Analysis
-
max time kernel
120s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
02-09-2024 10:34
Behavioral task
behavioral1
Sample
5b4c36d9085bc4991b4d95cebdd31340N.exe
Resource
win7-20240708-en
windows7-x64
6 signatures
120 seconds
General
-
Target
5b4c36d9085bc4991b4d95cebdd31340N.exe
-
Size
93KB
-
MD5
5b4c36d9085bc4991b4d95cebdd31340
-
SHA1
f864d662ee9a95aa620687cc852fd200d9522531
-
SHA256
168dfcbf78c4d945c31b5f890b3551a7a725ed61e32a366080d50414cb3ab81b
-
SHA512
6dcb2332c20bc792a09ee8987fde52eb5a222855579586ea7833af1d68b841af1c07d286da8e93b0c08c031fc2b087db814b3d9eb9a4e44852c7cb69d4f41ddc
-
SSDEEP
1536:kvQBeOGtrYS3srx93UBWfwC6Ggnouy8p5yAXNlIQkPvA3qrEvO7C87FLoT:khOmTsF93UYfwC6GIoutpYcvrqrE6dkT
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5076-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2800-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5096-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4776-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/628-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1816-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3276-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2532-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1396-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1296-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1368-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2932-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2076-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/828-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4316-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2944-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1008-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3032-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3936-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3720-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3760-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3488-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2904-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3044-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2016-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1704-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2936-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2220-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/392-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4132-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4328-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1680-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/976-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3032-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2184-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1240-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-386-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2832-399-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4596-413-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4732-423-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2940-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1292-467-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1536-495-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/780-511-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1448-524-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3240-534-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3328-550-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3000-554-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1648-613-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4572-626-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/776-681-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2064-725-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1840-1518-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-1578-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1032-1705-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2800 