Analysis
-
max time kernel
120s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08-11-2024 23:47
Behavioral task
behavioral1
Sample
a572002f055b6353b4dd9b7c0254e984a92ba73779b0bd7f3b998984c3608fa0N.exe
Resource
win7-20240903-en
General
-
Target
a572002f055b6353b4dd9b7c0254e984a92ba73779b0bd7f3b998984c3608fa0N.exe
-
Size
3.7MB
-
MD5
c0242e57adb242ebd34b2cd1860e34e0
-
SHA1
3ce6786047bfcbcf514fb01aa9b22a24020a6cde
-
SHA256
a572002f055b6353b4dd9b7c0254e984a92ba73779b0bd7f3b998984c3608fa0
-
SHA512
15fe53ebe5082b377502b109239b7530427c8a57f0d3a3743d756bf51caeee858b05e52c11e807c88751d0505a803bbfa5217b3549405fd0b2a29b7fecf8b3b5
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98m:U6XLq/qPPslzKx/dJg1ErmNt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
Processes:
resource yara_rule behavioral2/memory/1848-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2992-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3360-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/560-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3584-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1428-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1972-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1316-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2656-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1788-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1996-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1372-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1016-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4460-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/260-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/452-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3460-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4820-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4220-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3252-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4572-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2624-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/64-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1484-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4296-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4996-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2680-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3548-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/708-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2672-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1692-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3128-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/904-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1124-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1672-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3456-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5076-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3304-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3200-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2128-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/564-378-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1016-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3356-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2940-417-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3252-449-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1944-459-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-550-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/648-578-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2668-681-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1580-709-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3104-716-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-1014-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1508-1088-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-1308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
