Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
30-10-2024 15:12
Behavioral task
behavioral1
Sample
e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exe
Resource
win7-20240903-en
General
-
Target
e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exe
-
Size
3.7MB
-
MD5
e43ed5e8cbf3fc1c2be1cfd902a42610
-
SHA1
3c8127f9e677b7a290948b1710d185969959b493
-
SHA256
e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6f
-
SHA512
85196882da91d9904abd981761fe10ab13ad3cb0c15e452dad0fcee6e5b59b693139714dcc4dc8b7caf4583a5959742176c91b1447f5e15258f7f30702baff59
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98g:U6XLq/qPPslzKx/dJg1ErmNj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/3828-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1636-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2880-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4892-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2996-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/312-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2700-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3968-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2936-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4032-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1244-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3460-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4208-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1012-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2488-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3764-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4304-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1116-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2176-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3404-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1748-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4348-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4272-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4260-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3684-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/744-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4756-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4148-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1004-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1188-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/652-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4836-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4356-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3964-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2520-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3612-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1208-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2800-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-358-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-365-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2588-373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2932-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1068-397-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4496-425-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4260-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4468-494-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4400-498-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-535-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/832-623-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3860-651-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4952-1610-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
Processes:
bhbhhb.exevjddd.exebtnnnn.exejpvvv.exepjppj.exelrrrrlr.exenntnth.exenhbnnn.exepvpjd.exexrxxrrr.exedjvjj.exelfrrlll.exenhhbbb.exe1djvj.exedpdvp.exethnnnb.exedvjpj.exehnhhtt.exefxrrrxf.exehnnhbh.exevvddp.exexfllfxl.exebhttnh.exepvddd.exelrxxfll.exepjpjj.exevjjjv.exefxfxxxf.exerlllfxx.exennbbbh.exedvvpd.exexrffxfx.exennbttn.exenhnnhb.exepjvjp.exetnttbh.exehbbbbb.exevvdvv.exevpvpj.exelrfrfxl.exexxxfrxl.exelffrfxf.exentntbn.exennttnb.exehbnnnb.exejjvvj.exejpvdp.exevjppp.exe9djdv.exevdpvd.exeflrrlff.exexxffxxf.exe9flllrr.exelxflllr.exejvvvp.exelrrlxlf.exellrrlll.exellrxxll.exelrrxxxx.exerxllrxf.exehnnnbh.exehthttb.exejdppj.exedppdp.exepid Process 1636 bhbhhb.exe 4892 vjddd.exe 2880 btnnnn.exe 312 jpvvv.exe 2996 pjppj.exe 2700 lrrrrlr.exe 3968 nntnth.exe 2696 nhbnnn.exe 2936 pvpjd.exe 4032 xrxxrrr.exe 1244 djvjj.exe 3460 lfrrlll.exe 4208 nhhbbb.exe 1012 1djvj.exe 2488 dpdvp.exe 4952 thnnnb.exe 3764 dvjpj.exe 4304 hnhhtt.exe 2216 fxrrrxf.exe 4512 hnnhbh.exe 1708 vvddp.exe 1616 xfllfxl.exe 1116 bhttnh.exe 2176 pvddd.exe 3404 lrxxfll.exe 1748 pjpjj.exe 3504 vjjjv.exe 4348 fxfxxxf.exe 4272 rlllfxx.exe 2684 nnbbbh.exe 4260 dvvpd.exe 1260 xrffxfx.exe 3368 nnbttn.exe 3684 nhnnhb.exe 5116 pjvjp.exe 4540 tnttbh.exe 4068 hbbbbb.exe 4296 vvdvv.exe 744 vpvpj.exe 3612 lrfrfxl.exe 4368 xxxfrxl.exe 2364 lffrfxf.exe 2800 ntntbn.exe 4004 nnttnb.exe 3812 hbnnnb.exe 3596 jjvvj.exe 4756 jpvdp.exe 1416 vjppp.exe 4148 9djdv.exe 4932 vdpvd.exe 884 flrrlff.exe 748 xxffxxf.exe 1004 9flllrr.exe 4512 lxflllr.exe 2408 jvvvp.exe 1188 lrrlxlf.exe 4328 llrrlll.exe 548 llrxxll.exe 652 lrrxxxx.exe 2220 rxllrxf.exe 4548 hnnnbh.exe 3336 hthttb.exe 5040 jdppj.exe 4836 dppdp.exe -
Processes:
resource yara_rule behavioral2/memory/3828-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c97-3.dat upx behavioral2/memory/3828-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-9.dat upx behavioral2/memory/1636-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c98-13.dat upx behavioral2/memory/2880-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4892-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-23.dat upx behavioral2/memory/312-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-28.dat upx behavioral2/memory/2996-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/312-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-35.dat upx behavioral2/memory/2700-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c9f-41.dat upx behavioral2/memory/3968-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-48.dat upx behavioral2/memory/2696-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-53.dat upx behavioral2/memory/2936-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4032-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-61.dat upx behavioral2/files/0x000d000000023b52-66.dat upx behavioral2/files/0x000d000000023b54-70.dat upx behavioral2/memory/1244-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3460-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-78.dat upx behavioral2/memory/4208-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca6-84.dat upx 
