2104 lrlfxfx.exe 93 PID 2104 wrote to memory of 548 2104 lrlfxfx.exe 93 PID 2104 wrote to memory of 548 2104 lrlfxfx.exe 93 PID 548 wrote to memory of 3864 548 pdjvj.exe 94 PID 548 wrote to memory of 3864 
548 pdjvj.exe 94 PID 548 wrote to memory of 3864 548 pdjvj.exe 94 PID 3864 wrote to memory of 4660 3864 tbtnhh.exe 95 PID 3864 wrote to memory of 4660 3864 tbtnhh.exe 95 PID 3864 wrote to memory of 4660 3864 tbtnhh.exe 95 PID 4660 wrote to memory of 4564 4660 vpjdv.exe 96 PID 4660 wrote to memory of 4564 4660 vpjdv.exe 96 PID 4660 wrote to memory of 4564 4660 vpjdv.exe 96 PID 4564 wrote to memory of 4904 4564 1vjvj.exe 97 PID 4564 wrote to memory of 4904 4564 1vjvj.exe 97 PID 4564 wrote to memory of 4904 4564 1vjvj.exe 97 PID 4904 wrote to memory of 1060 4904 rfxlfxr.exe 98 PID 4904 wrote to memory of 1060 4904 rfxlfxr.exe 98 PID 4904 wrote to memory of 1060 4904 rfxlfxr.exe 98 PID 1060 wrote to memory of 4492 1060 ntthtn.exe 99 PID 1060 wrote to memory of 4492 1060 ntthtn.exe 99 PID 1060 wrote to memory of 4492 1060 ntthtn.exe 99 PID 4492 wrote to memory of 4584 4492 rxfxfxr.exe 100 PID 4492 wrote to memory of 4584 4492 rxfxfxr.exe 100 PID 4492 wrote to memory of 4584 4492 rxfxfxr.exe 100 PID 4584 wrote to memory of 3600 4584 hhbhbn.exe 101 PID 4584 wrote to memory of 3600 4584 hhbhbn.exe 101 PID 4584 wrote to memory of 3600 4584 hhbhbn.exe 101 PID 3600 wrote to memory of 5000 3600 vpjdp.exe 102 PID 3600 wrote to memory of 5000 3600 vpjdp.exe 102 PID 3600 wrote to memory of 5000 3600 vpjdp.exe 102 PID 5000 wrote to memory of 4760 5000 9rxrlfx.exe 103 PID 5000 wrote to memory of 4760 5000 9rxrlfx.exe 103 PID 5000 wrote to memory of 4760 5000 9rxrlfx.exe 103 PID 4760 wrote to memory of 1272 4760 tnhtnh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe"C:\Users\Admin\AppData\Local\Temp\bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\pjjvp.exec:\pjjvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\rfrxfrx.exec:\rfrxfrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\fxlfrlx.exec:\fxlfrlx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\jdjdv.exec:\jdjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\lrxrrlf.exec:\lrxrrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\ttthtn.exec:\ttthtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\btnhtn.exec:\btnhtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\fxrfxrl.exec:\fxrfxrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\nbtnhh.exec:\nbtnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\lrlfxfx.exec:\lrlfxfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\pdjvj.exec:\pdjvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\tbtnhh.exec:\tbtnhh.