htbnnh.exe 116 1pppd.exe 5096 vjvpp.exe 4776 nttnnh.exe 628 nbbnbn.exe 4436 jvvjp.exe 1816 llffxxr.exe 3276 lllxrrx.exe 2532 hbtnbt.exe 1396 ppdpj.exe 1296 fxfrxlr.exe 2036 7xxxllx.exe 1368 bnthht.exe 4564 jpjdd.exe 404 fxlfrlx.exe 2932 7xfrflf.exe 2076 nbbnhb.exe 2568 dpvpd.exe 1532 frllxlx.exe 4992 httntn.exe 828 djdvd.exe 4316 xrlxxxr.exe 2944 hnntnh.exe 3732 pjjvp.exe 1008 pddpv.exe 3176 7rxlxrl.exe 3032 xrlrflf.exe 2304 htnhnn.exe 2548 1hbbhb.exe 3936 jdjdv.exe 3720 fxfxrrf.exe 948 tbnhbn.exe 4448 nbtntt.exe 4952 vjdpj.exe 1436 jdjdv.exe 3760 5rrfrll.exe 2448 9frxfrr.exe 4976 tthbtt.exe 2788 tbbthb.exe 2260 jvdjd.exe 452 dpjvj.exe 3488 fxffxrl.exe 4352 3xlfrlx.exe 4312 7ttnhh.exe 2904 7djvv.exe 3044 vdpdp.exe 3896 xlrllxf.exe 2016 7ffxlfx.exe 1704 9nhbtn.exe 2936 ddjdv.exe 2940 7vdvp.exe 2220 rfxrlfx.exe 3616 nbhbtn.exe 1896 tnbnnh.exe 4648 dppjv.exe 1072 vddvp.exe 392 frrrlll.exe 3680 hthtth.exe 1912 vdpvj.exe 4132 dppdp.exe 2036 frlflfx.exe 1652 tbtnnh.exe 4328 3nnhtt.exe 4780 vpjvp.exe -
resource yara_rule behavioral2/memory/5076-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023440-5.dat upx behavioral2/memory/5076-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/116-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2800-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023445-10.dat upx behavioral2/files/0x0007000000023449-13.dat upx behavioral2/files/0x000700000002344a-21.dat upx behavioral2/memory/5096-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002344b-27.dat upx behavioral2/memory/4776-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002344c-33.dat upx behavioral2/memory/628-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002344d-39.dat upx behavioral2/memory/4436-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002344f-45.dat upx behavioral2/memory/1816-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3276-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023450-50.dat upx behavioral2/files/0x0007000000023451-56.dat upx behavioral2/memory/2532-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023452-63.dat upx behavioral2/memory/1396-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023453-68.dat upx behavioral2/memory/1296-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023454-74.dat upx behavioral2/files/0x0007000000023455-79.dat upx behavioral2/memory/1368-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4564-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023456-86.dat upx behavioral2/files/0x0007000000023457-91.dat upx 
behavioral2/memory/2932-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023458-97.dat upx behavioral2/memory/2076-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023459-101.dat upx behavioral2/files/0x000700000002345a-106.dat upx behavioral2/files/0x000700000002345b-111.dat upx behavioral2/memory/4992-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002345c-118.dat upx behavioral2/files/0x000700000002345d-122.dat upx behavioral2/memory/828-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002345e-128.dat upx behavioral2/memory/4316-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002345f-134.dat upx behavioral2/memory/2944-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023460-141.dat upx behavioral2/files/0x0007000000023461-145.dat upx behavioral2/memory/1008-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023462-151.dat upx behavioral2/memory/3032-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023463-155.dat upx