Processes:
xxxxxxf.exeddvpv.exexfrllll.exevdpdv.exepdpjd.exefxxxrxl.exetnhnnh.exejdjjj.exetnbbtn.exennbtnn.exellxxrrr.exerrlllxf.exelfrrxff.exeffrrrxf.exerlrrxxf.exebnnnht.exejjvvv.exennhhnt.exentbnhh.exe9ntnnn.exepvjjd.exedjjpj.exepppdv.exellfxrlf.exebtntnt.exeppjjp.exefxrxrxr.exehhthhb.exepvddj.exeflffxfr.exefrrllfl.exepppvp.exetbntnt.exedjpjd.exebhbbbb.exenthhnn.exevvppv.exejjvvp.exevvvvp.exevpdjj.exedvdjj.exepdjdd.exevdvvv.exejdddd.exevdvpp.exejjvvp.exeppjdv.exevpvpp.exe9jppp.exeppppp.exejjjdd.exevvppp.exevvvvv.exeddppj.exeddppp.exevdjjj.exejjpdv.exepjvpv.exeddpjd.exepjppj.exejdvvp.exebhnnnn.exebtbtnn.exetnnbtn.exepid Process 2992 xxxxxxf.exe 3360 ddvpv.exe 560 xfrllll.exe 4928 vdpdv.exe 4036 pdpjd.exe 1984 fxxxrxl.exe 3584 tnhnnh.exe 1972 jdjjj.exe 1428 tnbbtn.exe 1316 nnbtnn.exe 1996 llxxrrr.exe 2656 rrlllxf.exe 1788 lfrrxff.exe 1372 ffrrrxf.exe 1016 rlrrxxf.exe 2788 bnnnht.exe 4460 jjvvv.exe 1500 nnhhnt.exe 260 ntbnhh.exe 1608 9ntnnn.exe 212 pvjjd.exe 452 djjpj.exe 3460 pppdv.exe 4820 llfxrlf.exe 4220 btntnt.exe 3252 ppjjp.exe 5068 fxrxrxr.exe 4572 hhthhb.exe 2624 pvddj.exe 4368 flffxfr.exe 64 frrllfl.exe 1484 pppvp.exe 4052 tbntnt.exe 4296 djpjd.exe 4928 bhbbbb.exe 1468 nthhnn.exe 1120 vvppv.exe 4996 jjvvp.exe 4424 vvvvp.exe 2680 vpdjj.exe 4988 dvdjj.exe 2000 pdjdd.exe 3548 vdvvv.exe 1772 jdddd.exe 2656 vdvpp.exe 708 jjvvp.exe 1948 ppjdv.exe 2672 vpvpp.exe 488 9jppp.exe 1692 ppppp.exe 3128 jjjdd.exe 904 vvppp.exe 1124 vvvvv.exe 1280 ddppj.exe 2620 ddppp.exe 1672 vdjjj.exe 2460 jjpdv.exe 4768 pjvpv.exe 552 ddpjd.exe 3456 pjppj.exe 5076 jdvvp.exe 3160 bhnnnn.exe 3168 btbtnn.exe 1012 tnnbtn.exe -
Processes:
resource yara_rule behavioral2/memory/1848-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ca7-3.dat upx behavioral2/memory/1848-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-11.dat upx behavioral2/memory/2992-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3360-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-14.dat upx behavioral2/memory/560-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-22.dat upx behavioral2/memory/4928-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4036-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ca8-29.dat upx behavioral2/files/0x000d000000023b7c-34.dat upx behavioral2/memory/1984-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4036-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-42.dat upx behavioral2/memory/3584-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-49.dat upx behavioral2/files/0x0007000000023cb1-53.dat upx behavioral2/memory/1428-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1972-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1316-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-60.dat upx behavioral2/files/0x0007000000023cb3-65.dat upx behavioral2/memory/1316-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-71.dat upx behavioral2/memory/2656-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-79.dat upx