Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b35d0ff7d0311bf8a48fca17bfd2eeb08d5cfbaccac1b7a2f07a85cdba10175a.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
b35d0ff7d0311bf8a48fca17bfd2eeb08d5cfbaccac1b7a2f07a85cdba10175a.exe
-
Size
455KB
-
MD5
842f1b59474a8fd6c9b8df75d0e2d022
-
SHA1
d25ec17ab3e95ba1455d27633b0d02dc09619883
-
SHA256
b35d0ff7d0311bf8a48fca17bfd2eeb08d5cfbaccac1b7a2f07a85cdba10175a
-
SHA512
fb04140e6f9bf4985260f85f2f962c5fe8286debf8184b8d3d403c3b946b4980076bebcd6f55b1332351dc54c287ffb93a7dbeb24c748e7186e878fa61b37fed
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/4396-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3116-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/612-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1368-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-788-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2532 jdjpd.exe 4852 nbnbhb.exe 2864 1xlffff.exe 1636 hbnntn.exe 1968 llxfxfl.exe 4184 bhnhhh.exe 3672 vvpjd.exe 1640 bbnttt.exe 3964 ddvpv.exe 3392 5llfxrr.exe 4044 bhhbtt.exe 3600 1pvvj.exe 2408 tntbbb.exe 1952 vjjvj.exe 3320 rfllrrx.exe 4828 dppdv.exe 1960 9xlrrlf.exe 2776 bnbthh.exe 2380 9dpjv.exe 4516 lrrfxfr.exe 4920 vddvp.exe 4656 vvjvp.exe 3496 hbbbnn.exe 1248 vdpvv.exe 2504 bhbnbt.exe 1724 jdvpj.exe 1312 lxxlxrf.exe 3268 bnhntt.exe 2020 1jvdd.exe 2980 rlflrff.exe 5012 btnbnh.exe 3172 jdvdp.exe 3700 thttnn.exe 4116 nhhtnb.exe 4944 jjvvp.exe 1444 7lflfxx.exe 364 hbhbtt.exe 3116 vvpjv.exe 4752 xxxrlll.exe 3328 rlxfrxr.exe 612 nbbbtn.exe 1820 jdvjd.exe 1940 7lxrrff.exe 1168 5rlxlfr.exe 724 pddjj.exe 4524 lflfrrl.exe 4544 9frllfl.exe 4148 tnhhhh.exe 4392 jdvpd.exe 3184 xxxlfxl.exe 3856 xflfxrl.exe 2532 3bttnn.exe 3752 jdpjd.exe 4988 rxlrlfl.exe 4360 xflfxrl.exe 1788 thhnbh.exe 4844 jdpjv.exe 1968 9rlrlrf.exe 3852 bnnnhh.exe 2636 jvjvj.exe 4768 xfllxrf.exe 3100 vvvdv.exe 1224 xflrrfl.exe 4788 hhhbnh.exe -
resource yara_rule behavioral2/memory/4396-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1312-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/612-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-339-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1368-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-544-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrrrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4396 wrote to memory of 2532 4396 b35d0ff7d0311bf8a48fca17bfd2eeb08d5cfbaccac1b7a2f07a85cdba10175a.exe 83 PID 4396 wrote to memory of 2532 4396 b35d0ff7d0311bf8a48fca17bfd2eeb08d5cfbaccac1b7a2f07a85cdba10175a.exe 83 PID 4396 wrote to memory of 2532 4396 