Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
27-09-2024 12:45
Behavioral task
behavioral1
Sample
4ef67c4f99e61d8455a77fc970f54bee71d3a0ee54f75b5734d74b7b21439cefN.exe
Resource
win7-20240903-en
General
-
Target
4ef67c4f99e61d8455a77fc970f54bee71d3a0ee54f75b5734d74b7b21439cefN.exe
-
Size
381KB
-
MD5
50fc5cba7c40032cafa489070c5d6450
-
SHA1
6bbc84b18aede23b5e17e78d651749638b74af89
-
SHA256
4ef67c4f99e61d8455a77fc970f54bee71d3a0ee54f75b5734d74b7b21439cef
-
SHA512
868afe13c736a3a0cdc6f241f759cf1dfcd252faed7d454b999a3480409a3e2019cb7798144c31e9d5b16ce67d1e2eafd63cc8e864a930632aef8e076a01b7d4
-
SSDEEP
6144:9cm4FmowdHoSABIs9OKofHfHTXQLzgvnzHPowYbvrjD/L7QPbg/Dr0T3rnXLHf7h:/4wFHoSA4KofHfHTXQLzgvnzHPowYbvY
Malware Config
Signatures
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral1/memory/1744-7-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1172-16-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2480-37-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2920-35-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2576-26-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2480-47-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2644-71-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2772-81-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2644-80-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2644-78-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2740-69-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2740-58-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2888-57-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2520-107-0x0000000000250000-0x00000000002B0000-memory.dmp family_blackmoon behavioral1/memory/2672-102-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2520-113-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/692-123-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2932-135-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2932-128-0x0000000001C80000-0x0000000001CE0000-memory.dmp family_blackmoon behavioral1/memory/692-121-0x0000000000460000-0x00000000004C0000-memory.dmp family_blackmoon behavioral1/memory/1960-157-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon 
behavioral1/memory/2976-156-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/3000-145-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2552-179-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2552-186-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/380-189-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2552-187-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1644-178-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/448-222-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2408-350-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2808-358-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2928-367-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2716-375-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1708-544-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1652-502-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2408-341-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2432-339-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2576-326-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1592-316-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2172-306-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2036-295-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2496-284-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon 
behavioral1/memory/1584-274-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/716-265-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/944-254-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/944-253-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/944-245-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1672-243-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/448-231-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1728-221-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1728-219-0x0000000001CA0000-0x0000000001D00000-memory.dmp family_blackmoon behavioral1/memory/1728-211-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2100-210-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/380-200-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/1644-172-0x00000000001B0000-0x0000000000210000-memory.dmp family_blackmoon behavioral1/memory/1960-167-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/692-120-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2672-100-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2672-92-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2772-91-0x0000000000400000-0x0000000000460000-memory.dmp family_blackmoon behavioral1/memory/2772-85-0x0000000000220000-0x0000000000280000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1172 fxllrlr.exe 2576 nthhth.exe 2920 jvpvj.exe 2480 llxflxf.exe 2888 bbtnth.exe 2740 rlxflxl.exe 2644 xlfflxf.exe 2772 hthntt.exe 2672 5lflxfr.exe 2520 bhhthn.exe 692 5vddd.exe 2932 jvpvp.exe 3000 lfrxllf.exe 2976 9vvvv.exe 1960 tnbnbb.exe 1644 3xffrrx.exe 2552 1hhnbn.exe 380 9pdvd.exe 2100 vpjvd.exe 1728 1xlxllx.exe 448 hthhnh.exe 1672 vdjpj.exe 944 nhbntt.exe 716 nbhbtt.exe 1584 pjvvd.exe 2496 lfxrflf.exe 2036 hbnnht.exe 2172 3hbbbh.exe 1592 ffxfrfr.exe 2576 fffrlxr.exe 2432 9jdvp.exe 2408 ppjvj.exe 2808 ffxlxrf.exe 2928 3nhbnn.exe 2716 xrrxflx.exe 2768 hbtnbt.exe 2684 jjvjd.exe 2372 xrrflrf.exe 3024 hhbnhn.exe 2292 nbtnnn.exe 2864 ddpdj.exe 2980 rrlrrff.exe 3032 hnnbbb.exe 2028 3btbnt.exe 2000 dppvv.exe 1932 xxrxrfr.exe 2940 fxxrfrf.exe 560 hhbtbh.exe 1812 dvvjp.exe 1652 3jvpp.exe 1180 flrllrf.exe 1492 nhtnhb.exe 1980 nhhnhb.exe 996 ddpjv.exe 1708 rlxfllx.exe 2352 5xrflrr.exe 2268 hnnbnb.exe 2012 pjjpv.exe 1656 dvpvv.exe 1612 lrrlrfr.exe 1592 fllrffr.exe 2756 thhhtn.exe 340 9jjdj.exe 1604 dvjvp.exe -
Molebox Virtualization software 32 IoCs
Detects file using Molebox Virtualization software.