behavioral2/files/0x0007000000023464-162.dat upx behavioral2/files/0x0008000000023446-167.dat upx behavioral2/memory/3936-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023465-172.dat upx behavioral2/files/0x0007000000023466-179.dat upx behavioral2/memory/3720-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1436-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3760-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2260-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3488-217-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2904-227-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3044-231-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2016-234-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
5xlrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5076 wrote to memory of 2800 5076 5b4c36d9085bc4991b4d95cebdd31340N.exe 85 PID 5076 wrote to memory of 2800 5076 5b4c36d9085bc4991b4d95cebdd31340N.exe 85 PID 5076 wrote to memory of 2800 5076 5b4c36d9085bc4991b4d95cebdd31340N.exe 85 PID 2800 wrote to memory of 116 2800 htbnnh.exe 86 PID 2800 wrote to memory of 116 2800 htbnnh.exe 86 PID 2800 wrote to memory of 116 2800 htbnnh.exe 86 PID 116 wrote to memory of 5096 116 1pppd.exe 87 PID 116 wrote to memory of 5096 116 1pppd.exe 87 PID 116 wrote to memory of 5096 116 1pppd.exe 87 PID 5096 wrote to memory of 4776 5096 vjvpp.exe 88 PID 5096 wrote to memory of 4776 5096 vjvpp.exe 88 PID 5096 wrote to memory of 4776 5096 vjvpp.exe 88 PID 4776 wrote to memory of 628 4776 nttnnh.exe 89 PID 4776 wrote to memory of 628 4776 nttnnh.exe 89 PID 4776 wrote to memory of 628 4776 nttnnh.exe 89 PID 628 wrote to memory of 4436 628 nbbnbn.exe 90 PID 628 wrote to memory of 4436 628 nbbnbn.exe 90 PID 628 wrote to memory of 4436 628 nbbnbn.exe 90 PID 4436 wrote to memory of 1816 4436 jvvjp.exe 91 PID 4436 wrote to memory of 1816 4436 jvvjp.exe 91 PID 4436 wrote to memory of 1816 4436 jvvjp.exe 91 PID 1816 wrote to memory of 3276 1816 llffxxr.exe 92 PID 1816 wrote to memory of 3276 1816 llffxxr.exe 92 PID 1816 wrote to memory of 3276 1816 llffxxr.exe 92 PID 3276 wrote to memory of 2532 3276 lllxrrx.exe 93 PID 3276 wrote to memory of 2532 3276 lllxrrx.exe 93 PID 3276 wrote to memory of 2532 3276 lllxrrx.exe 93 PID 2532 wrote to memory of 1396 2532 hbtnbt.exe 94 PID 2532 wrote to memory of 1396 2532 hbtnbt.exe 94 PID 2532 wrote to memory of 1396 2532 hbtnbt.exe 94 PID 1396 wrote to memory of 1296 1396 ppdpj.exe 95 PID 1396 wrote to memory of 1296 1396 ppdpj.exe 95 PID 1396 wrote to memory of 1296 1396 ppdpj.exe 95 PID 1296 wrote to memory of 2036 1296 fxfrxlr.exe 96 PID 1296 wrote to memory of 2036 1296 fxfrxlr.exe 96 PID 1296 wrote to memory of 2036 1296 fxfrxlr.exe 96 PID 2036 wrote to memory of 
1368 2036 7xxxllx.exe 97 PID 2036 wrote to memory of 1368 2036 7xxxllx.exe 97 PID 2036 wrote to memory of 1368 2036 7xxxllx.exe 97 PID 1368 wrote to memory of 4564 1368 bnthht.exe 99 PID 1368 wrote to memory of 4564 1368 bnthht.exe 99 PID 1368 wrote to memory of 4564 1368 bnthht.exe 99 PID 4564 wrote to memory of 404 4564 jpjdd.exe 100 PID 4564 wrote to memory of 404 4564 jpjdd.exe 100 PID 4564 wrote to memory of 404 4564 jpjdd.exe 100 PID 404 wrote to memory of 2932 404 fxlfrlx.exe 101 PID 404 wrote to memory of 2932 404 fxlfrlx.exe 101 PID 404 wrote to memory of 2932 404 fxlfrlx.exe 101 PID 2932 wrote to memory of 2076 2932 7xfrflf.exe 102 PID 2932 wrote to memory of 2076 2932 7xfrflf.exe 102 PID 2932 wrote to memory of 2076 2932 7xfrflf.exe 102 PID 2076 wrote to memory of 2568 2076 nbbnhb.exe 104 PID 2076 wrote to memory of 2568 2076 nbbnhb.exe 104 PID 2076 wrote to memory of 2568 2076 nbbnhb.exe 104 PID 2568 wrote to memory of 1532 2568 dpvpd.exe 105 PID 2568 wrote to memory of 1532 2568 dpvpd.exe 105 PID 2568 wrote to memory of 1532 2568 dpvpd.exe 105 PID 1532 wrote to memory of 4992 1532 frllxlx.exe 106 PID 1532 wrote to memory of 4992 1532 frllxlx.exe 106 PID 1532 wrote to memory of 4992 1532 frllxlx.exe 106 PID 4992 wrote to memory of 828 4992 httntn.exe 107 PID 4992 wrote to memory of 828 4992 httntn.exe 107 PID 4992 wrote to memory of 828 4992 httntn.exe 107 PID 828 wrote to memory of 4316 828 djdvd.