behavioral2/memory/1012-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023b4e-89.dat upx behavioral2/files/0x000c000000023b51-94.dat upx behavioral2/memory/2488-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-100.dat upx behavioral2/memory/3764-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4952-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-107.dat upx behavioral2/memory/3764-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4304-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ca9-116.dat upx behavioral2/files/0x0008000000023cab-119.dat upx behavioral2/files/0x0009000000023cad-124.dat upx behavioral2/memory/4512-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-130.dat upx behavioral2/files/0x0007000000023caf-135.dat upx behavioral2/memory/1116-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-141.dat upx behavioral2/files/0x0007000000023cb1-146.dat upx behavioral2/memory/2176-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-152.dat upx behavioral2/memory/3404-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1748-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-158.dat upx behavioral2/files/0x0007000000023cb4-163.dat upx behavioral2/files/0x0007000000023cb5-167.dat upx behavioral2/memory/4348-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-174.dat upx behavioral2/memory/4272-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-180.dat upx behavioral2/files/0x0007000000023cb8-185.dat upx 
behavioral2/memory/4260-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3684-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3368-195-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
pddpd.exehntttt.exefrlffrr.exehbnnnn.exennhbnh.exellxfxrf.exe5pdvp.exexlrxrfr.exe9ffffff.exelxfxxxx.exerlxfxxx.exennhntb.exebtbbbb.exedddpp.exexrffxfx.exehtbnht.exethbbbb.exejdvpd.exepppdv.exedvppp.exenhbbbb.exehhnbbh.exe1vdjv.exepvvdp.exentntnt.exejvddp.exehbhhhh.exenhbttt.exefrlrllf.exepvddd.exerlrllrx.exepvddv.exe9djjj.exenhbnnn.exerrffxff.exepvpjv.exebnbhbt.exenhnbnb.exetntbbb.exevjppj.exebbtnbn.exepdjpp.exe5ddvv.exefxfllff.exebnttnt.exepjpdj.exetbhbtn.exexxllfll.exelrlxxff.exebnhbnh.exexrfffll.exehttttt.exerlflxfx.exellfllrx.exenttnhb.exetnbbtb.exepvvpd.exejvvvj.exenbhtnb.exeppjdv.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffxfx.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbhbt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exebhbhhb.exevjddd.exebtnnnn.exejpvvv.exepjppj.exelrrrrlr.exenntnth.exenhbnnn.exepvpjd.exexrxxrrr.exedjvjj.exelfrrlll.exenhhbbb.exe1djvj.exedpdvp.exethnnnb.exedvjpj.exehnhhtt.exefxrrrxf.exehnnhbh.exevvddp.exedescription pid Process procid_target PID 3828 wrote to memory of 1636 3828 e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exe 84 PID 3828 wrote to memory of 1636 3828 e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exe 84 PID 3828 wrote to memory of 1636 3828 e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exe 84 PID 1636 wrote to memory of 4892 1636 bhbhhb.exe 86 PID 1636 wrote to memory of 4892 1636 bhbhhb.exe 86 PID 1636 wrote to memory of 4892 1636 bhbhhb.exe 86 PID 4892 wrote to memory of 2880 4892 vjddd.exe 88 PID 4892 wrote to memory of 2880 4892 vjddd.exe 88 PID 4892 wrote to memory of 2880 4892 vjddd.exe 88 PID 2880 wrote to memory of 312 2880 