resource yara_rule behavioral1/files/0x0007000000012117-9.dat molebox behavioral1/files/0x0008000000016c58-28.dat molebox behavioral1/files/0x0008000000016cd3-45.dat molebox behavioral1/files/0x0008000000016ca2-38.dat molebox behavioral1/files/0x0009000000016c4e-19.dat molebox behavioral1/files/0x0007000000016d1b-79.dat molebox behavioral1/files/0x0007000000016d13-70.dat molebox behavioral1/files/0x0007000000016d0b-59.dat molebox behavioral1/files/0x00060000000173fb-104.dat molebox behavioral1/files/0x0006000000017409-125.dat molebox behavioral1/files/0x000600000001747b-133.dat molebox behavioral1/files/0x0009000000016a47-147.dat molebox behavioral1/files/0x000600000001748f-155.dat molebox behavioral1/files/0x000600000001752f-180.dat molebox behavioral1/files/0x001500000001866d-188.dat molebox behavioral1/files/0x0005000000018690-212.dat molebox behavioral1/files/0x000500000001879b-220.dat molebox behavioral1/files/0x00050000000191f3-255.dat molebox behavioral1/files/0x00050000000191f7-266.dat molebox behavioral1/files/0x0005000000019229-276.dat molebox behavioral1/files/0x000500000001926b-304.dat molebox behavioral1/files/0x0005000000019273-330.dat molebox behavioral1/files/0x0005000000019277-342.dat molebox behavioral1/files/0x0005000000019271-318.dat molebox behavioral1/files/0x000500000001924c-297.dat molebox behavioral1/files/0x0005000000019234-286.dat molebox behavioral1/files/0x00060000000190d6-244.dat molebox behavioral1/files/0x00060000000190cd-234.dat molebox behavioral1/files/0x0009000000018678-201.dat molebox behavioral1/files/0x00060000000174ac-169.dat molebox behavioral1/files/0x0006000000017403-114.dat molebox behavioral1/files/0x0008000000016d2e-93.dat molebox -
resource yara_rule behavioral1/memory/1744-0-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/files/0x0007000000012117-9.dat upx behavioral1/memory/1744-7-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/1172-16-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/files/0x0008000000016c58-28.dat upx behavioral1/memory/2888-46-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/files/0x0008000000016cd3-45.dat upx behavioral1/files/0x0008000000016ca2-38.dat upx behavioral1/memory/2480-37-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2920-35-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2576-26-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/files/0x0009000000016c4e-19.dat upx behavioral1/memory/2576-18-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2576-25-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2480-47-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2740-62-0x00000000002B0000-0x0000000000310000-memory.dmp upx