Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
27/01/2025, 20:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe
-
Size
456KB
-
MD5
193a7e03c19dd6dcb492974859af3433
-
SHA1
15cc35234ac35cd92d2014fb7a80b68f1d0900e1
-
SHA256
248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81
-
SHA512
70714a5c6904506bf30f41fbe993e174da770a5e956379af7f3ef53b7f27e0d16363b2087956b1d25b72d215c11397429ee81b2bb5deb25628a24a7de7709e37
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/1624-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1436-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2304-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-91-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/2692-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1244-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1244-130-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2744-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/856-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1780-269-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/328-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1464-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1408-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-513-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2604-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/832-780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-831-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/684-872-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-1046-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-1116-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1556-1279-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/952-1348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1144-1368-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1612 7pjpj.exe 2128 204488.exe 1436 ddvpd.exe 2184 3hbhbh.exe 2832 288400.exe 2828 6868620.exe 2304 66406.exe 2896 1lffflr.exe 2848 7nntht.exe 2692 284800.exe 2988 btthnb.exe 2764 00402.exe 1244 4206840.exe 2744 k62080.exe 2912 7nhhht.exe 1936 i422602.exe 856 04262.exe 1720 9lflxxf.exe 1848 604066.exe 344 1lrrfrx.exe 876 rrflxxl.exe 1792 8240268.exe 772 m0068.exe 1964 w08024.exe 2408 08002.exe 1668 xfrfrrl.exe 1504 042240.exe 1804 g8022.exe 1780 jdpdv.exe 2604 60888.exe 328 480284.exe 2372 3btbnt.exe 1624 448066.exe 1612 s4624.exe 1676 bhbhth.exe 2596 ffrfxxl.exe 2244 pjjvd.exe 1436 hhbbnb.exe 2804 5frrrxf.exe 2816 nnhbnn.exe 2820 dvjvp.exe 332 6080286.exe 2864 hbbtbb.exe 3012 dvjjv.exe 2812 ffflxxl.exe 2748 5btnbn.exe 2692 xlflxfr.exe 2536 4422684.exe 1604 8408642.exe 1464 264088.exe 708 480240.exe 2860 1vvjp.exe 2080 rllrflf.exe 2908 7xflrxl.exe 108 tnbbhb.exe 1556 2842660.exe 2196 ddjvd.exe 2624 xfflrlf.exe 2392 048462.exe 1912 0862464.exe 1408 pdppj.exe 2260 2628404.exe 1792 804666.exe 848 086228.exe -
resource yara_rule behavioral1/memory/1624-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/856-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-228-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1804-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/328-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-646-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/832-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-811-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-824-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/684-872-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-1046-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-1059-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-1175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-1188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-1279-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2348-1311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-1348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-1361-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k44428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q60088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2640242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6006066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 