btnnnn.exe 90 PID 2880 wrote to memory of 312 2880 btnnnn.exe 90 PID 2880 wrote to memory of 312 2880 btnnnn.exe 90 PID 312 wrote to memory of 2996 312 jpvvv.exe 91 PID 312 wrote to memory of 2996 312 jpvvv.exe 91 PID 312 wrote to memory of 2996 312 jpvvv.exe 91 PID 2996 wrote to memory of 2700 2996 pjppj.exe 92 PID 2996 wrote to memory of 2700 2996 pjppj.exe 92 PID 2996 wrote to memory of 2700 2996 pjppj.exe 92 PID 2700 wrote to memory of 3968 2700 lrrrrlr.exe 93 PID 2700 wrote to memory of 3968 2700 lrrrrlr.exe 93 PID 2700 wrote to memory of 3968 2700 lrrrrlr.exe 93 PID 3968 wrote to memory of 2696 3968 nntnth.exe 94 PID 3968 wrote to memory of 2696 3968 nntnth.exe 94 PID 3968 wrote to memory of 2696 3968 nntnth.exe 94 PID 2696 wrote to memory of 2936 2696 nhbnnn.exe 95 PID 2696 wrote to memory of 2936 2696 nhbnnn.exe 95 PID 2696 wrote to memory of 2936 2696 nhbnnn.exe 95 PID 2936 wrote to memory of 4032 2936 pvpjd.exe 96 PID 2936 wrote to memory of 4032 2936 pvpjd.exe 96 PID 2936 wrote to 
memory of 4032 2936 pvpjd.exe 96 PID 4032 wrote to memory of 1244 4032 xrxxrrr.exe 97 PID 4032 wrote to memory of 1244 4032 xrxxrrr.exe 97 PID 4032 wrote to memory of 1244 4032 xrxxrrr.exe 97 PID 1244 wrote to memory of 3460 1244 djvjj.exe 98 PID 1244 wrote to memory of 3460 1244 djvjj.exe 98 PID 1244 wrote to memory of 3460 1244 djvjj.exe 98 PID 3460 wrote to memory of 4208 3460 lfrrlll.exe 99 PID 3460 wrote to memory of 4208 3460 lfrrlll.exe 99 PID 3460 wrote to memory of 4208 3460 lfrrlll.exe 99 PID 4208 wrote to memory of 1012 4208 nhhbbb.exe 100 PID 4208 wrote to memory of 1012 4208 nhhbbb.exe 100 PID 4208 wrote to memory of 1012 4208 nhhbbb.exe 100 PID 1012 wrote to memory of 2488 1012 1djvj.exe 101 PID 1012 wrote to memory of 2488 1012 1djvj.exe 101 PID 1012 wrote to memory of 2488 1012 1djvj.exe 101 PID 2488 wrote to memory of 4952 2488 dpdvp.exe 102 PID 2488 wrote to memory of 4952 2488 dpdvp.exe 102 PID 2488 wrote to memory of 4952 2488 dpdvp.exe 102 PID 4952 wrote to memory of 3764 4952 thnnnb.exe 103 PID 4952 wrote to memory of 3764 4952 thnnnb.exe 103 PID 4952 wrote to memory of 3764 4952 thnnnb.exe 103 PID 3764 wrote to memory of 4304 3764 dvjpj.exe 104 PID 3764 wrote to memory of 4304 3764 dvjpj.exe 104 PID 3764 wrote to memory of 4304 3764 dvjpj.exe 104 PID 4304 wrote to memory of 2216 4304 hnhhtt.exe 105 PID 4304 wrote to memory of 2216 4304 hnhhtt.exe 105 PID 4304 wrote to memory of 2216 4304 hnhhtt.exe 105 PID 2216 wrote to memory of 4512 2216 fxrrrxf.exe 106 PID 2216 wrote to memory of 4512 2216 fxrrrxf.exe 106 PID 2216 wrote to memory of 4512 2216 fxrrrxf.exe 106 PID 4512 wrote to memory of 1708 4512 hnnhbh.exe 107 PID 4512 wrote to memory of 1708 4512 hnnhbh.exe 107 PID 4512 wrote to memory of 1708 4512 hnnhbh.exe 107 PID 1708 wrote to memory of 1616 1708 vvddp.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exe"C:\Users\Admin\AppData\Local\Temp\e5625c489c1e0bf709ed0520213100249eae350169b291faf8d1554b0f0e2a6fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\bhbhhb.exec:\bhbhhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\vjddd.exec:\vjddd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\btnnnn.exec:\btnnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\jpvvv.exec:\jpvvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312 -
