Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22/12/2024, 05:42
Behavioral task
behavioral1
Sample
344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe
-
Size
97KB
-
MD5
56600ed41f70a29baa3506d7f603240f
-
SHA1
2471b2d43a54198af4a8b81147db57cf7d2a5d71
-
SHA256
344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4
-
SHA512
69ca518c0620f4851d1040df8571a888fc853a07997fb43407c7ccfff813447a0d2e9b794e357e444acd55ef633beb4db8010db85a76cc99725388c3aee2fe82
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgRb:8cm4FmowdHoSgWrXUgN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1596-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1296-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3672-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4196-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/320-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2740-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1976-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/968-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4152-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2392-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4808-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1416-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2320-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3104-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/908-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2208-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3372-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1168-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4988-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1140-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/672-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1248-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1584-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2856-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3524-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5104-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2412-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1440-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1532-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3960-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4048-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1216-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3628-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2124-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2208-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1568-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1808-351-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4684-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1048-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/320-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-407-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2484-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4576-439-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1756-456-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-487-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2096-514-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1416-598-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3160-713-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-758-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1604-1076-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1296 nttttt.exe 3672 ppjdd.exe 1720 rrllfff.exe 4196 hnnnhn.exe 320 jdjpj.exe 4828 vjjpp.exe 2740 5fffxfx.exe 2284 dppjd.exe 2040 9lrrxfl.exe 3688 