behavioral2/memory/1788-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1996-74-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cb6-85.dat upx behavioral2/memory/1372-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-90.dat upx behavioral2/memory/1016-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-95.dat upx behavioral2/files/0x0007000000023cb9-102.dat upx behavioral2/memory/4460-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0002000000022ae8-108.dat upx behavioral2/memory/1500-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0002000000022af2-114.dat upx behavioral2/memory/260-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023b75-119.dat upx behavioral2/files/0x000c000000023b79-124.dat upx behavioral2/files/0x0007000000023cba-129.dat upx behavioral2/memory/212-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-135.dat upx behavioral2/memory/452-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-141.dat upx behavioral2/memory/3460-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-147.dat upx behavioral2/memory/4820-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-153.dat upx behavioral2/memory/4220-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-159.dat upx behavioral2/memory/3252-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-165.dat upx behavioral2/memory/5068-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-171.dat upx behavioral2/memory/4572-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-177.dat upx behavioral2/memory/2624-179-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cc4-183.dat upx behavioral2/memory/64-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc8-190.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
ppppp.exejvdvp.exepvddv.exejjjpp.exehthbtb.exebnthbb.exepjjdd.exetthhbh.exe5dvvp.exedpdjp.exelxxxrxr.exenhhbtt.exe3pvpd.exejdvvp.exe1xrrrrr.exepddvp.exeddpjd.exepppdj.exeffrrfff.exehhbbhn.exejvvpj.exe9jvvj.exelrfrrxx.exebtnhbh.exenhnnhh.exejdpjp.exelffffff.exehhthhb.exedjpjd.exeppddj.exepdddv.exennthbh.exevvppj.exeflflrxr.exeffxxxrx.exexlrllrl.exedvdpp.exejvjvp.exevpvvv.exehtnbth.exehbbtnt.exerxlxrrr.exennbtbb.exexrfxrlr.exepddpd.exedjjdd.exethbthh.exe5fxflff.exe5xrlllf.exerrrrxfx.exehtbhhb.exejjjdv.exerxrlfrl.exetnbnnn.exerlfxrlf.exefxxrlxx.exehntnbb.exevpdvp.exe3hnnhn.exenhbtnn.exebhnhtt.exe7frlrxf.exerxrlflf.exepvddj.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flflrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbth.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frlrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a572002f055b6353b4dd9b7c0254e984a92ba73779b0bd7f3b998984c3608fa0N.exexxxxxxf.exeddvpv.exexfrllll.exevdpdv.exepdpjd.exefxxxrxl.exetnhnnh.exejdjjj.exetnbbtn.exennbtnn.exellxxrrr.exerrlllxf.exelfrrxff.exeffrrrxf.exerlrrxxf.exebnnnht.exejjvvv.exennhhnt.exentbnhh.exe9ntnnn.exepvjjd.exedescription pid Process procid_target PID 1848 wrote to memory of 2992 1848 a572002f055b6353b4dd9b7c0254e984a92ba73779b0bd7f3b998984c3608fa0N.exe 85 PID 1848 wrote to memory of 2992 1848 a572002f055b6353b4dd9b7c0254e984a92ba73779b0bd7f3b998984c3608fa0N.exe 85 PID 1848 wrote to memory of 2992 1848 a572002f055b6353b4dd9b7c0254e984a92ba73779b0bd7f3b998984c3608fa0N.exe 85 PID 2992 wrote to memory of 3360 2992 xxxxxxf.exe 87 PID 2992 wrote to memory of 3360 2992 xxxxxxf.exe 87 PID 2992 wrote to memory of 3360 2992 xxxxxxf.exe 87 PID 3360 wrote to memory of 560 3360 ddvpv.exe 88 PID 3360 wrote to memory of 560 3360 