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\vpjdv.exec:\vpjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\1vjvj.exec:\1vjvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\rfxlfxr.exec:\rfxlfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\ntthtn.exec:\ntthtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\rxfxfxr.exec:\rxfxfxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\hhbhbn.exec:\hhbhbn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\vpjdp.exec:\vpjdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\9rxrlfx.exec:\9rxrlfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\tnhtnh.exec:\tnhtnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\dvjdp.exec:\dvjdp.exe23⤵
- Executes dropped EXE
PID:1272 -
\??\c:\rrlffrf.exec:\rrlffrf.exe24⤵
- Executes dropped EXE
PID:3828 -
\??\c:\xrrffxl.exec:\xrrffxl.exe25⤵
- Executes dropped EXE
PID:2264 -
\??\c:\nttnbn.exec:\nttnbn.exe26⤵
- Executes dropped EXE
PID:1504 -
\??\c:\jvdpd.exec:\jvdpd.exe27⤵
- Executes dropped EXE
PID:1648 -
\??\c:\7rfrfxl.exec:\7rfrfxl.exe28⤵
- Executes dropped EXE
PID:2528 -
\??\c:\nbntnt.exec:\nbntnt.exe29⤵
- Executes dropped EXE
PID:3640 -
\??\c:\jppjd.exec:\jppjd.exe30⤵
- Executes dropped EXE
PID:1340 -
\??\c:\9dvjv.exec:\9dvjv.exe31⤵
- Executes dropped EXE
PID:2068 -
\??\c:\frllxrl.exec:\frllxrl.exe32⤵
- Executes dropped EXE
PID:4992 -
\??\c:\flfrlfx.exec:\flfrlfx.exe33⤵
- Executes dropped EXE
PID:3596 -
\??\c:\rlfxlfx.exec:\rlfxlfx.exe34⤵
- Executes dropped EXE
PID:3012 -
\??\c:\bnnhbb.exec:\bnnhbb.exe35⤵
- Executes dropped EXE
PID:2480 -
\??\c:\pjpjj.exec:\pjpjj.exe36⤵
- Executes dropped EXE
PID:4748 -
\??\c:\nhbnbt.exec:\nhbnbt.exe37⤵
- Executes dropped EXE
PID:1744 -
\??\c:\jdvjd.exec:\jdvjd.exe38⤵
- Executes dropped EXE
PID:1860 -
\??\c:\llfxrxr.exec:\llfxrxr.exe39⤵
- Executes dropped EXE
PID:4592 -
\??\c:\rrlffxr.exec:\rrlffxr.exe40⤵
- Executes dropped EXE
PID:3644 -
\??\c:\nnbbnh.exec:\nnbbnh.exe41⤵
- Executes dropped EXE
PID:5056 -
\??\c:\lxxrffx.exec:\lxxrffx.exe42⤵
- Executes dropped EXE
PID:4388 -
\??\c:\bhnbnb.exec:\bhnbnb.exe43⤵
- Executes dropped EXE
PID:4356 -
\??\c:\djdvp.exec:\djdvp.exe44⤵
- Executes dropped EXE
PID:2220 -
\??\c:\xxlfrlf.exec:\xxlfrlf.exe45⤵
- Executes dropped EXE
PID:1872 -
\??\c:\7rxfrlx.exec:\7rxfrlx.exe46⤵
- Executes dropped EXE
PID:4940 -
\??\c:\ttnbnb.exec:\ttnbnb.exe47⤵
- Executes dropped EXE
PID:2372 -
\??\c:\ddvjd.exec:\ddvjd.exe48⤵
- Executes dropped EXE
PID:1068 -
\??\c:\fxxxfxl.exec:\fxxxfxl.exe49⤵
- Executes dropped EXE
PID:3660 -
\??\c:\btbbbt.exec:\btbbbt.exe50⤵
- Executes dropped EXE
PID:4276 -
\??\c:\bhnbtn.exec:\bhnbtn.exe51⤵
- Executes dropped EXE
PID:4196 -
\??\c:\pvjdp.exec:\pvjdp.exe52⤵
- Executes dropped EXE
PID:4532 -
\??\c:\rrfxlfr.exec:\rrfxlfr.exe53⤵
- Executes dropped EXE
PID:3128 -
\??\c:\xrrllfx.exec:\xrrllfx.exe54⤵
- Executes dropped EXE
PID:4824 -
\??\c:\tntnbt.exec:\tntnbt.exe55⤵
- Executes dropped EXE
PID:3404 -
\??\c:\7dpdp.exec:\7dpdp.exe56⤵
- Executes dropped EXE
PID:408 -
\??\c:\xlrrlfx.exec:\xlrrlfx.exe57⤵
- Executes dropped EXE
PID:2668 -
\??\c:\nbbtnh.exec:\nbbtnh.exe58⤵
- Executes dropped EXE
PID:4588 -
\??\c:\7vpdd.exec:\7vpdd.exe59⤵
- Executes dropped EXE
PID:3944 -