448066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0044606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 442288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1624 wrote to memory of 1612 1624 248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe 30 PID 1624 wrote to memory of 1612 1624 248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe 30 PID 1624 wrote to memory of 1612 1624 248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe 30 PID 1624 wrote to memory of 1612 1624 248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe 30 PID 1612 wrote to memory of 2128 1612 7pjpj.exe 31 PID 1612 wrote to memory of 2128 1612 7pjpj.exe 31 PID 1612 wrote to memory of 2128 1612 7pjpj.exe 31 PID 1612 wrote to memory of 2128 1612 7pjpj.exe 31 PID 2128 wrote to memory of 1436 2128 204488.exe 32 PID 2128 wrote to memory of 1436 2128 204488.exe 32 PID 2128 wrote to memory of 1436 2128 204488.exe 32 PID 2128 wrote to memory of 1436 2128 204488.exe 32 PID 1436 wrote to memory of 2184 1436 ddvpd.exe 33 PID 1436 wrote to memory of 2184 1436 ddvpd.exe 33 PID 1436 wrote to memory of 2184 1436 ddvpd.exe 33 PID 1436 wrote to memory of 2184 1436 ddvpd.exe 33 PID 2184 wrote to memory of 2832 2184 3hbhbh.exe 34 PID 2184 wrote to memory of 2832 2184 3hbhbh.exe 34 PID 2184 wrote to memory of 2832 2184 3hbhbh.exe 34 PID 2184 wrote to memory of 2832 2184 3hbhbh.exe 34 PID 2832 wrote to memory of 2828 2832 288400.exe 35 PID 2832 wrote to memory of 2828 2832 288400.exe 35 PID 2832 wrote to memory of 2828 2832 288400.exe 35 PID 2832 wrote to memory of 2828 2832 288400.exe 35 PID 2828 wrote to memory of 2304 2828 6868620.exe 36 PID 2828 wrote to memory of 2304 2828 6868620.exe 36 PID 2828 wrote to memory of 2304 2828 6868620.exe 36 PID 2828 wrote to memory of 2304 2828 6868620.exe 36 PID 2304 wrote to memory of 2896 2304 66406.exe 37 PID 2304 wrote to memory of 2896 2304 66406.exe 37 PID 2304 wrote to memory of 2896 2304 66406.exe 37 PID 2304 wrote to memory of 2896 2304 66406.exe 37 PID 2896 wrote to memory of 2848 2896 1lffflr.exe 38 PID 2896 wrote to 
memory of 2848 2896 1lffflr.exe 38 PID 2896 wrote to memory of 2848 2896 1lffflr.exe 38 PID 2896 wrote to memory of 2848 2896 1lffflr.exe 38 PID 2848 wrote to memory of 2692 2848 7nntht.exe 39 PID 2848 wrote to memory of 2692 2848 7nntht.exe 39 PID 2848 wrote to memory of 2692 2848 7nntht.exe 39 PID 2848 wrote to memory of 2692 2848 7nntht.exe 39 PID 2692 wrote to memory of 2988 2692 284800.exe 40 PID 2692 wrote to memory of 2988 2692 284800.exe 40 PID 2692 wrote to memory of 2988 2692 284800.exe 40 PID 2692 wrote to memory of 2988 2692 284800.exe 40 PID 2988 wrote to memory of 2764 2988 btthnb.exe 41 PID 2988 wrote to memory of 2764 2988 btthnb.exe 41 PID 2988 wrote to memory of 2764 2988 btthnb.exe 41 PID 2988 wrote to memory of 2764 2988 btthnb.exe 41 PID 2764 wrote to memory of 1244 2764 00402.exe 42 PID 2764 wrote to memory of 1244 2764 00402.exe 42 PID 2764 wrote to memory of 1244 2764 00402.exe 42 PID 2764 wrote to memory of 1244 2764 00402.exe 42 PID 1244 wrote to memory of 2744 1244 4206840.exe 43 PID 1244 wrote to memory of 2744 1244 4206840.exe 43 PID 1244 wrote to memory of 2744 1244 4206840.exe 43 PID 1244 wrote to memory of 2744 1244 4206840.exe 43 PID 2744 wrote to memory of 2912 2744 k62080.exe 44 PID 2744 wrote to memory of 2912 2744 k62080.exe 44 PID 2744 wrote to memory of 2912 2744 k62080.exe 44 PID 2744 wrote to memory of 2912 2744 k62080.exe 44 PID 2912 wrote to memory of 1936 2912 7nhhht.exe 45 PID 2912 wrote to memory of 1936 2912 7nhhht.exe 45 PID 2912 wrote to memory of 1936 2912 7nhhht.exe 45 PID 2912 wrote to memory of 1936 2912 7nhhht.