\??\c:\pjppj.exec:\pjppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\lrrrrlr.exec:\lrrrrlr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\nntnth.exec:\nntnth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\nhbnnn.exec:\nhbnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\pvpjd.exec:\pvpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\djvjj.exec:\djvjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\lfrrlll.exec:\lfrrlll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\nhhbbb.exec:\nhhbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\1djvj.exec:\1djvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\dpdvp.exec:\dpdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\thnnnb.exec:\thnnnb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\dvjpj.exec:\dvjpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\hnhhtt.exec:\hnhhtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\fxrrrxf.exec:\fxrrrxf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\hnnhbh.exec:\hnnhbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\vvddp.exec:\vvddp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\xfllfxl.exec:\xfllfxl.exe23⤵
- Executes dropped EXE
PID:1616 -
\??\c:\bhttnh.exec:\bhttnh.exe24⤵
- Executes dropped EXE
PID:1116 -
\??\c:\pvddd.exec:\pvddd.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2176 -
\??\c:\lrxxfll.exec:\lrxxfll.exe26⤵
- Executes dropped EXE
PID:3404 -
\??\c:\pjpjj.exec:\pjpjj.exe27⤵
- Executes dropped EXE
PID:1748 -
\??\c:\vjjjv.exec:\vjjjv.exe28⤵
- Executes dropped EXE
PID:3504 -
\??\c:\fxfxxxf.exec:\fxfxxxf.exe29⤵
- Executes dropped EXE
PID:4348 -
\??\c:\rlllfxx.exec:\rlllfxx.exe30⤵
- Executes dropped EXE
PID:4272 -
\??\c:\nnbbbh.exec:\nnbbbh.exe31⤵
- Executes dropped EXE
PID:2684 -
\??\c:\dvvpd.exec:\dvvpd.exe32⤵
- Executes dropped EXE
PID:4260 -
\??\c:\xrffxfx.exec:\xrffxfx.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1260 -
\??\c:\nnbttn.exec:\nnbttn.exe34⤵
- Executes dropped EXE
PID:3368 -
\??\c:\nhnnhb.exec:\nhnnhb.exe35⤵
- Executes dropped EXE
PID:3684 -
\??\c:\pjvjp.exec:\pjvjp.exe36⤵
- Executes dropped EXE
PID:5116 -
\??\c:\tnttbh.exec:\tnttbh.exe37⤵
- Executes dropped EXE
PID:4540 -
\??\c:\hbbbbb.exec:\hbbbbb.exe38⤵
- Executes dropped EXE
PID:4068 -
\??\c:\vvdvv.exec:\vvdvv.exe39⤵
- Executes dropped EXE
PID:4296 -
\??\c:\vpvpj.exec:\vpvpj.exe40⤵
- Executes dropped EXE
PID:744 -
\??\c:\lrfrfxl.exec:\lrfrfxl.exe41⤵
- Executes dropped EXE
PID:3612 -
\??\c:\xxxfrxl.exec:\xxxfrxl.exe42⤵
- Executes dropped EXE
PID:4368 -
\??\c:\lffrfxf.exec:\lffrfxf.exe43⤵
- Executes dropped EXE
PID:2364 -
\??\c:\ntntbn.exec:\ntntbn.exe44⤵
- Executes dropped EXE
PID:2800 -
\??\c:\nnttnb.exec:\nnttnb.exe45⤵
- Executes dropped EXE
PID:4004 -
\??\c:\hbnnnb.exec:\hbnnnb.exe46⤵
- Executes dropped EXE
PID:3812 -
\??\c:\jjvvj.exec:\jjvvj.exe47⤵
- Executes dropped EXE
PID:3596 -
\??\c:\jpvdp.exec:\jpvdp.exe48⤵
- Executes dropped EXE
PID:4756 -
\??\c:\vjppp.exec:\vjppp.exe49⤵
- Executes dropped EXE
PID:1416 -
\??\c:\9djdv.exec:\9djdv.exe50⤵
- Executes dropped EXE
PID:4148 -
\??\c:\vdpvd.exec:\vdpvd.exe51⤵
- Executes dropped EXE
PID:4932 -
\??\c:\flrrlff.exec:\flrrlff.exe52⤵
- Executes dropped EXE
PID:884 -
\??\c:\xxffxxf.exec:\xxffxxf.exe53⤵
- Executes dropped EXE
PID:748 -
\??\c:\9flllrr.exec:\9flllrr.exe54⤵
- Executes dropped EXE
PID:1004 -
\??\c:\lxflllr.exec:\lxflllr.exe55⤵
- Executes dropped EXE
PID:4512 -