tbbbbb.exe 1976 jjddj.exe 968 3lfxllf.exe 4152 3tbbbn.exe 2472 ddvvp.exe 2392 rflrrff.exe 5028 bnbtth.exe 212 vpdvp.exe 4808 jddvj.exe 1748 xrlfxxx.exe 1416 lxrrfff.exe 1464 tbtnnb.exe 2320 9dddd.exe 3104 vjjdp.exe 312 5llfxxr.exe 908 ttntnt.exe 2548 ttnbtn.exe 4028 pvvpp.exe 2208 bbttnn.exe 4972 9pvvd.exe 3372 xrfrllx.exe 424 ttbhbh.exe 2964 pdvvj.exe 1168 vdpjv.exe 2224 rxxxllf.exe 4988 btnhbb.exe 4952 7btnnn.exe 1140 pvpjd.exe 4452 rlxrllr.exe 5000 nnhhhh.exe 672 vdjdd.exe 1248 vpjjd.exe 4592 frfrllf.exe 1584 9nbnbh.exe 4416 pjddd.exe 4884 xfffxxx.exe 2856 ttthbb.exe 2792 vjdvv.exe 5076 ttbtnn.exe 4544 hhhhbb.exe 2172 7vjdv.exe 8 frrxfrx.exe 1604 hnttht.exe 3524 pvvvp.exe 1820 xfrlfrr.exe 856 1nhhbt.exe 4372 jjdjd.exe 4928 xrrlfxx.exe 4868 ttnhhb.exe 2712 jdjdv.exe 5104 fflfllx.exe 2412 llrrllf.exe 1720 9tthbb.exe 1440 1jpvv.exe 3208 flflrrx.exe -
resource yara_rule behavioral2/memory/1596-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bf9-3.dat upx behavioral2/memory/1596-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cc0-8.dat upx behavioral2/memory/1296-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-11.dat upx behavioral2/memory/3672-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc5-19.dat upx behavioral2/memory/4196-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-23.dat upx behavioral2/files/0x0007000000023cc8-28.dat upx behavioral2/memory/4828-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/320-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/320-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc9-34.dat upx behavioral2/files/0x0007000000023cca-38.dat upx behavioral2/memory/2740-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccb-43.dat upx behavioral2/memory/2284-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-48.dat upx behavioral2/memory/2040-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3688-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccd-54.dat upx behavioral2/memory/1976-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cce-60.dat upx behavioral2/files/0x0007000000023ccf-64.dat upx behavioral2/memory/968-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4152-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd0-69.dat upx behavioral2/files/0x0007000000023cd1-73.dat upx 
behavioral2/memory/2392-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd2-79.dat upx behavioral2/files/0x0007000000023cd3-82.dat upx behavioral2/files/0x0007000000023cd4-86.dat upx behavioral2/memory/212-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd5-91.dat upx behavioral2/memory/4808-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd6-96.dat upx behavioral2/files/0x0007000000023cd7-100.dat upx behavioral2/memory/1416-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd8-105.dat upx behavioral2/files/0x0007000000023cd9-109.dat upx behavioral2/memory/2320-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cda-114.dat upx behavioral2/memory/3104-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cdb-119.dat upx behavioral2/memory/908-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/908-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cc1-125.dat upx behavioral2/files/0x0007000000023cdc-129.dat upx behavioral2/files/0x0007000000023cdd-133.dat upx behavioral2/files/0x0007000000023cde-137.dat upx behavioral2/memory/2208-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cdf-142.dat upx behavioral2/files/0x0007000000023ce0-147.dat upx behavioral2/memory/3372-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce2-151.dat upx