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe"C:\Users\Admin\AppData\Local\Temp\248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\7pjpj.exec:\7pjpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\204488.exec:\204488.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\ddvpd.exec:\ddvpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\3hbhbh.exec:\3hbhbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\288400.exec:\288400.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\6868620.exec:\6868620.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\66406.exec:\66406.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\1lffflr.exec:\1lffflr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\7nntht.exec:\7nntht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\284800.exec:\284800.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\btthnb.exec:\btthnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\00402.exec:\00402.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\4206840.exec:\4206840.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\k62080.exec:\k62080.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\7nhhht.exec:\7nhhht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\i422602.exec:\i422602.exe17⤵
- Executes dropped EXE
PID:1936 -
\??\c:\04262.exec:\04262.exe18⤵
- Executes dropped EXE
PID:856 -
\??\c:\9lflxxf.exec:\9lflxxf.exe19⤵
- Executes dropped EXE
PID:1720 -
\??\c:\604066.exec:\604066.exe20⤵
- Executes dropped EXE
PID:1848 -
\??\c:\1lrrfrx.exec:\1lrrfrx.exe21⤵
- Executes dropped EXE
PID:344 -
\??\c:\rrflxxl.exec:\rrflxxl.exe22⤵
- Executes dropped EXE
PID:876 -
\??\c:\8240268.exec:\8240268.exe23⤵
- Executes dropped EXE
PID:1792 -
\??\c:\m0068.exec:\m0068.exe24⤵
- Executes dropped EXE
PID:772 -
\??\c:\w08024.exec:\w08024.exe25⤵
- Executes dropped EXE
PID:1964 -
\??\c:\08002.exec:\08002.exe26⤵
- Executes dropped EXE
PID:2408 -
\??\c:\xfrfrrl.exec:\xfrfrrl.exe27⤵
- Executes dropped EXE
PID:1668 -
\??\c:\042240.exec:\042240.exe28⤵
- Executes dropped EXE
PID:1504 -
\??\c:\g8022.exec:\g8022.exe29⤵
- Executes dropped EXE
PID:1804 -
\??\c:\jdpdv.exec:\jdpdv.exe30⤵
- Executes dropped EXE
PID:1780 -
\??\c:\60888.exec:\60888.exe31⤵
- Executes dropped EXE
PID:2604 -
\??\c:\480284.exec:\480284.exe32⤵
- Executes dropped EXE
PID:328 -
\??\c:\3btbnt.exec:\3btbnt.exe33⤵
- Executes dropped EXE
PID:2372 -
\??\c:\448066.exec:\448066.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1624 -
\??\c:\s4624.exec:\s4624.exe35⤵
- Executes dropped EXE
PID:1612 -
\??\c:\bhbhth.exec:\bhbhth.exe36⤵
- Executes dropped EXE
PID:1676 -
\??\c:\ffrfxxl.exec:\ffrfxxl.exe37⤵
- Executes dropped EXE
PID:2596 -
\??\c:\pjjvd.exec:\pjjvd.exe38⤵
- Executes dropped EXE
PID:2244 -
\??\c:\hhbbnb.exec:\hhbbnb.exe39⤵
- Executes dropped EXE
PID:1436 -
\??\c:\5frrrxf.exec:\5frrrxf.exe40⤵
- Executes dropped EXE
PID:2804 -
\??\c:\nnhbnn.exec:\nnhbnn.exe41⤵
- Executes dropped EXE
PID:2816 -
\??\c:\dvjvp.exec:\dvjvp.exe42⤵
- Executes dropped EXE
PID:2820 -
\??\c:\6080286.exec:\6080286.exe43⤵
- Executes dropped EXE
PID:332 -
\??\c:\hbbtbb.exec:\hbbtbb.exe44⤵
- Executes dropped EXE
PID:2864 -
\??\c:\dvjjv.exec:\dvjjv.exe45⤵
- Executes dropped EXE
PID:3012 -
\??\c:\ffflxxl.exec:\ffflxxl.exe46⤵
- Executes dropped EXE
PID:2812 -
\??\c:\5btnbn.exec:\5btnbn.exe47⤵