b35d0ff7d0311bf8a48fca17bfd2eeb08d5cfbaccac1b7a2f07a85cdba10175a.exe 83 PID 2532 wrote to memory of 4852 2532 jdjpd.exe 84 PID 2532 wrote to memory of 4852 2532 jdjpd.exe 84 PID 2532 wrote to memory of 4852 2532 jdjpd.exe 84 PID 4852 wrote to memory of 2864 4852 nbnbhb.exe 85 PID 4852 wrote to memory of 2864 4852 nbnbhb.exe 85 PID 4852 wrote to memory of 2864 4852 nbnbhb.exe 85 PID 2864 wrote to memory of 1636 2864 1xlffff.exe 86 PID 2864 wrote to memory of 1636 2864 1xlffff.exe 86 PID 2864 wrote to memory of 1636 2864 1xlffff.exe 86 PID 1636 wrote to memory of 1968 1636 hbnntn.exe 87 PID 1636 wrote to memory of 1968 1636 hbnntn.exe 87 PID 1636 wrote to memory of 1968 1636 hbnntn.exe 87 PID 1968 wrote to memory of 4184 1968 llxfxfl.exe 88 PID 1968 wrote to memory of 4184 1968 llxfxfl.exe 88 PID 1968 wrote to memory of 4184 1968 llxfxfl.exe 88 PID 4184 wrote to memory of 3672 4184 bhnhhh.exe 89 PID 4184 wrote to memory of 3672 4184 bhnhhh.exe 89 PID 4184 wrote to memory of 3672 4184 bhnhhh.exe 89 PID 3672 wrote to memory of 1640 3672 vvpjd.exe 90 PID 3672 wrote to memory of 1640 3672 vvpjd.exe 90 PID 3672 wrote to memory of 1640 3672 vvpjd.exe 90 PID 1640 wrote to memory of 3964 1640 bbnttt.exe 91 PID 1640 wrote to memory of 3964 1640 bbnttt.exe 91 PID 1640 wrote to memory of 3964 1640 bbnttt.exe 91 PID 3964 wrote to memory of 3392 3964 ddvpv.exe 92 PID 3964 wrote to memory of 3392 3964 ddvpv.exe 92 PID 3964 wrote to memory of 3392 3964 ddvpv.exe 92 PID 3392 wrote to memory of 4044 3392 5llfxrr.exe 93 PID 3392 wrote to memory of 4044 3392 5llfxrr.exe 93 PID 3392 wrote to memory of 4044 3392 5llfxrr.exe 93 PID 4044 wrote to memory of 3600 4044 bhhbtt.exe 94 PID 4044 wrote to 
memory of 3600 4044 bhhbtt.exe 94 PID 4044 wrote to memory of 3600 4044 bhhbtt.exe 94 PID 3600 wrote to memory of 2408 3600 1pvvj.exe 95 PID 3600 wrote to memory of 2408 3600 1pvvj.exe 95 PID 3600 wrote to memory of 2408 3600 1pvvj.exe 95 PID 2408 wrote to memory of 1952 2408 tntbbb.exe 96 PID 2408 wrote to memory of 1952 2408 tntbbb.exe 96 PID 2408 wrote to memory of 1952 2408 tntbbb.exe 96 PID 1952 wrote to memory of 3320 1952 vjjvj.exe 97 PID 1952 wrote to memory of 3320 1952 vjjvj.exe 97 PID 1952 wrote to memory of 3320 1952 vjjvj.exe 97 PID 3320 wrote to memory of 4828 3320 rfllrrx.exe 98 PID 3320 wrote to memory of 4828 3320 rfllrrx.exe 98 PID 3320 wrote to memory of 4828 3320 rfllrrx.exe 98 PID 4828 wrote to memory of 1960 4828 dppdv.exe 99 PID 4828 wrote to memory of 1960 4828 dppdv.exe 99 PID 4828 wrote to memory of 1960 4828 dppdv.exe 99 PID 1960 wrote to memory of 2776 1960 9xlrrlf.exe 100 PID 1960 