behavioral2/memory/1168-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4988-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1140-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4452-170-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/672-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1248-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4592-181-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxflxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlllfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1596 wrote to memory of 1296 1596 344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe 83 PID 1596 wrote to memory of 1296 1596 344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe 83 PID 1596 wrote to memory of 1296 1596 344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe 83 PID 1296 wrote to memory of 3672 1296 nttttt.exe 84 PID 1296 wrote to memory of 3672 1296 nttttt.exe 84 PID 1296 wrote to memory of 3672 1296 nttttt.exe 84 PID 3672 wrote to memory of 1720 3672 ppjdd.exe 85 PID 3672 wrote to memory of 1720 3672 ppjdd.exe 85 PID 3672 wrote to memory of 1720 3672 ppjdd.exe 85 PID 1720 wrote to memory of 4196 1720 rrllfff.exe 86 PID 1720 wrote to memory of 4196 1720 rrllfff.exe 86 PID 1720 wrote to memory of 4196 1720 rrllfff.exe 86 PID 4196 wrote to memory of 320 4196 hnnnhn.exe 87 PID 4196 wrote to memory of 320 4196 hnnnhn.exe 87 PID 4196 wrote to memory of 320 4196 hnnnhn.exe 87 PID 320 wrote to memory of 4828 320 jdjpj.exe 88 PID 320 wrote to memory of 4828 320 jdjpj.exe 88 PID 320 wrote to memory of 4828 320 jdjpj.exe 88 PID 4828 wrote to memory of 2740 4828 vjjpp.exe 89 PID 4828 wrote to memory of 2740 4828 vjjpp.exe 89 PID 4828 wrote to memory of 2740 4828 vjjpp.exe 89 PID 2740 wrote to memory of 2284 2740 5fffxfx.exe 90 PID 2740 wrote to memory of 2284 2740 5fffxfx.exe 90 PID 2740 wrote to memory of 2284 2740 5fffxfx.exe 90 PID 2284 wrote to memory of 2040 2284 dppjd.exe 91 PID 2284 wrote to memory of 2040 2284 dppjd.exe 91 PID 2284 wrote to memory of 2040 2284 dppjd.exe 91 PID 2040 wrote to memory of 3688 2040 9lrrxfl.exe 92 PID 2040 wrote to memory of 3688 2040 9lrrxfl.exe 92 PID 2040 wrote to memory of 3688 2040 9lrrxfl.exe 92 PID 3688 wrote to memory of 1976 3688 tbbbbb.exe 93 PID 3688 wrote to memory of 1976 3688 tbbbbb.exe 93 PID 3688 wrote to memory of 1976 3688 tbbbbb.exe 93 PID 1976 wrote to memory of 968 1976 jjddj.exe 94 PID 1976 wrote to memory of 968 
1976 jjddj.exe 94 PID 1976 wrote to memory of 968 1976 jjddj.exe 94 PID 968 wrote to memory of 4152 968 3lfxllf.exe 95 PID 968 wrote to memory of 4152 968 3lfxllf.exe 95 PID 968 wrote to memory of 4152 968 3lfxllf.exe 95 PID 4152 wrote to memory of 2472 4152 3tbbbn.exe 96 PID 4152 wrote to memory of 2472 4152 3tbbbn.exe 96 PID 4152 wrote to memory of 2472 4152 3tbbbn.exe 96 PID 2472 wrote to memory of 2392 2472 ddvvp.exe 97 PID 2472 wrote to memory of 2392 2472 ddvvp.exe 97 PID 2472 wrote to memory of 2392 2472 ddvvp.exe 97 PID 2392 wrote to memory of 5028 2392 rflrrff.exe 98 PID 2392 wrote to memory of 5028 2392 rflrrff.exe 98 PID 2392 wrote to memory of 5028 2392 rflrrff.exe 98 PID 5028 wrote to memory of 212 5028 bnbtth.exe 99 PID 5028 wrote to memory of 212 5028 bnbtth.exe 99 PID 5028 wrote to memory of 212 5028 bnbtth.exe 99 PID 212 wrote to memory of 4808 212 vpdvp.exe 100 PID 212 wrote to memory of 4808 212 vpdvp.exe 100 PID 212 wrote to memory of 4808 212 vpdvp.exe 100 PID 4808 wrote to memory of 1748 4808 jddvj.exe 101 PID 4808 wrote to memory of 1748 4808 jddvj.exe 101 PID 4808 wrote to memory of 1748 4808 jddvj.exe 101 PID 1748 wrote to memory of 1416 1748 xrlfxxx.exe 102 PID 1748 wrote to memory of 1416 1748 xrlfxxx.exe 102 PID 1748 wrote to memory of 1416 1748 xrlfxxx.exe 