behavioral1/memory/2644-71-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2772-81-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2644-80-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/files/0x0007000000016d1b-79.dat upx behavioral1/memory/2644-78-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2644-74-0x0000000000220000-0x0000000000280000-memory.dmp upx behavioral1/files/0x0007000000016d13-70.dat upx behavioral1/memory/2740-69-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/files/0x0007000000016d0b-59.dat upx behavioral1/memory/2740-58-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2888-57-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2520-103-0x0000000000400000-0x0000000000460000-memory.dmp 
upx behavioral1/files/0x00060000000173fb-104.dat upx behavioral1/memory/2520-107-0x0000000000250000-0x00000000002B0000-memory.dmp upx behavioral1/memory/2672-102-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2520-113-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2932-124-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/files/0x0006000000017409-125.dat upx behavioral1/memory/692-123-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2932-135-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/3000-134-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/files/0x000600000001747b-133.dat upx behavioral1/memory/2932-128-0x0000000001C80000-0x0000000001CE0000-memory.dmp upx behavioral1/files/0x0009000000016a47-147.dat upx behavioral1/memory/1960-157-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2976-156-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/files/0x000600000001748f-155.dat upx behavioral1/memory/2976-146-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/3000-145-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/1644-168-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/files/0x000600000001752f-180.dat upx behavioral1/memory/2552-179-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/2552-186-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/380-189-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/files/0x001500000001866d-188.dat upx behavioral1/memory/2552-187-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/1644-178-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/files/0x0005000000018690-212.dat upx behavioral1/files/0x000500000001879b-220.dat upx behavioral1/memory/448-226-0x00000000002A0000-0x0000000000300000-memory.dmp upx 
