Analysis
max time kernel: 120s
max time network: 17s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 00:35

Behavioral task: behavioral1
Sample: cc7dc392df21b97e915bdc58ab763aa51c758976982d863e696db707b06ae8eeN.exe
Resource: win7-20241023-en (windows7-x64)
9 signatures, 120 seconds
General
Target: cc7dc392df21b97e915bdc58ab763aa51c758976982d863e696db707b06ae8eeN.exe
Size: 3.7MB
MD5: 83932b9bab1f61b0ba946aacc0533620
SHA1: 3da5bd965483321a40fa982da6714651c32302a2
SHA256: cc7dc392df21b97e915bdc58ab763aa51c758976982d863e696db707b06ae8ee
SHA512: 1bce7629676a5be7a242bd937708680a49ca9e804a04d3bd2da79939c07dc06c57d197983c0a3885654eead4085f58be80435ae49926953447611c3138a5a630
SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98w:U6XLq/qPPslzKx/dJg1ErmNR
Malware Config

Signatures

Blackmoon family

Detect Blackmoon payload (46 IoCs)
resource  yara_rule
behavioral1/memory/2780-66-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2460-63-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/3028-49-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2456-46-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2300-38-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1900-29-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2056-19-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1776-9-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1596-95-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2588-92-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1844-111-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1028-120-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1996-129-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/800-137-0x00000000002A0000-0x00000000002C7000-memory.dmp  family_blackmoon
behavioral1/memory/1724-157-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1296-183-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1720-200-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/448-211-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/944-223-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1840-220-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/944-226-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/1628-248-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/308-257-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1188-277-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1512-305-0x00000000001B0000-0x00000000001D7000-memory.dmp  family_blackmoon
behavioral1/memory/2296-323-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2748-350-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1096-376-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1596-402-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1816-427-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1604-446-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1628-527-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2132-549-0x00000000002A0000-0x00000000002C7000-memory.dmp  family_blackmoon
behavioral1/memory/3004-639-0x00000000001B0000-0x00000000001D7000-memory.dmp  family_blackmoon
behavioral1/memory/1564-670-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1564-677-0x0000000000250000-0x0000000000277000-memory.dmp  family_blackmoon
behavioral1/memory/2888-684-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1888-728-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/1976-742-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/1236-817-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1900-890-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/984-961-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/984-968-0x0000000000250000-0x0000000000277000-memory.dmp  family_blackmoon
behavioral1/memory/1180-986-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/1284-1051-0x0000000000430000-0x0000000000457000-memory.dmp  family_blackmoon
behavioral1/memory/272-1168-0x00000000003C0000-0x00000000003E7000-memory.dmp  family_blackmoon
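Every region the Blackmoon rule fires on spans exactly 0x27000 bytes, whether it sits at the default 32-bit image base 0x400000 or at a low, non-image address such as 0x220000 or 0x2A0000, and several PIDs (944, 1564, 984) are flagged at both. Reading that off 46 concatenated dump names by eye is error-prone, so the following added example (not part of the sandbox report) parses the `behavioral1/memory/<pid>-<seq>-<start>-<end>-memory.dmp` naming used above, computes each region's size and groups the hits by base address. The eight sample lines are copied from the list above; the regex and the function names are mine.

```python
"""Parse the memory-region IoCs listed under "Detect Blackmoon payload".

Added example, not part of the sandbox report. It takes IoC resource names
of the form behavioral1/memory/<pid>-<seq>-<start>-<end>-memory.dmp and
shows that every flagged region has the same size, i.e. the same payload
image is mapped over and over by different processes.
"""
import re
from collections import Counter

# Sample IoC lines copied from the report (one entry per line); the full
# report lists 46, this subset is enough to show the pattern.
IOC_LINES = """
behavioral1/memory/2780-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1776-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/800-137-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon
behavioral1/memory/944-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/944-226-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon
behavioral1/memory/1512-305-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon
behavioral1/memory/1284-1051-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon
behavioral1/memory/272-1168-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon
""".strip().splitlines()

# <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_dump_ioc(line):
    """Return a dict with task, pid, seq, start, end, size and rule, or None
    if the line is not a memory-dump IoC (e.g. a behavioral1/files/... entry)."""
    m = DUMP_RE.match(line.strip())
    if not m:
        return None
    start = int(m["start"], 16)
    end = int(m["end"], 16)
    return {
        "task": m["task"],
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
        "rule": m["rule"],
    }


def summarize(lines):
    """Parse all lines and count distinct region sizes and base addresses."""
    regions = [r for r in (parse_dump_ioc(l) for l in lines) if r]
    sizes = Counter(r["size"] for r in regions)
    bases = Counter(r["start"] for r in regions)
    return {"count": len(regions), "sizes": sizes, "bases": bases, "regions": regions}


def pids_with_two_copies(regions):
    """PIDs flagged at more than one base address, i.e. a second copy of the
    same-sized image exists in that process besides the one at its image base."""
    by_pid = {}
    for r in regions:
        by_pid.setdefault(r["pid"], set()).add(r["start"])
    return sorted(pid for pid, bases in by_pid.items() if len(bases) > 1)


if __name__ == "__main__":
    s = summarize(IOC_LINES)
    print(f"{s['count']} regions; distinct sizes: "
          + ", ".join(f"0x{sz:X} x{n}" for sz, n in s["sizes"].items()))
    for base, n in sorted(s["bases"].items()):
        print(f"  base 0x{base:08X}: {n} region(s)")
    print("PIDs with a second copy:", pids_with_two_copies(s["regions"]))
```

The single size bucket is the useful output: it says the rule is matching one and the same 0x27000-byte image across the whole chain, so one sample of it (for example the dump for PID 1776, the submitted file itself) is enough for static follow-up. The report does not state what the second, lower-address copies inside PIDs like 944 are used for, so the script only surfaces them.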
Njrat family
Executes dropped EXE (64 IoCs)
pid   Process
2056  8862266.exe
1900  482028.exe
2300  68066.exe
2456  7hhnhb.exe
3028  86822.exe
2460  xxrlfxr.exe
2780  9hnntn.exe
2756  flrrxxr.exe
2588  20406.exe
1596  08664.exe
1844  80262.exe
1028  08066.exe
1996  42444.exe
800   4424626.exe
1660  4844068.exe
1968  jdpvd.exe
1724  ffrlxfl.exe
2920  flrfxll.exe
1296  hthhtt.exe
2196  646248.exe
1720  0800624.exe
448   rllflxf.exe
1840  6664822.exe
944   0800062.exe
2208  k06400.exe
1628  2004480.exe
308   60406.exe
2140  llrffxf.exe
1620  xlflxfl.exe
1188  e00868.exe
2124  48240.exe
1708  7jddp.exe
1512  882862.exe
3000  8200622.exe
2280  lflxrxf.exe
2296  1bhbhb.exe
2772  046228.exe
2800  lrxlfxx.exe
2748  0406222.exe
2900  ttnntt.exe
2384  1xlflfx.exe
2840  4802222.exe
1096  w68400.exe
2756  0864000.exe
2712  pdppd.exe
2184  rlxxlrx.exe
1596  i220802.exe
1768  7vpdd.exe
1028  020282.exe
1964  202800.exe
1980  9dvdj.exe
1816  hbnhnt.exe
616   0806602.exe
1604  0844606.exe
1676  m4684.exe
2956  60244.exe
2360  1jvvj.exe
1392  w04400.exe
2044  pvddj.exe
1300  ddppv.exe
816   48066.exe
2932  m8000.exe
1840  9lxxlff.exe
944   dpdvd.exe
yara_rule upx (64 IoCs)
resource  yara_rule
behavioral1/files/0x0008000000016d3a-75.dat  upx
behavioral1/files/0x0007000000016cf5-65.dat  upx
behavioral1/memory/2780-66-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2460-63-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0007000000016cd7-57.dat  upx
behavioral1/files/0x0007000000016c88-48.dat  upx
behavioral1/memory/3028-49-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2456-46-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0008000000016c66-39.dat  upx
behavioral1/memory/2300-38-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00090000000165c7-30.dat  upx
behavioral1/memory/1900-29-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0009000000016b47-20.dat  upx
behavioral1/memory/2056-19-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000c00000001202c-10.dat  upx
behavioral1/memory/1776-9-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1776-0-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000017049-83.dat  upx
behavioral1/memory/2588-84-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1596-95-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000017497-94.dat  upx
behavioral1/memory/2588-92-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000600000001749c-102.dat  upx
behavioral1/memory/1844-103-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000600000001755b-112.dat  upx
behavioral1/memory/1844-111-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000018686-121.dat  upx
behavioral1/memory/1028-120-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00050000000186e7-130.dat  upx
behavioral1/memory/1996-129-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00050000000186ed-140.dat  upx
behavioral1/files/0x00050000000186f1-147.dat  upx
behavioral1/files/0x00050000000186f4-156.dat  upx
behavioral1/memory/1724-157-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000018704-166.dat  upx
behavioral1/memory/1724-164-0x0000000001F10000-0x0000000001F37000-memory.dmp  upx
behavioral1/memory/2920-170-0x0000000000220000-0x0000000000247000-memory.dmp  upx
behavioral1/files/0x0005000000018739-175.dat  upx
behavioral1/files/0x0005000000018744-184.dat  upx
behavioral1/memory/1296-183-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00050000000187a8-193.dat  upx
behavioral1/files/0x0006000000018b4e-201.dat  upx
behavioral1/memory/1720-200-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1296-212-0x0000000000220000-0x0000000000247000-memory.dmp  upx
behavioral1/memory/448-211-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000018c16-210.dat  upx
behavioral1/files/0x0005000000019246-222.dat  upx
behavioral1/memory/944-223-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1840-220-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019250-231.dat  upx
behavioral1/files/0x0005000000019269-240.dat  upx
behavioral1/files/0x0005000000019278-249.dat  upx
behavioral1/memory/1628-248-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019284-259.dat  upx
behavioral1/memory/308-257-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1620-267-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019297-268.dat  upx
behavioral1/memory/1188-277-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001933f-276.dat  upx
behavioral1/files/0x0005000000019360-285.dat  upx
behavioral1/files/0x00050000000193a6-295.dat  upx
behavioral1/memory/2280-316-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2296-323-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2296-327-0x0000000000220000-0x0000000000247000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (the same key for all 64 entries) by each of the following processes:
84804.exe, lflxlrl.exe, tthnbt.exe, 6804062.exe, djjjv.exe, 068624.exe, 9fffllr.exe, pddjv.exe, xxfrxlr.exe, 244866.exe, frlfrxf.exe, jjvdj.exe, 86884.exe, tnbhnh.exe, 06402.exe, jdvjd.exe, 62006.exe, rlxflrr.exe, 6826888.exe, 7djdj.exe, rffllll.exe, 26228.exe, jvpdj.exe, ppddd.exe,
dvjpv.exe, 0402444.exe, 8684002.exe, 20200.exe, 844228.exe, 22288.exe, tnnbhh.exe, 008826.exe, 804062.exe, pjjpj.exe, c262228.exe, 680444.exe, bhbbth.exe, 0606888.exe, 4844068.exe, 8868066.exe, thntbh.exe, 48802.exe, 486628.exe, g8406.exe, 442626.exe, k42000.exe, 2662806.exe, 86462.exe,
8206846.exe, vvjpp.exe, nbnhbt.exe, dddpp.exe, 026406.exe, llfxlff.exe, 62066.exe, thnbnh.exe, tbbnbt.exe, thttbh.exe, rlxxlrx.exe, 40646.exe, rxrrxrr.exe, 2684062.exe, 244622.exe, dpvdj.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  Process  procid_target
Each parent/child pair below is recorded four times in the report (one entry per write into the child); the 16 distinct pairs, in order, are:
PID 1776 wrote to memory of 2056  1776 cc7dc392df21b97e915bdc58ab763aa51c758976982d863e696db707b06ae8eeN.exe  30
PID 2056 wrote to memory of 1900  2056 8862266.exe  31
PID 1900 wrote to memory of 2300  1900 482028.exe  32
PID 2300 wrote to memory of 2456  2300 68066.exe  33
PID 2456 wrote to memory of 3028  2456 7hhnhb.exe  34
PID 3028 wrote to memory of 2460  3028 86822.exe  35
PID 2460 wrote to memory of 2780  2460 xxrlfxr.exe  36
PID 2780 wrote to memory of 2756  2780 9hnntn.exe  37
PID 2756 wrote to memory of 2588  2756 flrrxxr.exe  38
PID 2588 wrote to memory of 1596  2588 20406.exe  39
PID 1596 wrote to memory of 1844  1596 08664.exe  40
PID 1844 wrote to memory of 1028  1844 80262.exe  41
PID 1028 wrote to memory of 1996  1028 08066.exe  42
PID 1996 wrote to memory of 800  1996 42444.exe  43
PID 800 wrote to memory of 1660  800 4424626.exe  44
PID 1660 wrote to memory of 1968  1660 4844068.exe  45
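The WriteProcessMemory entries encode the whole execution chain: the submitted sample (PID 1776) writes into 2056, 2056 writes into 1900, and so on, one hop per dropped executable, with each hop logged four times. The following added example (not part of the report) parses entries in exactly the form shown above, collapses the repeats while counting them, and walks parent to child from the root PID to recover the chain in order. The sample text is the first few entries copied from the report; the regex and function names are mine. Note that this 64-IoC list stops at the 16th hop (PID 1968), while the process list further down shows the chain continuing to at least depth 122, so the chain recovered from this signature alone is a prefix, not the full run.

```python
"""Rebuild the process chain from "Suspicious use of WriteProcessMemory" IoCs.

Added example, not part of the sandbox report. Each IoC reads
"PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>"
and the report repeats a parent/child pair once per write. The functions below
collapse the repeats, follow parent -> child links from the submitted sample
and return the chain in execution order.
"""
import re

# First entries of the report's list, copied verbatim (the report has 64,
# four per parent/child pair; two pairs are shown here with their repeats).
WPM_TEXT = (
    "PID 1776 wrote to memory of 2056 1776 "
    "cc7dc392df21b97e915bdc58ab763aa51c758976982d863e696db707b06ae8eeN.exe 30 "
    "PID 1776 wrote to memory of 2056 1776 "
    "cc7dc392df21b97e915bdc58ab763aa51c758976982d863e696db707b06ae8eeN.exe 30 "
    "PID 2056 wrote to memory of 1900 2056 8862266.exe 31 "
    "PID 2056 wrote to memory of 1900 2056 8862266.exe 31 "
    "PID 1900 wrote to memory of 2300 1900 482028.exe 32 "
    "PID 2300 wrote to memory of 2456 2300 68066.exe 33 "
    "PID 2456 wrote to memory of 3028 2456 7hhnhb.exe 34 "
)

# The parent PID appears twice in each entry; the back-reference enforces that.
WPM_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) "
    r"(?P<image>\S+) (?P<target>\d+)"
)


def parse_writes(text):
    """Return [(parent_pid, child_pid, parent_image, write_count)] with
    duplicate pairs collapsed, in first-seen order."""
    counts = {}
    for m in WPM_RE.finditer(text):
        key = (int(m["parent"]), int(m["child"]), m["image"])
        counts[key] = counts.get(key, 0) + 1
    return [(p, c, img, n) for (p, c, img), n in counts.items()]


def build_chain(edges, root_pid):
    """Follow parent -> child edges from root_pid while each node has exactly
    one child; stop on a fork or on a PID already visited (PID reuse would
    show up as a cycle here and needs the report's sequence numbers to split)."""
    children = {}
    for parent, child, _img, _n in edges:
        children.setdefault(parent, []).append(child)
    chain = [root_pid]
    seen = {root_pid}
    cur = root_pid
    while cur in children and len(children[cur]) == 1:
        nxt = children[cur][0]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain


def image_of(edges, pid):
    """Image name the report records for pid as a parent, or None if pid
    never wrote into a child (the last process in the list)."""
    for parent, _child, img, _n in edges:
        if parent == pid:
            return img
    return None


if __name__ == "__main__":
    edges = parse_writes(WPM_TEXT)
    chain = build_chain(edges, 1776)
    print(" -> ".join(f"{pid} ({image_of(edges, pid) or '?'})" for pid in chain))
    for parent, child, img, n in edges:
        print(f"  {img} ({parent}) -> {child}: {n} write(s)")
```

Feeding the full 64-entry list yields 16 edges with a count of 4 each and a 17-PID chain ending at 1968; any edge with a different count, or a node with two children, would be the place to look for a genuine injection into an unrelated process rather than this sample's drop-and-execute loop.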
Processes
The tree is a single chain: each process below is the child of the one above it (the first column is the tree depth). The command line recorded for every dropped executable is its image path without the \??\ prefix, i.e. c:\<name>.exe; the root was launched as "C:\Users\Admin\AppData\Local\Temp\cc7dc392df21b97e915bdc58ab763aa51c758976982d863e696db707b06ae8eeN.exe".

depth  image  PID  signatures
1  C:\Users\Admin\AppData\Local\Temp\cc7dc392df21b97e915bdc58ab763aa51c758976982d863e696db707b06ae8eeN.exe  PID:1776  Suspicious use of WriteProcessMemory
2  \??\c:\8862266.exe  PID:2056  Executes dropped EXE; Suspicious use of WriteProcessMemory
3  \??\c:\482028.exe  PID:1900  Executes dropped EXE; Suspicious use of WriteProcessMemory
4  \??\c:\68066.exe  PID:2300  Executes dropped EXE; Suspicious use of WriteProcessMemory
5  \??\c:\7hhnhb.exe  PID:2456  Executes dropped EXE; Suspicious use of WriteProcessMemory
6  \??\c:\86822.exe  PID:3028  Executes dropped EXE; Suspicious use of WriteProcessMemory
7  \??\c:\xxrlfxr.exe  PID:2460  Executes dropped EXE; Suspicious use of WriteProcessMemory
8  \??\c:\9hnntn.exe  PID:2780  Executes dropped EXE; Suspicious use of WriteProcessMemory
9  \??\c:\flrrxxr.exe  PID:2756  Executes dropped EXE; Suspicious use of WriteProcessMemory
10  \??\c:\20406.exe  PID:2588  Executes dropped EXE; Suspicious use of WriteProcessMemory
11  \??\c:\08664.exe  PID:1596  Executes dropped EXE; Suspicious use of WriteProcessMemory
12  \??\c:\80262.exe  PID:1844  Executes dropped EXE; Suspicious use of WriteProcessMemory
13  \??\c:\08066.exe  PID:1028  Executes dropped EXE; Suspicious use of WriteProcessMemory
14  \??\c:\42444.exe  PID:1996  Executes dropped EXE; Suspicious use of WriteProcessMemory
15  \??\c:\4424626.exe  PID:800  Executes dropped EXE; Suspicious use of WriteProcessMemory
16  \??\c:\4844068.exe  PID:1660  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
17  \??\c:\jdpvd.exe  PID:1968  Executes dropped EXE
18  \??\c:\ffrlxfl.exe  PID:1724  Executes dropped EXE
19  \??\c:\flrfxll.exe  PID:2920  Executes dropped EXE
20  \??\c:\hthhtt.exe  PID:1296  Executes dropped EXE
21  \??\c:\646248.exe  PID:2196  Executes dropped EXE
22  \??\c:\0800624.exe  PID:1720  Executes dropped EXE
23  \??\c:\rllflxf.exe  PID:448  Executes dropped EXE
24  \??\c:\6664822.exe  PID:1840  Executes dropped EXE
25  \??\c:\0800062.exe  PID:944  Executes dropped EXE
26  \??\c:\k06400.exe  PID:2208  Executes dropped EXE
27  \??\c:\2004480.exe  PID:1628  Executes dropped EXE
28  \??\c:\60406.exe  PID:308  Executes dropped EXE
29  \??\c:\llrffxf.exe  PID:2140  Executes dropped EXE
30  \??\c:\xlflxfl.exe  PID:1620  Executes dropped EXE
31  \??\c:\e00868.exe  PID:1188  Executes dropped EXE
32  \??\c:\48240.exe  PID:2124  Executes dropped EXE
33  \??\c:\7jddp.exe  PID:1708  Executes dropped EXE
34  \??\c:\882862.exe  PID:1512  Executes dropped EXE
35  \??\c:\8200622.exe  PID:3000  Executes dropped EXE
36  \??\c:\lflxrxf.exe  PID:2280  Executes dropped EXE
37  \??\c:\1bhbhb.exe  PID:2296  Executes dropped EXE
38  \??\c:\046228.exe  PID:2772  Executes dropped EXE
39  \??\c:\lrxlfxx.exe  PID:2800  Executes dropped EXE
40  \??\c:\0406222.exe  PID:2748  Executes dropped EXE
41  \??\c:\ttnntt.exe  PID:2900  Executes dropped EXE
42  \??\c:\1xlflfx.exe  PID:2384  Executes dropped EXE
43  \??\c:\4802222.exe  PID:2840  Executes dropped EXE
44  \??\c:\w68400.exe  PID:1096  Executes dropped EXE
45  \??\c:\0864000.exe  PID:2756  Executes dropped EXE
46  \??\c:\pdppd.exe  PID:2712  Executes dropped EXE
47  \??\c:\rlxxlrx.exe  PID:2184  Executes dropped EXE; System Location Discovery: System Language Discovery
48  \??\c:\i220802.exe  PID:1596  Executes dropped EXE
49  \??\c:\7vpdd.exe  PID:1768  Executes dropped EXE
50  \??\c:\020282.exe  PID:1028  Executes dropped EXE
51  \??\c:\202800.exe  PID:1964  Executes dropped EXE
52  \??\c:\9dvdj.exe  PID:1980  Executes dropped EXE
53  \??\c:\hbnhnt.exe  PID:1816  Executes dropped EXE
54  \??\c:\0806602.exe  PID:616  Executes dropped EXE
55  \??\c:\0844606.exe  PID:1604  Executes dropped EXE
56  \??\c:\m4684.exe  PID:1676  Executes dropped EXE
57  \??\c:\60244.exe  PID:2956  Executes dropped EXE
58  \??\c:\1jvvj.exe  PID:2360  Executes dropped EXE
59  \??\c:\w04400.exe  PID:1392  Executes dropped EXE
60  \??\c:\pvddj.exe  PID:2044  Executes dropped EXE
61  \??\c:\ddppv.exe  PID:1300  Executes dropped EXE
62  \??\c:\48066.exe  PID:816  Executes dropped EXE
63  \??\c:\m8000.exe  PID:2932  Executes dropped EXE
64  \??\c:\9lxxlff.exe  PID:1840  Executes dropped EXE
65  \??\c:\dpdvd.exe  PID:944  Executes dropped EXE
66  \??\c:\2684006.exe  PID:1940
67  \??\c:\7pjvd.exe  PID:2208
68  \??\c:\s0668.exe  PID:1628
69  \??\c:\dpjjj.exe  PID:488
70  \??\c:\jdpvv.exe  PID:1396
71  \??\c:\dpvdj.exe  PID:2132  System Location Discovery: System Language Discovery
72  \??\c:\i040224.exe  PID:3056
73  \??\c:\06622.exe  PID:860
74  \??\c:\bnbbhh.exe  PID:1692
75  \??\c:\60420.exe  PID:1636
76  \??\c:\4424668.exe  PID:1776
77  \??\c:\0884624.exe  PID:2504
78  \??\c:\9pjjd.exe  PID:2064
79  \??\c:\dvppv.exe  PID:2272
80  \??\c:\8228844.exe  PID:1900
81  \??\c:\w02400.exe  PID:2104
82  \??\c:\dvjpv.exe  PID:2872  System Location Discovery: System Language Discovery
83  \??\c:\bbbhtb.exe  PID:2716
84  \??\c:\nnbhhh.exe  PID:2220
85  \??\c:\thttht.exe  PID:3004
86  \??\c:\08620.exe  PID:2924
87  \??\c:\ttnbnn.exe  PID:2892
88  \??\c:\6428400.exe  PID:2596
89  \??\c:\pjvpv.exe  PID:2668
90  \??\c:\3bhbth.exe  PID:2248
91  \??\c:\0806602.exe  PID:1564
92  \??\c:\8640044.exe  PID:784
93  \??\c:\5lrllff.exe  PID:2888
94  \??\c:\48002.exe  PID:1896
95  \??\c:\frfflrf.exe  PID:1736
96  \??\c:\jvjjp.exe  PID:868
97  \??\c:\048062.exe  PID:1200
98  \??\c:\frffrff.exe  PID:856
99  \??\c:\3dpvp.exe  PID:1888
100  \??\c:\082448.exe  PID:2680
101  \??\c:\2604068.exe  PID:1976
102  \??\c:\20844.exe  PID:2952
103  \??\c:\bnbttn.exe  PID:1560
104  \??\c:\bhnhtt.exe  PID:1020
105  \??\c:\btnhnt.exe  PID:2212
106  \??\c:\k82240.exe  PID:2944
107  \??\c:\660460.exe  PID:692
108  \??\c:\tbtbhh.exe  PID:920
109  \??\c:\82062.exe  PID:1652
110  \??\c:\660288.exe  PID:748
111  \??\c:\3djpv.exe  PID:1616
112  \??\c:\pdjvd.exe  PID:596
113  \??\c:\62646.exe  PID:1236
114  \??\c:\8864466.exe  PID:2936
115  \??\c:\pdjpv.exe  PID:564
116  \??\c:\3rrxllx.exe  PID:2412
117  \??\c:\jddpj.exe  PID:2364
118  \??\c:\1nnhnn.exe  PID:1532
119  \??\c:\c262228.exe  PID:2268  System Location Discovery: System Language Discovery
120  \??\c:\48624.exe  PID:2512
121  \??\c:\04284.exe  PID:2676
122  \??\c:\u028402.exe  PID:2500
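Two things in this tree matter when the IoCs above are joined back to processes. First, PIDs are recycled within the 120 second run: 1776 is the submitted sample at depth 1 and 4424668.exe at depth 76, 1596 is 08664.exe at depth 11 and i220802.exe at depth 48, and the "Executes dropped EXE" list accordingly carries 2756, 1596, 1028, 1840 and 944 twice each. A memory IoC such as 1596-95 versus 1596-402 therefore cannot be attributed by PID alone; the second field of the dump name is what separates the two processes. Second, the same image name can reappear with a fresh PID (0806602.exe at depths 54 and 91). The following added example (not part of the report) takes (depth, image, PID) tuples copied from this tree and reports both kinds of collision, then flags which memory IoCs are ambiguous by PID; the function names and the tuple format are mine.

```python
"""Detect PID and image-name reuse in the sandbox process tree.

Added example, not part of the sandbox report. The report's process list is
a linear chain (each process spawns the next); the tuples below are
(tree depth, image, PID) copied from it. Windows reuses PIDs of exited
processes, so in a 120 second run with 120+ short-lived children the same
PID is handed out several times.
"""
from collections import defaultdict

# Subset of the report's process tree, copied as (depth, image, PID).
PROCESSES = [
    (1, "cc7dc392df21b97e915bdc58ab763aa51c758976982d863e696db707b06ae8eeN.exe", 1776),
    (2, "8862266.exe", 2056),
    (3, "482028.exe", 1900),
    (9, "flrrxxr.exe", 2756),
    (11, "08664.exe", 1596),
    (13, "08066.exe", 1028),
    (24, "6664822.exe", 1840),
    (25, "0800062.exe", 944),
    (45, "0864000.exe", 2756),
    (48, "i220802.exe", 1596),
    (50, "020282.exe", 1028),
    (54, "0806602.exe", 616),
    (64, "9lxxlff.exe", 1840),
    (65, "dpdvd.exe", 944),
    (76, "4424668.exe", 1776),
    (80, "8228844.exe", 1900),
    (91, "0806602.exe", 1564),
]

# Memory-dump IoC names copied from the "Detect Blackmoon payload" list.
IOCS = [
    "behavioral1/memory/1596-95-0x0000000000400000-0x0000000000427000-memory.dmp",
    "behavioral1/memory/1596-402-0x0000000000400000-0x0000000000427000-memory.dmp",
    "behavioral1/memory/2780-66-0x0000000000400000-0x0000000000427000-memory.dmp",
]


def reused_pids(processes):
    """PID -> sorted [(depth, image)] for every PID assigned to more than one process."""
    by_pid = defaultdict(list)
    for depth, image, pid in processes:
        by_pid[pid].append((depth, image))
    return {pid: sorted(v) for pid, v in by_pid.items() if len(v) > 1}


def reused_names(processes):
    """image -> [PIDs] for every image name that appears more than once."""
    by_name = defaultdict(list)
    for _depth, image, pid in processes:
        by_name[image].append(pid)
    return {name: pids for name, pids in by_name.items() if len(pids) > 1}


def ioc_pid(ioc_name):
    """PID from a <task>/memory/<pid>-<seq>-...-memory.dmp resource name."""
    return int(ioc_name.rsplit("/", 1)[-1].split("-", 1)[0])


def ambiguous_iocs(ioc_names, processes):
    """[(ioc_name, [candidate images])] for IoCs whose PID maps to more than
    one process; these need the IoC's sequence number, not just the PID, to
    be tied to a specific image."""
    reused = reused_pids(processes)
    out = []
    for name in ioc_names:
        pid = ioc_pid(name)
        if pid in reused:
            out.append((name, [img for _d, img in reused[pid]]))
    return out


if __name__ == "__main__":
    for pid, uses in sorted(reused_pids(PROCESSES).items()):
        print(f"PID {pid} reused: " + ", ".join(f"depth {d} {img}" for d, img in uses))
    for name, pids in reused_names(PROCESSES).items():
        print(f"image {name} seen with PIDs {pids}")
    for name, images in ambiguous_iocs(IOCS, PROCESSES):
        print(f"{name} is ambiguous by PID: {images}")
```

When building detections or a timeline from a report like this, key process identity on (PID, sequence/time) or on the dropped-file hash rather than on PID, and treat a recurring image name as a different file until its hash says otherwise.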