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b4c36d9085bc4991b4d95cebdd31340N.exe"C:\Users\Admin\AppData\Local\Temp\5b4c36d9085bc4991b4d95cebdd31340N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\htbnnh.exec:\htbnnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\1pppd.exec:\1pppd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\vjvpp.exec:\vjvpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\nttnnh.exec:\nttnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\nbbnbn.exec:\nbbnbn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\jvvjp.exec:\jvvjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\llffxxr.exec:\llffxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\lllxrrx.exec:\lllxrrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\hbtnbt.exec:\hbtnbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\ppdpj.exec:\ppdpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\fxfrxlr.exec:\fxfrxlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\7xxxllx.exec:\7xxxllx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\bnthht.exec:\bnthht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\jpjdd.exec:\jpjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\fxlfrlx.exec:\fxlfrlx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\7xfrflf.exec:\7xfrflf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\nbbnhb.exec:\nbbnhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\dpvpd.exec:\dpvpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\frllxlx.exec:\frllxlx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\httntn.exec:\httntn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\djdvd.exec:\djdvd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\xrlxxxr.exec:\xrlxxxr.exe23⤵
- Executes dropped EXE
PID:4316 -
\??\c:\hnntnh.exec:\hnntnh.exe24⤵
- Executes dropped EXE
PID:2944 -
\??\c:\pjjvp.exec:\pjjvp.exe25⤵
- Executes dropped EXE
PID:3732 -
\??\c:\pddpv.exec:\pddpv.exe26⤵
- Executes dropped EXE
PID:1008 -
\??\c:\7rxlxrl.exec:\7rxlxrl.exe27⤵
- Executes dropped EXE
PID:3176 -
\??\c:\xrlrflf.exec:\xrlrflf.exe28⤵
- Executes dropped EXE
PID:3032 -
\??\c:\htnhnn.exec:\htnhnn.exe29⤵
- Executes dropped EXE
PID:2304 -
\??\c:\1hbbhb.exec:\1hbbhb.exe30⤵
- Executes dropped EXE
PID:2548 -
\??\c:\jdjdv.exec:\jdjdv.exe31⤵
- Executes dropped EXE
PID:3936 -
\??\c:\fxfxrrf.exec:\fxfxrrf.exe32⤵
- Executes dropped EXE
PID:3720 -
\??\c:\tbnhbn.exec:\tbnhbn.exe33⤵
- Executes dropped EXE
PID:948 -
\??\c:\nbtntt.exec:\nbtntt.exe34⤵
- Executes dropped EXE
PID:4448 -
\??\c:\vjdpj.exec:\vjdpj.exe35⤵
- Executes dropped EXE
PID:4952 -
\??\c:\jdjdv.exec:\jdjdv.exe36⤵
- Executes dropped EXE
PID:1436 -
\??\c:\5rrfrll.exec:\5rrfrll.exe37⤵
- Executes dropped EXE
PID:3760 -
\??\c:\9frxfrr.exec:\9frxfrr.exe38⤵
- Executes dropped EXE
PID:2448 -
\??\c:\tthbtt.exec:\tthbtt.exe39⤵
- Executes dropped EXE
PID:4976 -
\??\c:\tbbthb.exec:\tbbthb.exe40⤵
- Executes dropped EXE
PID:2788 -
\??\c:\jvdjd.exec:\jvdjd.exe41⤵
- Executes dropped EXE
PID:2260 -
\??\c:\dpjvj.exec:\dpjvj.exe42⤵
- Executes dropped EXE
PID:452 -
\??\c:\fxffxrl.exec:\fxffxrl.exe43⤵
- Executes dropped EXE
PID:3488 -
\??\c:\3xlfrlx.exec:\3xlfrlx.exe44⤵
- Executes dropped EXE
PID:4352 -
\??\c:\7ttnhh.exec:\7ttnhh.exe45⤵
- Executes dropped EXE
PID:4312 -
\??\c:\7djvv.exec:\7djvv.exe46⤵
- Executes dropped EXE
PID:2904 -
\??\c:\vdpdp.exec:\vdpdp.exe47⤵