behavioral1/memory/448-222-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/memory/1672-233-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/files/0x00050000000191f3-255.dat upx behavioral1/files/0x00050000000191f7-266.dat upx behavioral1/files/0x0005000000019229-276.dat upx behavioral1/memory/2496-279-0x0000000000280000-0x00000000002E0000-memory.dmp upx behavioral1/memory/2172-296-0x0000000000400000-0x0000000000460000-memory.dmp upx behavioral1/files/0x000500000001926b-304.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3httbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxflfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1744 wrote to memory of 1172 1744 4ef67c4f99e61d8455a77fc970f54bee71d3a0ee54f75b5734d74b7b21439cefN.exe 30 PID 1744 wrote to memory of 1172 1744 4ef67c4f99e61d8455a77fc970f54bee71d3a0ee54f75b5734d74b7b21439cefN.exe 30 PID 1744 wrote to memory of 1172 1744 4ef67c4f99e61d8455a77fc970f54bee71d3a0ee54f75b5734d74b7b21439cefN.exe 30 PID 1744 wrote to memory of 1172 1744 4ef67c4f99e61d8455a77fc970f54bee71d3a0ee54f75b5734d74b7b21439cefN.exe 30 PID 1172 wrote to memory of 2576 1172 fxllrlr.exe 59 PID 1172 wrote to memory of 2576 1172 fxllrlr.exe 59 PID 1172 wrote to memory of 2576 1172 fxllrlr.exe 59 PID 1172 wrote to memory of 2576 1172 fxllrlr.exe 59 PID 2576 wrote to memory of 2920 2576 nthhth.exe 32 PID 2576 wrote to memory of 2920 2576 nthhth.exe 32 PID 2576 wrote to memory of 2920 2576 nthhth.exe 32 PID 2576 wrote to memory of 2920 2576 nthhth.exe 32 PID 2920 wrote to memory of 2480 2920 jvpvj.exe 33 PID 2920 wrote to memory of 2480 2920 jvpvj.exe 33 PID 2920 wrote to memory of 2480 2920 jvpvj.exe 33 PID 2920 wrote to memory of 2480 2920 jvpvj.exe 33 PID 2480 wrote to memory of 2888 2480 llxflxf.exe 34 PID 2480 wrote to memory of 2888 2480 llxflxf.exe 34 PID 2480 wrote to memory of 2888 2480 llxflxf.exe 34 PID 2480 wrote to memory of 2888 2480 llxflxf.exe 34 PID 2888 wrote to memory of 2740 2888 bbtnth.exe 35 PID 2888 wrote to memory of 2740 2888 bbtnth.exe 35 PID 2888 wrote to memory of 2740 2888 bbtnth.exe 35 PID 2888 wrote to memory of 2740 2888 bbtnth.exe 35 PID 2740 wrote to memory of 2644 2740 rlxflxl.exe 36 PID 2740 wrote to memory of 2644 2740 rlxflxl.exe 36 PID 2740 wrote to memory of 2644 2740 rlxflxl.exe 36 PID 2740 wrote to memory of 2644 2740 rlxflxl.exe 36 PID 2644 wrote to memory of 2772 2644 xlfflxf.exe 37 PID 2644 wrote to memory of 2772 2644 xlfflxf.exe 37 PID 2644 wrote to memory of 2772 2644 xlfflxf.exe 37 PID 2644 wrote to memory of 2772 2644 xlfflxf.exe 37 PID 2772 wrote to memory of 2672 2772 hthntt.exe 
38 PID 2772 wrote to memory of 2672 2772 hthntt.exe 38 PID 2772 wrote to memory of 2672 2772 hthntt.exe 38 PID 2772 wrote to memory of 2672 2772 hthntt.exe 38 PID 2672 wrote to memory of 2520 2672 5lflxfr.exe 39 PID 2672 wrote to memory of 2520 2672 5lflxfr.exe 39 PID 2672 wrote to memory of 2520 2672 5lflxfr.exe 39 PID 2672 wrote to memory of 2520 2672 5lflxfr.exe 39 PID 2520 wrote to memory of 692 2520 bhhthn.exe 40 PID 2520 wrote to memory of 692 2520 bhhthn.exe 40 PID 2520 wrote to memory of 692 2520 bhhthn.exe 40 PID 2520 