wrote to memory of 2776 1960 9xlrrlf.exe 100 PID 1960 wrote to memory of 2776 1960 9xlrrlf.exe 100 PID 2776 wrote to memory of 2380 2776 bnbthh.exe 101 PID 2776 wrote to memory of 2380 2776 bnbthh.exe 101 PID 2776 wrote to memory of 2380 2776 bnbthh.exe 101 PID 2380 wrote to memory of 4516 2380 9dpjv.exe 102 PID 2380 wrote to memory of 4516 2380 9dpjv.exe 102 PID 2380 wrote to memory of 4516 2380 9dpjv.exe 102 PID 4516 wrote to memory of 4920 4516 lrrfxfr.exe 103 PID 4516 wrote to memory of 4920 4516 lrrfxfr.exe 103 PID 4516 wrote to memory of 4920 4516 lrrfxfr.exe 103 PID 4920 wrote to memory of 4656 4920 vddvp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b35d0ff7d0311bf8a48fca17bfd2eeb08d5cfbaccac1b7a2f07a85cdba10175a.exe"C:\Users\Admin\AppData\Local\Temp\b35d0ff7d0311bf8a48fca17bfd2eeb08d5cfbaccac1b7a2f07a85cdba10175a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\jdjpd.exec:\jdjpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\nbnbhb.exec:\nbnbhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\1xlffff.exec:\1xlffff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\hbnntn.exec:\hbnntn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\llxfxfl.exec:\llxfxfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\bhnhhh.exec:\bhnhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\vvpjd.exec:\vvpjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\bbnttt.exec:\bbnttt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\ddvpv.exec:\ddvpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\5llfxrr.exec:\5llfxrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\bhhbtt.exec:\bhhbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\1pvvj.exec:\1pvvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\tntbbb.exec:\tntbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\vjjvj.exec:\vjjvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\rfllrrx.exec:\rfllrrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\dppdv.exec:\dppdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\9xlrrlf.exec:\9xlrrlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\bnbthh.exec:\bnbthh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\9dpjv.exec:\9dpjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\lrrfxfr.exec:\lrrfxfr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\vddvp.exec:\vddvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\vvjvp.exec:\vvjvp.exe23⤵
- Executes dropped EXE
PID:4656 -
\??\c:\hbbbnn.exec:\hbbbnn.exe24⤵
- Executes dropped EXE
PID:3496 -
\??\c:\vdpvv.exec:\vdpvv.exe25⤵
- Executes dropped EXE
PID:1248 -
\??\c:\bhbnbt.exec:\bhbnbt.exe26⤵