102 PID 1416 wrote to memory of 1464 1416 lxrrfff.exe 103 PID 1416 wrote to memory of 1464 1416 lxrrfff.exe 103 PID 1416 wrote to memory of 1464 1416 lxrrfff.exe 103 PID 1464 wrote to memory of 2320 1464 tbtnnb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe"C:\Users\Admin\AppData\Local\Temp\344a23878d6d39e6dfb79aa27ae724b110c9eaf19546d24ce42efc2c6542bdc4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\nttttt.exec:\nttttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\ppjdd.exec:\ppjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\rrllfff.exec:\rrllfff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\hnnnhn.exec:\hnnnhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\jdjpj.exec:\jdjpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\vjjpp.exec:\vjjpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\5fffxfx.exec:\5fffxfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\dppjd.exec:\dppjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\9lrrxfl.exec:\9lrrxfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\tbbbbb.exec:\tbbbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\jjddj.exec:\jjddj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\3lfxllf.exec:\3lfxllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\3tbbbn.exec:\3tbbbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\ddvvp.exec:\ddvvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\rflrrff.exec:\rflrrff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\bnbtth.exec:\bnbtth.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\vpdvp.exec:\vpdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\jddvj.exec:\jddvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\xrlfxxx.exec:\xrlfxxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\lxrrfff.exec:\lxrrfff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\tbtnnb.exec:\tbtnnb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\9dddd.exec:\9dddd.exe23⤵
- Executes dropped EXE
PID:2320 -
\??\c:\vjjdp.exec:\vjjdp.exe24⤵
- Executes dropped EXE
PID:3104 -
\??\c:\5llfxxr.exec:\5llfxxr.exe25⤵
- Executes dropped EXE
PID:312 -
\??\c:\ttntnt.exec:\ttntnt.exe26⤵
- Executes dropped EXE
PID:908 -
\??\c:\ttnbtn.exec:\ttnbtn.exe27⤵
- Executes dropped EXE
PID:2548 -
\??\c:\pvvpp.exec:\pvvpp.exe28⤵
- Executes dropped EXE
PID:4028 -
\??\c:\bbttnn.exec:\bbttnn.exe29⤵
- Executes dropped EXE
PID:2208 -
\??\c:\9pvvd.exec:\9pvvd.exe30⤵
- Executes dropped EXE
PID:4972 -
\??\c:\xrfrllx.exec:\xrfrllx.exe31⤵
- Executes dropped EXE
PID:3372 -
\??\c:\ttbhbh.exec:\ttbhbh.exe32⤵
- Executes dropped EXE
PID:424 -
\??\c:\pdvvj.exec:\pdvvj.exe33⤵
- Executes dropped EXE
PID:2964 -
\??\c:\vdpjv.exec:\vdpjv.exe34⤵
- Executes dropped EXE
PID:1168 -
\??\c:\rxxxllf.exec:\rxxxllf.exe35⤵
- Executes dropped EXE
PID:2224 -
\??\c:\btnhbb.exec:\btnhbb.exe36⤵
- Executes dropped EXE
PID:4988 -
\??\c:\7btnnn.exec:\7btnnn.exe37⤵
- Executes dropped EXE
PID:4952 -
\??\c:\pvpjd.exec:\pvpjd.exe38⤵
- Executes dropped EXE
PID:1140 -
\??\c:\rlxrllr.exec:\rlxrllr.exe39⤵
- Executes dropped EXE
PID:4452 -
\??\c:\nnhhhh.exec:\nnhhhh.exe40⤵
- Executes dropped EXE
PID:5000 -
\??\c:\vdjdd.exec:\vdjdd.exe41⤵
- Executes dropped EXE
PID:672 -
\??\c:\vpjjd.exec:\vpjjd.exe42⤵
- Executes dropped EXE
PID:1248 -
\??\c:\frfrllf.exec:\frfrllf.exe43⤵
- Executes dropped EXE
PID:4592 -
\??\c:\9nbnbh.exec:\9nbnbh.exe44⤵
- Executes dropped EXE
PID:1584 -
\??\c:\pjddd.exec:\pjddd.exe45⤵
- Executes dropped EXE
PID:4416 -
\??\c:\xfffxxx.exec:\xfffxxx.exe46⤵
- Executes dropped EXE
PID:4884 -
\??\c:\ttthbb.exec:\ttthbb.exe47⤵
- Executes dropped EXE
PID:2856 -
\??\c:\vjdvv.exec:\vjdvv.exe48⤵
- Executes dropped EXE
PID:2792 -