ddvpv.exe 88 PID 3360 wrote to memory of 560 3360 ddvpv.exe 88 PID 560 wrote to memory of 4928 560 xfrllll.exe 89 PID 560 wrote to memory of 4928 560 xfrllll.exe 89 PID 560 wrote to memory of 4928 560 xfrllll.exe 89 PID 4928 wrote to memory of 4036 4928 vdpdv.exe 90 PID 4928 wrote to memory of 4036 4928 vdpdv.exe 90 PID 4928 wrote to memory of 4036 4928 vdpdv.exe 90 PID 4036 wrote to memory of 1984 4036 pdpjd.exe 91 PID 4036 wrote to memory of 1984 4036 pdpjd.exe 91 PID 4036 wrote to memory of 1984 4036 pdpjd.exe 91 PID 1984 wrote to memory of 3584 1984 fxxxrxl.exe 92 PID 1984 wrote to memory of 3584 1984 fxxxrxl.exe 92 PID 1984 wrote to memory of 3584 1984 fxxxrxl.exe 92 PID 3584 wrote to memory of 1972 3584 tnhnnh.exe 93 PID 3584 wrote to memory of 1972 3584 tnhnnh.exe 93 PID 3584 wrote to memory of 1972 3584 tnhnnh.exe 93 PID 1972 wrote to memory of 1428 1972 jdjjj.exe 94 PID 1972 wrote to memory of 1428 1972 jdjjj.exe 94 PID 1972 wrote to memory of 1428 1972 jdjjj.exe 94 PID 1428 wrote to memory of 1316 1428 tnbbtn.exe 95 PID 1428 wrote to memory of 1316 1428 tnbbtn.exe 95 PID 
1428 wrote to memory of 1316 1428 tnbbtn.exe 95 PID 1316 wrote to memory of 1996 1316 nnbtnn.exe 98 PID 1316 wrote to memory of 1996 1316 nnbtnn.exe 98 PID 1316 wrote to memory of 1996 1316 nnbtnn.exe 98 PID 1996 wrote to memory of 2656 1996 llxxrrr.exe 99 PID 1996 wrote to memory of 2656 1996 llxxrrr.exe 99 PID 1996 wrote to memory of 2656 1996 llxxrrr.exe 99 PID 2656 wrote to memory of 1788 2656 rrlllxf.exe 100 PID 2656 wrote to memory of 1788 2656 rrlllxf.exe 100 PID 2656 wrote to memory of 1788 2656 rrlllxf.exe 100 PID 1788 wrote to memory of 1372 1788 lfrrxff.exe 101 PID 1788 wrote to memory of 1372 1788 lfrrxff.exe 101 PID 1788 wrote to memory of 1372 1788 lfrrxff.exe 101 PID 1372 wrote to memory of 1016 1372 ffrrrxf.exe 102 PID 1372 wrote to memory of 1016 1372 ffrrrxf.exe 102 PID 1372 wrote to memory of 1016 1372 ffrrrxf.exe 102 PID 1016 wrote to memory of 2788 1016 rlrrxxf.exe 104 PID 1016 wrote to memory of 2788 1016 rlrrxxf.exe 104 PID 1016 wrote to memory of 2788 1016 rlrrxxf.exe 104 PID 2788 wrote to memory of 4460 2788 bnnnht.exe 106 PID 2788 wrote to memory of 4460 2788 bnnnht.exe 106 PID 2788 wrote to memory of 4460 2788 bnnnht.exe 106 PID 4460 wrote to memory of 1500 4460 jjvvv.exe 107 PID 4460 wrote to memory of 1500 4460 jjvvv.exe 107 PID 4460 wrote to memory of 1500 4460 jjvvv.exe 107 PID 1500 wrote to memory of 260 1500 nnhhnt.exe 108 PID 1500 wrote to memory of 260 1500 nnhhnt.exe 108 PID 1500 wrote to memory of 260 1500 nnhhnt.exe 108 PID 260 wrote to memory of 1608 260 ntbnhh.exe 109 PID 260 wrote to memory of 1608 260 ntbnhh.exe 109 PID 260 wrote to memory of 1608 260 ntbnhh.exe 109 PID 1608 wrote to memory of 212 1608 9ntnnn.exe 110 PID 1608 wrote to memory of 212 1608 9ntnnn.exe 110 PID 1608 wrote to memory of 212 1608 9ntnnn.exe 110 PID 212 wrote to memory of 452 212 pvjjd.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\a572002f055b6353b4dd9b7c0254e984a92ba73779b0bd7f3b998984c3608fa0N.exe"C:\Users\Admin\AppData\Local\Temp\a572002f055b6353b4dd9b7c0254e984a92ba73779b0bd7f3b998984c3608fa0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\xxxxxxf.exec:\xxxxxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\ddvpv.exec:\ddvpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\xfrllll.exec:\xfrllll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560 -