- Executes dropped EXE
PID:2504 -
\??\c:\jdvpj.exec:\jdvpj.exe27⤵
- Executes dropped EXE
PID:1724 -
\??\c:\lxxlxrf.exec:\lxxlxrf.exe28⤵
- Executes dropped EXE
PID:1312 -
\??\c:\bnhntt.exec:\bnhntt.exe29⤵
- Executes dropped EXE
PID:3268 -
\??\c:\1jvdd.exec:\1jvdd.exe30⤵
- Executes dropped EXE
PID:2020 -
\??\c:\rlflrff.exec:\rlflrff.exe31⤵
- Executes dropped EXE
PID:2980 -
\??\c:\btnbnh.exec:\btnbnh.exe32⤵
- Executes dropped EXE
PID:5012 -
\??\c:\jdvdp.exec:\jdvdp.exe33⤵
- Executes dropped EXE
PID:3172 -
\??\c:\thttnn.exec:\thttnn.exe34⤵
- Executes dropped EXE
PID:3700 -
\??\c:\nhhtnb.exec:\nhhtnb.exe35⤵
- Executes dropped EXE
PID:4116 -
\??\c:\jjvvp.exec:\jjvvp.exe36⤵
- Executes dropped EXE
PID:4944 -
\??\c:\7lflfxx.exec:\7lflfxx.exe37⤵
- Executes dropped EXE
PID:1444 -
\??\c:\hbhbtt.exec:\hbhbtt.exe38⤵
- Executes dropped EXE
PID:364 -
\??\c:\vvpjv.exec:\vvpjv.exe39⤵
- Executes dropped EXE
PID:3116 -
\??\c:\xxxrlll.exec:\xxxrlll.exe40⤵
- Executes dropped EXE
PID:4752 -
\??\c:\rlxfrxr.exec:\rlxfrxr.exe41⤵
- Executes dropped EXE
PID:3328 -
\??\c:\nbbbtn.exec:\nbbbtn.exe42⤵
- Executes dropped EXE
PID:612 -
\??\c:\jdvjd.exec:\jdvjd.exe43⤵
- Executes dropped EXE
PID:1820 -
\??\c:\7lxrrff.exec:\7lxrrff.exe44⤵
- Executes dropped EXE
PID:1940 -
\??\c:\5rlxlfr.exec:\5rlxlfr.exe45⤵
- Executes dropped EXE
PID:1168 -
\??\c:\pddjj.exec:\pddjj.exe46⤵
- Executes dropped EXE
PID:724 -
\??\c:\lflfrrl.exec:\lflfrrl.exe47⤵
- Executes dropped EXE
PID:4524 -
\??\c:\9frllfl.exec:\9frllfl.exe48⤵
- Executes dropped EXE
PID:4544 -
\??\c:\tnhhhh.exec:\tnhhhh.exe49⤵
- Executes dropped EXE
PID:4148 -
\??\c:\jdvpd.exec:\jdvpd.exe50⤵
- Executes dropped EXE
PID:4392 -
\??\c:\xxxlfxl.exec:\xxxlfxl.exe51⤵
- Executes dropped EXE
PID:3184 -
\??\c:\xflfxrl.exec:\xflfxrl.exe52⤵
- Executes dropped EXE
PID:3856 -
\??\c:\3bttnn.exec:\3bttnn.exe53⤵
- Executes dropped EXE
PID:2532 -
\??\c:\jdpjd.exec:\jdpjd.exe54⤵
- Executes dropped EXE
PID:3752 -
\??\c:\rxlrlfl.exec:\rxlrlfl.exe55⤵
- Executes dropped EXE
PID:4988 -
\??\c:\xflfxrl.exec:\xflfxrl.exe56⤵
- Executes dropped EXE
PID:4360 -
\??\c:\thhnbh.exec:\thhnbh.exe57⤵
- Executes dropped EXE
PID:1788 -
\??\c:\jdpjv.exec:\jdpjv.exe58⤵
- Executes dropped EXE
PID:4844 -
\??\c:\9rlrlrf.exec:\9rlrlrf.exe59⤵
- Executes dropped EXE
PID:1968 -
\??\c:\bnnnhh.exec:\bnnnhh.exe60⤵
- Executes dropped EXE
PID:3852 -
\??\c:\jvjvj.exec:\jvjvj.exe61⤵
- Executes dropped EXE
PID:2636 -
\??\c:\xfllxrf.exec:\xfllxrf.exe62⤵
- Executes dropped EXE
PID:4768 -
\??\c:\vvvdv.exec:\vvvdv.exe63⤵
- Executes dropped EXE
PID:3100 -
\??\c:\xflrrfl.exec:\xflrrfl.exe64⤵
- Executes dropped EXE