wrote to memory of 692 2520 bhhthn.exe 40 PID 692 wrote to memory of 2932 692 5vddd.exe 41 PID 692 wrote to memory of 2932 692 5vddd.exe 41 PID 692 wrote to memory of 2932 692 5vddd.exe 41 PID 692 wrote to memory of 2932 692 5vddd.exe 41 PID 2932 wrote to memory of 3000 2932 jvpvp.exe 42 PID 2932 wrote to memory of 3000 2932 jvpvp.exe 42 PID 2932 wrote to memory of 3000 2932 jvpvp.exe 42 PID 2932 wrote to memory of 3000 2932 jvpvp.exe 42 PID 3000 wrote to memory of 2976 3000 lfrxllf.exe 43 PID 3000 wrote to memory of 2976 3000 lfrxllf.exe 43 PID 3000 wrote to memory of 2976 3000 lfrxllf.exe 43 PID 3000 wrote to memory of 2976 3000 lfrxllf.exe 43 PID 2976 wrote to memory of 1960 2976 9vvvv.exe 44 PID 2976 wrote to memory of 1960 2976 9vvvv.exe 44 PID 2976 wrote to memory of 1960 2976 9vvvv.exe 44 PID 2976 wrote to memory of 1960 2976 9vvvv.exe 44 PID 1960 wrote to memory of 1644 1960 tnbnbb.exe 45 PID 1960 wrote to memory of 1644 1960 tnbnbb.exe 45 PID 1960 wrote to memory of 1644 1960 tnbnbb.exe 45 PID 1960 wrote to memory of 1644 1960 tnbnbb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ef67c4f99e61d8455a77fc970f54bee71d3a0ee54f75b5734d74b7b21439cefN.exe"C:\Users\Admin\AppData\Local\Temp\4ef67c4f99e61d8455a77fc970f54bee71d3a0ee54f75b5734d74b7b21439cefN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\fxllrlr.exec:\fxllrlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\nthhth.exec:\nthhth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\jvpvj.exec:\jvpvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\llxflxf.exec:\llxflxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\bbtnth.exec:\bbtnth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\rlxflxl.exec:\rlxflxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\xlfflxf.exec:\xlfflxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\hthntt.exec:\hthntt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\5lflxfr.exec:\5lflxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\bhhthn.exec:\bhhthn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\5vddd.exec:\5vddd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\jvpvp.exec:\jvpvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\lfrxllf.exec:\lfrxllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\9vvvv.exec:\9vvvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\tnbnbb.exec:\tnbnbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\3xffrrx.exec:\3xffrrx.exe17⤵
- Executes dropped EXE
PID:1644 -
\??\c:\1hhnbn.exec:\1hhnbn.exe18⤵
- Executes dropped EXE
PID:2552 -
\??\c:\9pdvd.exec:\9pdvd.exe19⤵
- Executes dropped EXE
PID:380 -
\??\c:\vpjvd.exec:\vpjvd.exe20⤵
- Executes dropped EXE
PID:2100 -
\??\c:\1xlxllx.exec:\1xlxllx.exe21⤵
- Executes dropped EXE
PID:1728 -
\??\c:\hthhnh.exec:\hthhnh.exe22⤵