\??\c:\vdpdv.exec:\vdpdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\pdpjd.exec:\pdpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\fxxxrxl.exec:\fxxxrxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\tnhnnh.exec:\tnhnnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\jdjjj.exec:\jdjjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\tnbbtn.exec:\tnbbtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\nnbtnn.exec:\nnbtnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\llxxrrr.exec:\llxxrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\rrlllxf.exec:\rrlllxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\lfrrxff.exec:\lfrrxff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\ffrrrxf.exec:\ffrrrxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\rlrrxxf.exec:\rlrrxxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\bnnnht.exec:\bnnnht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\jjvvv.exec:\jjvvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\nnhhnt.exec:\nnhhnt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\ntbnhh.exec:\ntbnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:260 -
\??\c:\9ntnnn.exec:\9ntnnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\pvjjd.exec:\pvjjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\djjpj.exec:\djjpj.exe23⤵
- Executes dropped EXE
PID:452 -
\??\c:\pppdv.exec:\pppdv.exe24⤵
- Executes dropped EXE
PID:3460 -
\??\c:\llfxrlf.exec:\llfxrlf.exe25⤵
- Executes dropped EXE
PID:4820 -
\??\c:\btntnt.exec:\btntnt.exe26⤵
- Executes dropped EXE
PID:4220 -
\??\c:\ppjjp.exec:\ppjjp.exe27⤵
- Executes dropped EXE
PID:3252 -
\??\c:\fxrxrxr.exec:\fxrxrxr.exe28⤵
- Executes dropped EXE
PID:5068 -
\??\c:\hhthhb.exec:\hhthhb.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4572 -
\??\c:\pvddj.exec:\pvddj.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2624 -
\??\c:\flffxfr.exec:\flffxfr.exe31⤵
- Executes dropped EXE
PID:4368 -
\??\c:\frrllfl.exec:\frrllfl.exe32⤵
- Executes dropped EXE
PID:64 -
\??\c:\pppvp.exec:\pppvp.exe33⤵
- Executes dropped EXE
PID:1484 -
\??\c:\tbntnt.exec:\tbntnt.exe34⤵
- Executes dropped EXE
PID:4052 -
\??\c:\djpjd.exec:\djpjd.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4296 -
\??\c:\bhbbbb.exec:\bhbbbb.exe36⤵
- Executes dropped EXE
PID:4928 -
\??\c:\nthhnn.exec:\nthhnn.exe37⤵
- Executes dropped EXE
PID:1468 -
\??\c:\vvppv.exec:\vvppv.exe38⤵
- Executes dropped EXE
PID:1120 -
\??\c:\jjvvp.exec:\jjvvp.exe39⤵
- Executes dropped EXE
PID:4996 -
\??\c:\vvvvp.exec:\vvvvp.exe40⤵
- Executes dropped EXE
PID:4424 -
\??\c:\vpdjj.exec:\vpdjj.exe41⤵
- Executes dropped EXE
PID:2680 -
\??\c:\dvdjj.exec:\dvdjj.exe42⤵
- Executes dropped EXE
PID:4988 -
\??\c:\pdjdd.exec:\pdjdd.exe43⤵
- Executes dropped EXE
PID:2000 -
\??\c:\vdvvv.exec:\vdvvv.exe44⤵
- Executes dropped EXE
PID:3548 -
\??\c:\jdddd.exec:\jdddd.exe45⤵
- Executes dropped EXE
PID:1772 -
\??\c:\vdvpp.exec:\vdvpp.exe46⤵
- Executes dropped EXE
PID:2656 -
\??\c:\jjvvp.exec:\jjvvp.exe47⤵
- Executes dropped EXE
PID:708 -
\??\c:\ppjdv.exec:\ppjdv.exe48⤵
- Executes dropped EXE
PID:1948 -
\??\c:\vpvpp.exec:\vpvpp.exe49⤵
- Executes dropped EXE
PID:2672 -
\??\c:\9jppp.exec:\9jppp.exe50⤵
- Executes dropped EXE
PID:488 -
\??\c:\ppppp.exec:\ppppp.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692 -
\??\c:\jjjdd.exec:\jjjdd.exe52⤵
- Executes dropped EXE
PID:3128 -
\??\c:\vvppp.exec:\vvppp.exe53⤵
- Executes dropped EXE
PID:904 -
\??\c:\vvvvv.exec:\vvvvv.exe54⤵
- Executes dropped EXE
PID:1124 -
\??\c:\ddppj.exec:\ddppj.exe55⤵