- Executes dropped EXE
PID:3044 -
\??\c:\xlrllxf.exec:\xlrllxf.exe48⤵
- Executes dropped EXE
PID:3896 -
\??\c:\7ffxlfx.exec:\7ffxlfx.exe49⤵
- Executes dropped EXE
PID:2016 -
\??\c:\9nhbtn.exec:\9nhbtn.exe50⤵
- Executes dropped EXE
PID:1704 -
\??\c:\ddjdv.exec:\ddjdv.exe51⤵
- Executes dropped EXE
PID:2936 -
\??\c:\7vdvp.exec:\7vdvp.exe52⤵
- Executes dropped EXE
PID:2940 -
\??\c:\rfxrlfx.exec:\rfxrlfx.exe53⤵
- Executes dropped EXE
PID:2220 -
\??\c:\nbhbtn.exec:\nbhbtn.exe54⤵
- Executes dropped EXE
PID:3616 -
\??\c:\tnbnnh.exec:\tnbnnh.exe55⤵
- Executes dropped EXE
PID:1896 -
\??\c:\dppjv.exec:\dppjv.exe56⤵
- Executes dropped EXE
PID:4648 -
\??\c:\vddvp.exec:\vddvp.exe57⤵
- Executes dropped EXE
PID:1072 -
\??\c:\frrrlll.exec:\frrrlll.exe58⤵
- Executes dropped EXE
PID:392 -
\??\c:\hthtth.exec:\hthtth.exe59⤵
- Executes dropped EXE
PID:3680 -
\??\c:\vdpvj.exec:\vdpvj.exe60⤵
- Executes dropped EXE
PID:1912 -
\??\c:\dppdp.exec:\dppdp.exe61⤵
- Executes dropped EXE
PID:4132 -
\??\c:\frlflfx.exec:\frlflfx.exe62⤵
- Executes dropped EXE
PID:2036 -
\??\c:\tbtnnh.exec:\tbtnnh.exe63⤵
- Executes dropped EXE
PID:1652 -
\??\c:\3nnhtt.exec:\3nnhtt.exe64⤵
- Executes dropped EXE
PID:4328 -
\??\c:\vpjvp.exec:\vpjvp.exe65⤵
- Executes dropped EXE
PID:4780 -
\??\c:\jpdpd.exec:\jpdpd.exe66⤵PID:924
-
\??\c:\frlxlxr.exec:\frlxlxr.exe67⤵PID:4416
-
\??\c:\nbbnhb.exec:\nbbnhb.exe68⤵PID:2196
-
\??\c:\1bttnt.exec:\1bttnt.exe69⤵PID:776
-
\??\c:\jdvjd.exec:\jdvjd.exe70⤵PID:4836
-
\??\c:\jpppv.exec:\jpppv.exe71⤵PID:1680
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe72⤵PID:4092
-
\??\c:\hhhtnh.exec:\hhhtnh.exe73⤵PID:976
-
\??\c:\dpdpd.exec:\dpdpd.exe74⤵PID:2088
-
\??\c:\vpvpp.exec:\vpvpp.exe75⤵PID:4840
-
\??\c:\lrrfxrr.exec:\lrrfxrr.exe76⤵PID:1568
-
\??\c:\nnnbtn.exec:\nnnbtn.exe77⤵PID:1336
-
\??\c:\nbthbn.exec:\nbthbn.exe78⤵PID:3984
-
\??\c:\9pdjj.exec:\9pdjj.exe79⤵PID:4532
-
\??\c:\vppjj.exec:\vppjj.exe80⤵PID:1156
-
\??\c:\rrxrlff.exec:\rrxrlff.exe81⤵PID:3844
-
\??\c:\lxxrlxr.exec:\lxxrlxr.exe82⤵PID:2632
-
\??\c:\ddjvj.exec:\ddjvj.exe83⤵PID:5044
-
\??\c:\frllxrl.exec:\frllxrl.exe84⤵PID:3176
-
\??\c:\lrxrffx.exec:\lrxrffx.exe85⤵PID:3032
-
\??\c:\hnnhbt.exec:\hnnhbt.exe86⤵PID:2704
-
\??\c:\bhhbtn.exec:\bhhbtn.exe87⤵PID:2184
-
\??\c:\pdvpj.exec:\pdvpj.exe88⤵PID:2684
-
\??\c:\pvpvp.exec:\pvpvp.exe89⤵PID:3936
-
\??\c:\llxfxlr.exec:\llxfxlr.exe90⤵PID:3720
-
\??\c:\frrrflf.exec:\frrrflf.exe91⤵PID:2208
-
\??\c:\5nthtn.exec:\5nthtn.exe92⤵PID:1240
-
\??\c:\5ttnnt.exec:\5ttnnt.exe93⤵PID:1876
-
\??\c:\jvjvj.exec:\jvjvj.exe94⤵PID:4428
-
\??\c:\3xrlffx.exec:\3xrlffx.exe95⤵PID:1720
-
\??\c:\xflfxxx.exec:\xflfxxx.exe96⤵PID:4996
-
\??\c:\nnthnh.exec:\nnthnh.exe97⤵PID:4072
-
\??\c:\ttthtn.exec:\ttthtn.exe98⤵PID:2832
-
\??\c:\jpvpj.exec:\jpvpj.exe99⤵PID:5056
-
\??\c:\9dpdv.exec:\9dpdv.exe100⤵PID:1624
-
\??\c:\xrxlxxr.exec:\xrxlxxr.exe101⤵PID:5032
-
\??\c:\lflfxxl.exec:\lflfxxl.exe102⤵PID:4596
-
\??\c:\nhtnnh.exec:\nhtnnh.exe103⤵PID:5076
-
\??\c:\htbhhb.exec:\htbhhb.exe104⤵PID:2800
-
\??\c:\jddvp.exec:\jddvp.exe105⤵PID:4732
-
\??\c:\5vvpd.exec:\5vvpd.exe106⤵PID:4812
-
\??\c:\xrfrfxl.exec:\xrfrfxl.exe107⤵PID:1672
-
\??\c:\1xxlfxl.exec:\1xxlfxl.exe108⤵PID:4400
-
\??\c:\bttnht.exec:\bttnht.exe109⤵PID:3572
-
\??\c:\bnbnnh.exec:\bnbnnh.exe110⤵PID:3204
-
\??\c:\jvddp.exec:\jvddp.exe111⤵PID:2940
-
\??\c:\vvpdp.exec:\vvpdp.exe112⤵PID:2220
-
\??\c:\xllxlfx.exec:\xllxlfx.exe113⤵PID:2580
-
\??\c:\rfrfrlx.exec:\rfrfrlx.exe114⤵PID:2400
-
\??\c:\httnnh.exec:\httnnh.exe115⤵PID:5084
-
\??\c:\djddd.exec:\djddd.exe116⤵PID:3200
-
\??\c:\pdpdp.exec:\pdpdp.exe117⤵PID:3784
-
\??\c:\rrlfrlf.exec:\rrlfrlf.exe118⤵PID:1296
-
\??\c:\lffxlff.exec:\lffxlff.exe119⤵PID:1292
-
\??\c:\5nnhhh.exec:\5nnhhh.exe120⤵PID:1368
-
\??\c:\ddvjd.exec:\ddvjd.exe121⤵PID:364
-
\??\c:\pdpjv.exec:\pdpjv.exe122⤵PID:4392