- Executes dropped EXE
PID:448 -
\??\c:\vdjpj.exec:\vdjpj.exe23⤵
- Executes dropped EXE
PID:1672 -
\??\c:\nhbntt.exec:\nhbntt.exe24⤵
- Executes dropped EXE
PID:944 -
\??\c:\nbhbtt.exec:\nbhbtt.exe25⤵
- Executes dropped EXE
PID:716 -
\??\c:\pjvvd.exec:\pjvvd.exe26⤵
- Executes dropped EXE
PID:1584 -
\??\c:\lfxrflf.exec:\lfxrflf.exe27⤵
- Executes dropped EXE
PID:2496 -
\??\c:\hbnnht.exec:\hbnnht.exe28⤵
- Executes dropped EXE
PID:2036 -
\??\c:\3hbbbh.exec:\3hbbbh.exe29⤵
- Executes dropped EXE
PID:2172 -
\??\c:\ffxfrfr.exec:\ffxfrfr.exe30⤵
- Executes dropped EXE
PID:1592 -
\??\c:\fffrlxr.exec:\fffrlxr.exe31⤵
- Executes dropped EXE
PID:2576 -
\??\c:\9jdvp.exec:\9jdvp.exe32⤵
- Executes dropped EXE
PID:2432 -
\??\c:\ppjvj.exec:\ppjvj.exe33⤵
- Executes dropped EXE
PID:2408 -
\??\c:\ffxlxrf.exec:\ffxlxrf.exe34⤵
- Executes dropped EXE
PID:2808 -
\??\c:\3nhbnn.exec:\3nhbnn.exe35⤵
- Executes dropped EXE
PID:2928 -
\??\c:\xrrxflx.exec:\xrrxflx.exe36⤵
- Executes dropped EXE
PID:2716 -
\??\c:\hbtnbt.exec:\hbtnbt.exe37⤵
- Executes dropped EXE
PID:2768 -
\??\c:\jjvjd.exec:\jjvjd.exe38⤵
- Executes dropped EXE
PID:2684 -
\??\c:\xrrflrf.exec:\xrrflrf.exe39⤵
- Executes dropped EXE
PID:2372 -
\??\c:\hhbnhn.exec:\hhbnhn.exe40⤵
- Executes dropped EXE
PID:3024 -
\??\c:\nbtnnn.exec:\nbtnnn.exe41⤵
- Executes dropped EXE
PID:2292 -
\??\c:\ddpdj.exec:\ddpdj.exe42⤵
- Executes dropped EXE
PID:2864 -
\??\c:\rrlrrff.exec:\rrlrrff.exe43⤵
- Executes dropped EXE
PID:2980 -
\??\c:\hnnbbb.exec:\hnnbbb.exe44⤵
- Executes dropped EXE
PID:3032 -
\??\c:\3btbnt.exec:\3btbnt.exe45⤵
- Executes dropped EXE
PID:2028 -
\??\c:\dppvv.exec:\dppvv.exe46⤵
- Executes dropped EXE
PID:2000 -
\??\c:\xxrxrfr.exec:\xxrxrfr.exe47⤵
- Executes dropped EXE
PID:1932 -
\??\c:\fxxrfrf.exec:\fxxrfrf.exe48⤵
- Executes dropped EXE
PID:2940 -
\??\c:\hhbtbh.exec:\hhbtbh.exe49⤵
- Executes dropped EXE
PID:560 -
\??\c:\dvvjp.exec:\dvvjp.exe50⤵
- Executes dropped EXE
PID:1812 -
\??\c:\3jvpp.exec:\3jvpp.exe51⤵
- Executes dropped EXE
PID:1652 -
\??\c:\flrllrf.exec:\flrllrf.exe52⤵
- Executes dropped EXE
PID:1180 -
\??\c:\nhtnhb.exec:\nhtnhb.exe53⤵
- Executes dropped EXE
PID:1492 -
\??\c:\nhhnhb.exec:\nhhnhb.exe54⤵
- Executes dropped EXE
PID:1980 -
\??\c:\ddpjv.exec:\ddpjv.exe55⤵
- Executes dropped EXE
PID:996 -
\??\c:\rlxfllx.exec:\rlxfllx.exe56⤵
- Executes dropped EXE
PID:1708 -
\??\c:\5xrflrr.exec:\5xrflrr.exe57⤵
- Executes dropped EXE
PID:2352 -
\??\c:\hnnbnb.exec:\hnnbnb.exe58⤵
- Executes dropped EXE
PID:2268 -
\??\c:\pjjpv.exec:\pjjpv.exe59⤵
- Executes dropped EXE
PID:2012 -
\??\c:\dvpvv.exec:\dvpvv.exe60⤵
- Executes dropped EXE
PID:1656 -
\??\c:\lrrlrfr.exec:\lrrlrfr.exe61⤵
- Executes dropped EXE
PID:1612 -
\??\c:\fllrffr.exec:\fllrffr.exe62⤵
- Executes dropped EXE
PID:1592 -