\??\c:\rlxllff.exec:\rlxllff.exe60⤵
- Executes dropped EXE
PID:4396 -
\??\c:\xxxrffr.exec:\xxxrffr.exe61⤵
- Executes dropped EXE
PID:1492 -
\??\c:\tntnnh.exec:\tntnnh.exe62⤵
- Executes dropped EXE
PID:3460 -
\??\c:\vdjvv.exec:\vdjvv.exe63⤵
- Executes dropped EXE
PID:2236 -
\??\c:\rlrlxlf.exec:\rlrlxlf.exe64⤵
- Executes dropped EXE
PID:1580 -
\??\c:\nbhbnh.exec:\nbhbnh.exe65⤵
- Executes dropped EXE
PID:1544 -
\??\c:\nhhthb.exec:\nhhthb.exe66⤵PID:3720
-
\??\c:\vvjvj.exec:\vvjvj.exe67⤵PID:628
-
\??\c:\pjjvj.exec:\pjjvj.exe68⤵PID:2888
-
\??\c:\xfffflf.exec:\xfffflf.exe69⤵PID:548
-
\??\c:\1bnbtn.exec:\1bnbtn.exe70⤵PID:3836
-
\??\c:\5nbtnn.exec:\5nbtnn.exe71⤵PID:1604
-
\??\c:\ppjpd.exec:\ppjpd.exe72⤵PID:552
-
\??\c:\frxrlll.exec:\frxrlll.exe73⤵PID:2452
-
\??\c:\thbbtt.exec:\thbbtt.exe74⤵PID:3676
-
\??\c:\ddvdp.exec:\ddvdp.exe75⤵PID:3140
-
\??\c:\3fxlffx.exec:\3fxlffx.exe76⤵PID:4736
-
\??\c:\5lfxlrr.exec:\5lfxlrr.exe77⤵PID:1916
-
\??\c:\bnnbth.exec:\bnnbth.exe78⤵PID:344
-
\??\c:\jppdp.exec:\jppdp.exe79⤵PID:2300
-
\??\c:\jvvjd.exec:\jvvjd.exe80⤵PID:3652
-
\??\c:\llxrflf.exec:\llxrflf.exe81⤵PID:5084
-
\??\c:\3nnbnh.exec:\3nnbnh.exe82⤵PID:3248
-
\??\c:\3jdvj.exec:\3jdvj.exe83⤵PID:3372
-
\??\c:\llllxxx.exec:\llllxxx.exe84⤵PID:4032
-
\??\c:\9fffxxr.exec:\9fffxxr.exe85⤵PID:2132
-
\??\c:\hbhhtt.exec:\hbhhtt.exe86⤵PID:2308
-
\??\c:\pdddv.exec:\pdddv.exe87⤵PID:3440
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe88⤵PID:2260
-
\??\c:\flxrfxr.exec:\flxrfxr.exe89⤵PID:2004
-
\??\c:\1thtnn.exec:\1thtnn.exe90⤵PID:920
-
\??\c:\vddpj.exec:\vddpj.exe91⤵PID:1952
-
\??\c:\9rlfrlf.exec:\9rlfrlf.exe92⤵PID:3452
-
\??\c:\1bnnhn.exec:\1bnnhn.exe93⤵PID:4656
-
\??\c:\vddvj.exec:\vddvj.exe94⤵PID:4852
-
\??\c:\rrxrrll.exec:\rrxrrll.exe95⤵PID:2012
-
\??\c:\rrflxxl.exec:\rrflxxl.exe96⤵PID:3596
-
\??\c:\7ntnbb.exec:\7ntnbb.exe97⤵PID:3012
-
\??\c:\ddvpv.exec:\ddvpv.exe98⤵PID:3032
-
\??\c:\fffxrll.exec:\fffxrll.exe99⤵PID:4748
-
\??\c:\ffrxlfx.exec:\ffrxlfx.exe100⤵PID:3708
-
\??\c:\ttbnhb.exec:\ttbnhb.exe101⤵PID:4508
-
\??\c:\vpjdv.exec:\vpjdv.exe102⤵PID:808
-
\??\c:\jpjvd.exec:\jpjvd.exe103⤵PID:2432
-
\??\c:\3xlfxxr.exec:\3xlfxxr.exe104⤵PID:5056
-
\??\c:\tttnnn.exec:\tttnnn.exe105⤵PID:3360
-
\??\c:\vjjvj.exec:\vjjvj.exe106⤵PID:2044
-
\??\c:\xlrfxrf.exec:\xlrfxrf.exe107⤵PID:3580
-
\??\c:\nhhbnt.exec:\nhhbnt.exe108⤵PID:3940
-
\??\c:\htbhbt.exec:\htbhbt.exe109⤵PID:1228
-
\??\c:\dddpj.exec:\dddpj.exe110⤵PID:4332
-
\??\c:\xlffrrl.exec:\xlffrrl.exe111⤵PID:1808
-
\??\c:\nnhbtn.exec:\nnhbtn.exe112⤵PID:1516
-
\??\c:\bnnbtt.exec:\bnnbtt.exe113⤵PID:2268
-
\??\c:\3vvpj.exec:\3vvpj.exe114⤵PID:2732
-
\??\c:\1rxrfxr.exec:\1rxrfxr.exe115⤵PID:1524
-
\??\c:\rxrfxrl.exec:\rxrfxrl.exe116⤵PID:2764
-
\??\c:\bhhtnb.exec:\bhhtnb.exe117⤵PID:2412
-
\??\c:\pdjdv.exec:\pdjdv.exe118⤵PID:4824
-
\??\c:\fxllfxr.exec:\fxllfxr.exe119⤵PID:5104
-
\??\c:\llflfrl.exec:\llflfrl.exe120⤵PID:4924
-
\??\c:\9nbthh.exec:\9nbthh.exe121⤵PID:208
-
\??\c:\1pvpp.exec:\1pvpp.exe122⤵PID:5044