\??\c:\jvvvp.exec:\jvvvp.exe56⤵
- Executes dropped EXE
PID:2408 -
\??\c:\lrrlxlf.exec:\lrrlxlf.exe57⤵
- Executes dropped EXE
PID:1188 -
\??\c:\llrrlll.exec:\llrrlll.exe58⤵
- Executes dropped EXE
PID:4328 -
\??\c:\llrxxll.exec:\llrxxll.exe59⤵
- Executes dropped EXE
PID:548 -
\??\c:\lrrxxxx.exec:\lrrxxxx.exe60⤵
- Executes dropped EXE
PID:652 -
\??\c:\rxllrxf.exec:\rxllrxf.exe61⤵
- Executes dropped EXE
PID:2220 -
\??\c:\hnnnbh.exec:\hnnnbh.exe62⤵
- Executes dropped EXE
PID:4548 -
\??\c:\hthttb.exec:\hthttb.exe63⤵
- Executes dropped EXE
PID:3336 -
\??\c:\jdppj.exec:\jdppj.exe64⤵
- Executes dropped EXE
PID:5040 -
\??\c:\dppdp.exec:\dppdp.exe65⤵
- Executes dropped EXE
PID:4836 -
\??\c:\jpjvp.exec:\jpjvp.exe66⤵PID:3452
-
\??\c:\xxxxxll.exec:\xxxxxll.exe67⤵PID:3588
-
\??\c:\rxffxfl.exec:\rxffxfl.exe68⤵PID:4356
-
\??\c:\1lrrrxx.exec:\1lrrrxx.exe69⤵PID:4876
-
\??\c:\9nbbbh.exec:\9nbbbh.exe70⤵PID:4556
-
\??\c:\bhbbnn.exec:\bhbbnn.exe71⤵PID:5076
-
\??\c:\5pddj.exec:\5pddj.exe72⤵PID:4624
-
\??\c:\xfxflxf.exec:\xfxflxf.exe73⤵PID:3964
-
\??\c:\vvjjj.exec:\vvjjj.exe74⤵PID:2988
-
\??\c:\jjdjd.exec:\jjdjd.exe75⤵PID:2520
-
\??\c:\xrlrrrr.exec:\xrlrrrr.exe76⤵PID:1084
-
\??\c:\ppjjj.exec:\ppjjj.exe77⤵PID:3612
-
\??\c:\9xlllfl.exec:\9xlllfl.exe78⤵PID:1208
-
\??\c:\llxlllr.exec:\llxlllr.exe79⤵PID:3520
-
\??\c:\rfrrrrx.exec:\rfrrrrx.exe80⤵PID:2800
-
\??\c:\fxrxxfl.exec:\fxrxxfl.exe81⤵PID:4004
-
\??\c:\nbbbhh.exec:\nbbbhh.exe82⤵PID:3432
-
\??\c:\3hthbt.exec:\3hthbt.exe83⤵PID:5028
-
\??\c:\htbbbn.exec:\htbbbn.exe84⤵PID:1612
-
\??\c:\7bnhbb.exec:\7bnhbb.exe85⤵PID:2588
-
\??\c:\nttnhb.exec:\nttnhb.exe86⤵
- System Location Discovery: System Language Discovery
PID:2932 -
\??\c:\ntnthn.exec:\ntnthn.exe87⤵PID:2280
-
\??\c:\hnbntb.exec:\hnbntb.exe88⤵PID:4680
-
\??\c:\jjjjj.exec:\jjjjj.exe89⤵PID:932
-
\??\c:\dvddj.exec:\dvddj.exe90⤵PID:1984
-
\??\c:\vjvvj.exec:\vjvvj.exe91⤵PID:2324
-
\??\c:\dpdjd.exec:\dpdjd.exe92⤵PID:1068
-
\??\c:\rxxrlll.exec:\rxxrlll.exe93⤵PID:2408
-
\??\c:\xllffff.exec:\xllffff.exe94⤵PID:1964
-
\??\c:\xrffllr.exec:\xrffllr.exe95⤵PID:2328
-
\??\c:\xxrrxfl.exec:\xxrrxfl.exe96⤵PID:3404
-
\??\c:\3ffrrlf.exec:\3ffrrlf.exe97⤵PID:1592
-
\??\c:\lrlllrl.exec:\lrlllrl.exe98⤵PID:1448
-
\??\c:\rxxllrx.exec:\rxxllrx.exe99⤵PID:2304
-
\??\c:\lrrflrx.exec:\lrrflrx.exe100⤵PID:1640
-
\??\c:\htnnnh.exec:\htnnnh.exe101⤵PID:716
-
\??\c:\bnbtnt.exec:\bnbtnt.exe102⤵PID:4496
-
\??\c:\tbbttt.exec:\tbbttt.exe103⤵PID:2908
-
\??\c:\hhttbb.exec:\hhttbb.exe104⤵PID:3588
-
\??\c:\nhttbh.exec:\nhttbh.exe105⤵PID:372
-
\??\c:\hbbhbn.exec:\hbbhbn.exe106⤵PID:3624
-
\??\c:\thbhbb.exec:\thbhbb.exe107⤵PID:4260
-
\??\c:\nnhbnh.exec:\nnhbnh.exe108⤵
- System Location Discovery: System Language Discovery
PID:1552 -
\??\c:\hhhbbn.exec:\hhhbbn.exe109⤵PID:220
-
\??\c:\tthhhb.exec:\tthhhb.exe110⤵PID:3964
-
\??\c:\xlfffll.exec:\xlfffll.exe111⤵PID:2884
-
\??\c:\lflrlrr.exec:\lflrlrr.exe112⤵PID:744
-
\??\c:\tnhhnn.exec:\tnhhnn.exe113⤵PID:3120
-
\??\c:\tntttb.exec:\tntttb.exe114⤵PID:4056
-
\??\c:\bnbnbh.exec:\bnbnbh.exe115⤵PID:4368
-
\??\c:\bbtttb.exec:\bbtttb.exe116⤵PID:1880
-
\??\c:\nbhtnb.exec:\nbhtnb.exe117⤵
- System Location Discovery: System Language Discovery
PID:3460 -
\??\c:\3tnnnn.exec:\3tnnnn.exe118⤵PID:3400
-
\??\c:\hnhttt.exec:\hnhttt.exe119⤵PID:3836
-
\??\c:\ttbbhh.exec:\ttbbhh.exe120⤵PID:3432
-
\??\c:\bhhnnn.exec:\bhhnnn.exe121⤵PID:4360
-
\??\c:\hhbbbn.exec:\hhbbbn.exe122⤵PID:5052