\??\c:\thhhtn.exec:\thhhtn.exe63⤵
- Executes dropped EXE
PID:2756 -
\??\c:\9jjdj.exec:\9jjdj.exe64⤵
- Executes dropped EXE
PID:340 -
\??\c:\dvjvp.exec:\dvjvp.exe65⤵
- Executes dropped EXE
PID:1604 -
\??\c:\lffrlrl.exec:\lffrlrl.exe66⤵PID:2900
-
\??\c:\9fllrxf.exec:\9fllrxf.exe67⤵PID:2708
-
\??\c:\7hbbhb.exec:\7hbbhb.exe68⤵PID:2700
-
\??\c:\vdvjj.exec:\vdvjj.exe69⤵PID:2748
-
\??\c:\vvvdj.exec:\vvvdj.exe70⤵PID:2068
-
\??\c:\5frxlrx.exec:\5frxlrx.exe71⤵PID:2604
-
\??\c:\rrlxxfl.exec:\rrlxxfl.exe72⤵PID:2924
-
\??\c:\hbtttn.exec:\hbtttn.exe73⤵PID:2660
-
\??\c:\tnnnbb.exec:\tnnnbb.exe74⤵PID:3036
-
\??\c:\pjdjj.exec:\pjdjj.exe75⤵PID:1996
-
\??\c:\pjvvj.exec:\pjvvj.exe76⤵PID:2932
-
\??\c:\9lrxxfl.exec:\9lrxxfl.exe77⤵PID:2156
-
\??\c:\hhbhnt.exec:\hhbhnt.exe78⤵PID:2852
-
\??\c:\thnbnn.exec:\thnbnn.exe79⤵PID:2364
-
\??\c:\djjvd.exec:\djjvd.exe80⤵PID:2972
-
\??\c:\9jvpv.exec:\9jvpv.exe81⤵PID:1816
-
\??\c:\1fxlxrx.exec:\1fxlxrx.exe82⤵PID:608
-
\??\c:\htbtbb.exec:\htbtbb.exe83⤵PID:1508
-
\??\c:\9hbhnt.exec:\9hbhnt.exe84⤵PID:1208
-
\??\c:\3ddvd.exec:\3ddvd.exe85⤵PID:560
-
\??\c:\7ppvd.exec:\7ppvd.exe86⤵PID:2040
-
\??\c:\rxrfrfx.exec:\rxrfrfx.exe87⤵PID:2260
-
\??\c:\tnhnnn.exec:\tnhnnn.exe88⤵PID:976
-
\??\c:\3hhthn.exec:\3hhthn.exe89⤵PID:1672
-
\??\c:\vjjvd.exec:\vjjvd.exe90⤵PID:1020
-
\??\c:\jjdjv.exec:\jjdjv.exe91⤵PID:1560
-
\??\c:\ffxrrxf.exec:\ffxrrxf.exe92⤵PID:580
-
\??\c:\7rxrflr.exec:\7rxrflr.exe93⤵
- System Location Discovery: System Language Discovery
PID:2248 -
\??\c:\bntbnt.exec:\bntbnt.exe94⤵PID:2032
-
\??\c:\nnbbhb.exec:\nnbbhb.exe95⤵PID:1220
-
\??\c:\pjpvv.exec:\pjpvv.exe96⤵PID:2264
-
\??\c:\9dddd.exec:\9dddd.exe97⤵PID:2036
-
\??\c:\fxrxrxf.exec:\fxrxrxf.exe98⤵PID:1108
-
\??\c:\xxxxfxf.exec:\xxxxfxf.exe99⤵PID:556
-
\??\c:\tnbbnn.exec:\tnbbnn.exe100⤵PID:348
-
\??\c:\9vdpd.exec:\9vdpd.exe101⤵PID:2804
-
\??\c:\jdvdp.exec:\jdvdp.exe102⤵PID:1776
-
\??\c:\9flrrxf.exec:\9flrrxf.exe103⤵PID:2812
-
\??\c:\hnhnbb.exec:\hnhnbb.exe104⤵PID:340
-
\??\c:\jpdvj.exec:\jpdvj.exe105⤵PID:892
-
\??\c:\7dpvd.exec:\7dpvd.exe106⤵PID:2632
-
\??\c:\rrxfxrf.exec:\rrxfxrf.exe107⤵PID:2928
-
\??\c:\tbbhnb.exec:\tbbhnb.exe108⤵PID:1432
-
\??\c:\nbthnt.exec:\nbthnt.exe109⤵PID:1328
-
\??\c:\vdvdd.exec:\vdvdd.exe110⤵PID:2908
-
\??\c:\5xxlflx.exec:\5xxlflx.exe111⤵PID:2612
-
\??\c:\vpjvv.exec:\vpjvv.exe112⤵PID:2628
-
\??\c:\lfflrrf.exec:\lfflrrf.exe113⤵PID:2672
-
\??\c:\tnbnhh.exec:\tnbnhh.exe114⤵PID:2568
-
\??\c:\fflxlfr.exec:\fflxlfr.exe115⤵PID:2728
-
\??\c:\bnhnht.exec:\bnhnht.exe116⤵PID:2688
-
\??\c:\hbhnbh.exec:\hbhnbh.exe117⤵PID:2884
-
\??\c:\pdpjp.exec:\pdpjp.exe118⤵PID:1076
-
\??\c:\frflrxl.exec:\frflrxl.exe119⤵PID:2952
-
\??\c:\nhbhhh.exec:\nhbhhh.exe120⤵PID:2156
-
\??\c:\pdddv.exec:\pdddv.exe121⤵PID:2876
-
\??\c:\fxxxffl.exec:\fxxxffl.exe122⤵PID:2856
-