PID:1224 -
\??\c:\hhhbnh.exec:\hhhbnh.exe65⤵
- Executes dropped EXE
PID:4788 -
\??\c:\9vpdv.exec:\9vpdv.exe66⤵PID:1768
-
\??\c:\fffxxrr.exec:\fffxxrr.exe67⤵PID:4016
-
\??\c:\9tnbnt.exec:\9tnbnt.exe68⤵PID:3920
-
\??\c:\9lxxrxr.exec:\9lxxrxr.exe69⤵PID:4380
-
\??\c:\3tthth.exec:\3tthth.exe70⤵PID:4712
-
\??\c:\fllxlrf.exec:\fllxlrf.exe71⤵PID:3944
-
\??\c:\tththb.exec:\tththb.exe72⤵PID:4580
-
\??\c:\5dvjd.exec:\5dvjd.exe73⤵PID:2548
-
\??\c:\7btnbt.exec:\7btnbt.exe74⤵PID:3120
-
\??\c:\ppjpd.exec:\ppjpd.exe75⤵PID:2612
-
\??\c:\llrlxxr.exec:\llrlxxr.exe76⤵PID:1960
-
\??\c:\pppvv.exec:\pppvv.exe77⤵PID:4156
-
\??\c:\nnbbhh.exec:\nnbbhh.exe78⤵PID:4620
-
\??\c:\vpjdp.exec:\vpjdp.exe79⤵PID:1368
-
\??\c:\bbtnhb.exec:\bbtnhb.exe80⤵PID:4516
-
\??\c:\1pjvj.exec:\1pjvj.exe81⤵PID:3412
-
\??\c:\pdpdp.exec:\pdpdp.exe82⤵PID:220
-
\??\c:\1frfrxl.exec:\1frfrxl.exe83⤵PID:1576
-
\??\c:\1nnhbt.exec:\1nnhbt.exe84⤵PID:4860
-
\??\c:\5pjvd.exec:\5pjvd.exe85⤵PID:3548
-
\??\c:\rxrlxrl.exec:\rxrlxrl.exe86⤵PID:1248
-
\??\c:\5bthtn.exec:\5bthtn.exe87⤵PID:5028
-
\??\c:\7nnhtn.exec:\7nnhtn.exe88⤵PID:672
-
\??\c:\vppdp.exec:\vppdp.exe89⤵PID:3540
-
\??\c:\xlxfrxl.exec:\xlxfrxl.exe90⤵PID:3776
-
\??\c:\frlxlrf.exec:\frlxlrf.exe91⤵PID:5016
-
\??\c:\ttnnnh.exec:\ttnnnh.exe92⤵PID:3060
-
\??\c:\pjddv.exec:\pjddv.exe93⤵PID:2192
-
\??\c:\xrlrrfr.exec:\xrlrrfr.exe94⤵PID:1160
-
\??\c:\lfxrxxx.exec:\lfxrxxx.exe95⤵PID:1404
-
\??\c:\hnntth.exec:\hnntth.exe96⤵PID:884
-
\??\c:\pjjvj.exec:\pjjvj.exe97⤵PID:1792
-
\??\c:\flrlxrr.exec:\flrlxrr.exe98⤵PID:3124
-
\??\c:\nbhbnn.exec:\nbhbnn.exe99⤵PID:2892
-
\??\c:\bnnbnb.exec:\bnnbnb.exe100⤵PID:4944
-
\??\c:\5vddp.exec:\5vddp.exe101⤵PID:1444
-
\??\c:\9fffffx.exec:\9fffffx.exe102⤵PID:364
-
\??\c:\bnbtth.exec:\bnbtth.exe103⤵PID:384
-
\??\c:\jjjdv.exec:\jjjdv.exe104⤵PID:3148
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe105⤵PID:432
-
\??\c:\9ntnhh.exec:\9ntnhh.exe106⤵PID:3284
-
\??\c:\bttnbb.exec:\bttnbb.exe107⤵PID:3176
-
\??\c:\5jdpd.exec:\5jdpd.exe108⤵PID:4732
-
\??\c:\lrlxlfx.exec:\lrlxlfx.exe109⤵PID:452
-
\??\c:\9tnhbb.exec:\9tnhbb.exe110⤵PID:1976
-
\??\c:\ppdvd.exec:\ppdvd.exe111⤵PID:1800
-
\??\c:\jpjdp.exec:\jpjdp.exe112⤵PID:2444
-
\??\c:\xxfrrlf.exec:\xxfrrlf.exe113⤵PID:3076
-
\??\c:\7nnhbt.exec:\7nnhbt.exe114⤵PID:4796
-
\??\c:\pdjdd.exec:\pdjdd.exe115⤵PID:1876
-
\??\c:\9pjdv.exec:\9pjdv.exe116⤵PID:1532
-
\??\c:\5fffffx.exec:\5fffffx.exe117⤵PID:1740
-
\??\c:\btttnh.exec:\btttnh.exe118⤵PID:2532
-
\??\c:\1dvvj.exec:\1dvvj.exe119⤵PID:4316
-
\??\c:\rrxfrxf.exec:\rrxfrxf.exe120⤵PID:4988
-
\??\c:\1ffrlff.exec:\1ffrlff.exe121⤵PID:628
-
\??\c:\bnnnbt.exec:\bnnnbt.exe122⤵PID:4024