- Executes dropped EXE
PID:2748 -
\??\c:\xlflxfr.exec:\xlflxfr.exe48⤵
- Executes dropped EXE
PID:2692 -
\??\c:\4422684.exec:\4422684.exe49⤵
- Executes dropped EXE
PID:2536 -
\??\c:\8408642.exec:\8408642.exe50⤵
- Executes dropped EXE
PID:1604 -
\??\c:\264088.exec:\264088.exe51⤵
- Executes dropped EXE
PID:1464 -
\??\c:\480240.exec:\480240.exe52⤵
- Executes dropped EXE
PID:708 -
\??\c:\1vvjp.exec:\1vvjp.exe53⤵
- Executes dropped EXE
PID:2860 -
\??\c:\rllrflf.exec:\rllrflf.exe54⤵
- Executes dropped EXE
PID:2080 -
\??\c:\7xflrxl.exec:\7xflrxl.exe55⤵
- Executes dropped EXE
PID:2908 -
\??\c:\tnbbhb.exec:\tnbbhb.exe56⤵
- Executes dropped EXE
PID:108 -
\??\c:\2842660.exec:\2842660.exe57⤵
- Executes dropped EXE
PID:1556 -
\??\c:\ddjvd.exec:\ddjvd.exe58⤵
- Executes dropped EXE
PID:2196 -
\??\c:\xfflrlf.exec:\xfflrlf.exe59⤵
- Executes dropped EXE
PID:2624 -
\??\c:\048462.exec:\048462.exe60⤵
- Executes dropped EXE
PID:2392 -
\??\c:\0862464.exec:\0862464.exe61⤵
- Executes dropped EXE
PID:1912 -
\??\c:\pdppj.exec:\pdppj.exe62⤵
- Executes dropped EXE
PID:1408 -
\??\c:\2628404.exec:\2628404.exe63⤵
- Executes dropped EXE
PID:2260 -
\??\c:\804666.exec:\804666.exe64⤵
- Executes dropped EXE
PID:1792 -
\??\c:\086228.exec:\086228.exe65⤵
- Executes dropped EXE
PID:848 -
\??\c:\26460.exec:\26460.exe66⤵PID:1476
-
\??\c:\q86288.exec:\q86288.exe67⤵PID:2480
-
\??\c:\jvvdj.exec:\jvvdj.exe68⤵PID:836
-
\??\c:\jjdjd.exec:\jjdjd.exe69⤵PID:560
-
\??\c:\btttnt.exec:\btttnt.exe70⤵PID:1760
-
\??\c:\6040668.exec:\6040668.exe71⤵PID:1144
-
\??\c:\482422.exec:\482422.exe72⤵PID:2620
-
\??\c:\hbhnbh.exec:\hbhnbh.exe73⤵PID:2180
-
\??\c:\c424280.exec:\c424280.exe74⤵PID:2604
-
\??\c:\nhhhth.exec:\nhhhth.exe75⤵PID:304
-
\??\c:\fffrlxr.exec:\fffrlxr.exe76⤵PID:1696
-
\??\c:\264646.exec:\264646.exe77⤵PID:2340
-
\??\c:\8268002.exec:\8268002.exe78⤵PID:1624
-
\??\c:\7thnnt.exec:\7thnnt.exe79⤵PID:1612
-
\??\c:\q44040.exec:\q44040.exe80⤵PID:1680
-
\??\c:\5vpdv.exec:\5vpdv.exe81⤵PID:2248
-
\??\c:\xrfrxlf.exec:\xrfrxlf.exe82⤵PID:484
-
\??\c:\7pjdv.exec:\7pjdv.exe83⤵PID:2948
-
\??\c:\dvpdp.exec:\dvpdp.exe84⤵PID:2832
-
\??\c:\26640.exec:\26640.exe85⤵PID:2824
-
\??\c:\402424.exec:\402424.exe86⤵PID:2096
-
\??\c:\nhttbb.exec:\nhttbb.exe87⤵PID:2792
-
\??\c:\7vvpv.exec:\7vvpv.exe88⤵PID:2888
-
\??\c:\vvpvj.exec:\vvpvj.exe89⤵PID:2952
-
\??\c:\024882.exec:\024882.exe90⤵PID:1048
-
\??\c:\a6442.exec:\a6442.exe91⤵PID:2680
-
\??\c:\jdvdj.exec:\jdvdj.exe92⤵PID:2540
-
\??\c:\06422.exec:\06422.exe93⤵PID:664
-
\??\c:\26024.exec:\26024.exe94⤵PID:1732
-
\??\c:\9djpd.exec:\9djpd.exe95⤵PID:2996
-
\??\c:\pvvvp.exec:\pvvvp.exe96⤵PID:2776
-
\??\c:\pvpdd.exec:\pvpdd.exe97⤵PID:2664
-
\??\c:\djjvp.exec:\djjvp.exe98⤵PID:852
-
\??\c:\fxrflxf.exec:\fxrflxf.exe99⤵PID:3036
-
\??\c:\4424242.exec:\4424242.exe100⤵PID:2912
-
\??\c:\fxrxlrf.exec:\fxrxlrf.exe101⤵PID:2152
-
\??\c:\vdddv.exec:\vdddv.exe102⤵PID:1800
-
\??\c:\jjvvd.exec:\jjvvd.exe103⤵PID:1852
-
\??\c:\dvvvj.exec:\dvvvj.exe104⤵PID:2064
-
\??\c:\tntbbb.exec:\tntbbb.exe105⤵PID:828
-
\??\c:\20824.exec:\20824.exe106⤵PID:2084
-
\??\c:\60464.exec:\60464.exe107⤵PID:2516
-
\??\c:\tbhttb.exec:\tbhttb.exe108⤵PID:2660
-
\??\c:\6066624.exec:\6066624.exe109⤵PID:832
-
\??\c:\2088402.exec:\2088402.exe110⤵PID:320
-
\??\c:\60860.exec:\60860.exe111⤵PID:1964
-
\??\c:\tthnhn.exec:\tthnhn.exe112⤵PID:288
-
\??\c:\xxrxrxr.exec:\xxrxrxr.exe113⤵PID:3032
-
\??\c:\ppjvd.exec:\ppjvd.exe114⤵PID:836
-
\??\c:\jppjp.exec:\jppjp.exe115⤵PID:2452
-
\??\c:\6624668.exec:\6624668.exe116⤵PID:1336
-
\??\c:\vvpdp.exec:\vvpdp.exe117⤵PID:1592
-
\??\c:\ntbtnb.exec:\ntbtnb.exe118⤵PID:2496
-
\??\c:\hbbhhh.exec:\hbbhhh.exe119⤵PID:1740
-
\??\c:\jjddv.exec:\jjddv.exe120⤵PID:328
-
\??\c:\jvjpv.exec:\jvjpv.exe121⤵PID:2384
-
\??\c:\5ttbhn.exec:\5ttbhn.exe122⤵PID:1028