\??\c:\ttbtnn.exec:\ttbtnn.exe49⤵
- Executes dropped EXE
PID:5076 -
\??\c:\hhhhbb.exec:\hhhhbb.exe50⤵
- Executes dropped EXE
PID:4544 -
\??\c:\7vjdv.exec:\7vjdv.exe51⤵
- Executes dropped EXE
PID:2172 -
\??\c:\frrxfrx.exec:\frrxfrx.exe52⤵
- Executes dropped EXE
PID:8 -
\??\c:\hnttht.exec:\hnttht.exe53⤵
- Executes dropped EXE
PID:1604 -
\??\c:\pvvvp.exec:\pvvvp.exe54⤵
- Executes dropped EXE
PID:3524 -
\??\c:\xfrlfrr.exec:\xfrlfrr.exe55⤵
- Executes dropped EXE
PID:1820 -
\??\c:\1nhhbt.exec:\1nhhbt.exe56⤵
- Executes dropped EXE
PID:856 -
\??\c:\jjdjd.exec:\jjdjd.exe57⤵
- Executes dropped EXE
PID:4372 -
\??\c:\xrrlfxx.exec:\xrrlfxx.exe58⤵
- Executes dropped EXE
PID:4928 -
\??\c:\ttnhhb.exec:\ttnhhb.exe59⤵
- Executes dropped EXE
PID:4868 -
\??\c:\jdjdv.exec:\jdjdv.exe60⤵
- Executes dropped EXE
PID:2712 -
\??\c:\fflfllx.exec:\fflfllx.exe61⤵
- Executes dropped EXE
PID:5104 -
\??\c:\llrrllf.exec:\llrrllf.exe62⤵
- Executes dropped EXE
PID:2412 -
\??\c:\9tthbb.exec:\9tthbb.exe63⤵
- Executes dropped EXE
PID:1720 -
\??\c:\1jpvv.exec:\1jpvv.exe64⤵
- Executes dropped EXE
PID:1440 -
\??\c:\flflrrx.exec:\flflrrx.exe65⤵
- Executes dropped EXE
PID:3208 -
\??\c:\tntbhn.exec:\tntbhn.exe66⤵PID:2920
-
\??\c:\tnhbbb.exec:\tnhbbb.exe67⤵PID:1532
-
\??\c:\3jdpj.exec:\3jdpj.exe68⤵PID:4820
-
\??\c:\5lrllxx.exec:\5lrllxx.exe69⤵PID:3204
-
\??\c:\ttnnhh.exec:\ttnnhh.exe70⤵PID:2284
-
\??\c:\pvdvv.exec:\pvdvv.exe71⤵PID:1784
-
\??\c:\xflllxr.exec:\xflllxr.exe72⤵PID:2292
-
\??\c:\xflrllf.exec:\xflrllf.exe73⤵PID:3960
-
\??\c:\3ttnnn.exec:\3ttnnn.exe74⤵PID:3560
-
\??\c:\hnnhbn.exec:\hnnhbn.exe75⤵PID:4048
-
\??\c:\vvvpj.exec:\vvvpj.exe76⤵PID:768
-
\??\c:\lffxllf.exec:\lffxllf.exe77⤵PID:1216
-
\??\c:\rrxrxxl.exec:\rrxrxxl.exe78⤵PID:2656
-
\??\c:\7hbtnb.exec:\7hbtnb.exe79⤵PID:3712
-
\??\c:\hnhhbt.exec:\hnhhbt.exe80⤵PID:1456
-
\??\c:\ppvpp.exec:\ppvpp.exe81⤵PID:3708
-
\??\c:\7fxrrfx.exec:\7fxrrfx.exe82⤵PID:4900
-
\??\c:\5httnn.exec:\5httnn.exe83⤵PID:3628
-
\??\c:\5vddj.exec:\5vddj.exe84⤵PID:4508
-
\??\c:\vpvpj.exec:\vpvpj.exe85⤵PID:4496
-
\??\c:\ffflfll.exec:\ffflfll.exe86⤵PID:4436
-
\??\c:\tntnhn.exec:\tntnhn.exe87⤵PID:4948
-
\??\c:\hbhhbt.exec:\hbhhbt.exe88⤵PID:4956
-
\??\c:\vjdpv.exec:\vjdpv.exe89⤵PID:3696
-
\??\c:\llfrlff.exec:\llfrlff.exe90⤵PID:4548
-
\??\c:\hbhbtt.exec:\hbhbtt.exe91⤵PID:5032
-
\??\c:\bhhhhh.exec:\bhhhhh.exe92⤵PID:1452
-
\??\c:\vpjjj.exec:\vpjjj.exe93⤵PID:1324
-
\??\c:\3jpjj.exec:\3jpjj.exe94⤵PID:5108
-
\??\c:\7rfxxxx.exec:\7rfxxxx.exe95⤵PID:804
-
\??\c:\rxffrll.exec:\rxffrll.exe96⤵PID:2124
-
\??\c:\nthtnt.exec:\nthtnt.exe97⤵PID:60
-
\??\c:\1vvvv.exec:\1vvvv.exe98⤵PID:2208
-
\??\c:\lrrrflf.exec:\lrrrflf.exe99⤵PID:3404
-
\??\c:\3thbtb.exec:\3thbtb.exe100⤵PID:3636
-
\??\c:\9pdvv.exec:\9pdvv.exe101⤵PID:4228
-
\??\c:\jdppp.exec:\jdppp.exe102⤵PID:3788
-
\??\c:\3lrfrfl.exec:\3lrfrfl.exe103⤵PID:2928
-
\??\c:\1fxffxx.exec:\1fxffxx.exe104⤵PID:4804
-
\??\c:\tbbbbh.exec:\tbbbbh.exe105⤵PID:4396
-
\??\c:\pdppd.exec:\pdppd.exe106⤵PID:4616
-
\??\c:\jjjjj.exec:\jjjjj.exe107⤵PID:4988
-
\??\c:\lfrxxxx.exec:\lfrxxxx.exe108⤵PID:1404
-
\??\c:\tnbhhn.exec:\tnbhhn.exe109⤵PID:1568
-
\??\c:\1bhhhn.exec:\1bhhhn.exe110⤵PID:3692
-
\??\c:\pdddv.exec:\pdddv.exe111⤵PID:1052
-
\??\c:\fxxxxxx.exec:\fxxxxxx.exe112⤵PID:2704
-
\??\c:\5rxrxfl.exec:\5rxrxfl.exe113⤵PID:752
-
\??\c:\9nhhbh.exec:\9nhhbh.exe114⤵PID:4752
-
\??\c:\tbhhbb.exec:\tbhhbb.exe115⤵PID:3432
-
\??\c:\3dvjv.exec:\3dvjv.exe116⤵PID:4432
-
\??\c:\pjpvv.exec:\pjpvv.exe117⤵PID:1588
-
\??\c:\1lxfxfx.exec:\1lxfxfx.exe118⤵PID:1808
-
\??\c:\ntbbbh.exec:\ntbbbh.exe119⤵PID:1792
-
\??\c:\nbbbnn.exec:\nbbbnn.exe120⤵PID:4684
-
\??\c:\jvdjp.exec:\jvdjp.exe121⤵PID:1048
-
\??\c:\xfxxrll.exec:\xfxxrll.exe122⤵PID:1952