- Executes dropped EXE
PID:1280 -
\??\c:\ddppp.exec:\ddppp.exe56⤵
- Executes dropped EXE
PID:2620 -
\??\c:\vdjjj.exec:\vdjjj.exe57⤵
- Executes dropped EXE
PID:1672 -
\??\c:\jjpdv.exec:\jjpdv.exe58⤵
- Executes dropped EXE
PID:2460 -
\??\c:\pjvpv.exec:\pjvpv.exe59⤵
- Executes dropped EXE
PID:4768 -
\??\c:\ddpjd.exec:\ddpjd.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:552 -
\??\c:\pjppj.exec:\pjppj.exe61⤵
- Executes dropped EXE
PID:3456 -
\??\c:\jdvvp.exec:\jdvvp.exe62⤵
- Executes dropped EXE
PID:5076 -
\??\c:\bhnnnn.exec:\bhnnnn.exe63⤵
- Executes dropped EXE
PID:3160 -
\??\c:\btbtnn.exec:\btbtnn.exe64⤵
- Executes dropped EXE
PID:3168 -
\??\c:\tnnbtn.exec:\tnnbtn.exe65⤵
- Executes dropped EXE
PID:1012 -
\??\c:\hhhbth.exec:\hhhbth.exe66⤵PID:1172
-
\??\c:\fxrlxlf.exec:\fxrlxlf.exe67⤵PID:3304
-
\??\c:\lrxxrrr.exec:\lrxxrrr.exe68⤵PID:3200
-
\??\c:\rflxrlx.exec:\rflxrlx.exe69⤵PID:3676
-
\??\c:\rxrlfxx.exec:\rxrlfxx.exe70⤵PID:3436
-
\??\c:\rrrlllf.exec:\rrrlllf.exe71⤵PID:2216
-
\??\c:\rfrfxrl.exec:\rfrfxrl.exe72⤵PID:4004
-
\??\c:\jdpjd.exec:\jdpjd.exe73⤵PID:3344
-
\??\c:\jppjv.exec:\jppjv.exe74⤵PID:2616
-
\??\c:\jdpdp.exec:\jdpdp.exe75⤵PID:4000
-
\??\c:\jvjdv.exec:\jvjdv.exe76⤵PID:4800
-
\??\c:\pjvjd.exec:\pjvjd.exe77⤵PID:4888
-
\??\c:\vvvpd.exec:\vvvpd.exe78⤵PID:2936
-
\??\c:\djjdj.exec:\djjdj.exe79⤵PID:2596
-
\??\c:\jvjpj.exec:\jvjpj.exe80⤵PID:232
-
\??\c:\5dvpj.exec:\5dvpj.exe81⤵PID:1936
-
\??\c:\dvjdj.exec:\dvjdj.exe82⤵PID:3188
-
\??\c:\hthbtb.exec:\hthbtb.exe83⤵
- System Location Discovery: System Language Discovery
PID:2128 -
\??\c:\ntbthh.exec:\ntbthh.exe84⤵PID:2892
-
\??\c:\tbbtnh.exec:\tbbtnh.exe85⤵PID:1316
-
\??\c:\thnhbt.exec:\thnhbt.exe86⤵PID:2000
-
\??\c:\bhhbtt.exec:\bhhbtt.exe87⤵PID:2964
-
\??\c:\xrfflff.exec:\xrfflff.exe88⤵PID:564
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe89⤵PID:1276
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe90⤵PID:652
-
\??\c:\flflrxr.exec:\flflrxr.exe91⤵
- System Location Discovery: System Language Discovery
PID:2268 -
\??\c:\lxfxrrr.exec:\lxfxrrr.exe92⤵PID:1016
-
\??\c:\fllfxxr.exec:\fllfxxr.exe93⤵PID:412
-
\??\c:\ffxxxrx.exec:\ffxxxrx.exe94⤵
- System Location Discovery: System Language Discovery
PID:1584 -
\??\c:\lrxlflf.exec:\lrxlflf.exe95⤵PID:2200
-
\??\c:\jdppp.exec:\jdppp.exe96⤵PID:4396
-
\??\c:\ppjdv.exec:\ppjdv.exe97⤵PID:1912
-
\??\c:\jpppj.exec:\jpppj.exe98⤵PID:3356
-
\??\c:\dvjjv.exec:\dvjjv.exe99⤵PID:3684
-
\??\c:\jjdpp.exec:\jjdpp.exe100⤵PID:2940
-
\??\c:\djppj.exec:\djppj.exe101⤵PID:1608
-
\??\c:\vpdvv.exec:\vpdvv.exe102⤵PID:3928
-
\??\c:\ddddv.exec:\ddddv.exe103⤵PID:3720
-
\??\c:\jpvvv.exec:\jpvvv.exe104⤵PID:228
-
\??\c:\pjpjd.exec:\pjpjd.exe105⤵PID:1716
-
\??\c:\bhhttt.exec:\bhhttt.exe106⤵PID:1044
-
\??\c:\jjvdj.exec:\jjvdj.exe107⤵PID:4064
-
\??\c:\htnbhh.exec:\htnbhh.exe108⤵PID:4340
-
\??\c:\vjdvv.exec:\vjdvv.exe109⤵PID:2344
-
\??\c:\vppdv.exec:\vppdv.exe110⤵PID:3252
-
\??\c:\bnthbb.exec:\bnthbb.exe111⤵
- System Location Discovery: System Language Discovery
PID:900 -
\??\c:\tbnttb.exec:\tbnttb.exe112⤵PID:3664
-
\??\c:\tbhhnn.exec:\tbhhnn.exe113⤵PID:1944
-
\??\c:\bhnnnt.exec:\bhnnnt.exe114⤵PID:3200
-
\??\c:\thbntn.exec:\thbntn.exe115⤵PID:2676
-
\??\c:\bbnntt.exec:\bbnntt.exe116⤵PID:2016
-
\??\c:\nbttbb.exec:\nbttbb.exe117⤵PID:2600
-
\??\c:\thttbh.exec:\thttbh.exe118⤵PID:4464
-
\??\c:\pvvpp.exec:\pvvpp.exe119⤵PID:2904
-
\??\c:\dppjv.exec:\dppjv.exe120⤵PID:2960
-
\??\c:\dvjdd.exec:\dvjdd.exe121⤵PID:2412
-
\??\c:\nntnhn.exec:\nntnhn.exe122⤵PID:4344