Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 02:04
Static task
static1
Behavioral task
behavioral1
Sample
926847c64bbe37f6f2dd316ed6339a8dcebb78cbadb7a8828cb1ff068dc2f8e5.exe
Resource
win7-20241010-en
General
-
Target
926847c64bbe37f6f2dd316ed6339a8dcebb78cbadb7a8828cb1ff068dc2f8e5.exe
-
Size
453KB
-
MD5
f0669a0ecc6efac4e3159d57b9ce7ee9
-
SHA1
6e9abbd2a5e52fb8dd8023332cc7f593c2bf6798
-
SHA256
926847c64bbe37f6f2dd316ed6339a8dcebb78cbadb7a8828cb1ff068dc2f8e5
-
SHA512
3b46cfe494247febf41d5d9edd315ab01e0081eb21a7d678e44378a10434eae33d53b35295d481cf9ccae7cd32fa497f9869be5dbc974339d88eb48e01bcdaf0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
Processes:
resource yara_rule behavioral2/memory/5064-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4856-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1208-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-969-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-1058-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
vpppp.exe9nttnn.exe5dvvd.exevjjjd.exedvdjd.exelrxrrxx.exe9dddd.exe3ttbtt.exexlfffff.exe9hhnbh.exettnnhh.exejppjp.exellrrrxx.exejjjjj.exehbbbbb.exenhtnnn.exeddvpv.exeddjdd.exejvvvp.exeffxrffl.exellxxxxf.exevddjj.exebbhbbb.exerllxrrl.exejdpjj.exexflfrlf.exedvjdj.exe9bthtt.exelrxrrxr.exe1jjdp.exefxllrrr.exenntntt.exexfxxrxr.exetttbbb.exevdjdd.exe9fffxfx.exebbtnth.exe7jppj.exejjpdv.exeffffxff.exetbnnht.exejdpjp.exedvpjj.exexlrllxx.exe7htttt.exevpjdj.exeffrrrrr.exexxlllll.exetntbbb.exettbttb.exe5flfxxx.exefrrxrxr.exe1hthbb.exe5jppj.exedpvvp.exelfxlxrl.exetbhbtn.exedjpjv.exerllfrrl.exe1ttttb.exettbbbh.exerflxlfx.exelfrlrll.exethhhhb.exepid process 2564 vpppp.exe 5044 9nttnn.exe 1488 5dvvd.exe 2728 vjjjd.exe 868 dvdjd.exe 408 lrxrrxx.exe 2716 9dddd.exe 228 3ttbtt.exe 3324 xlfffff.exe 64 9hhnbh.exe 3996 ttnnhh.exe 2108 jppjp.exe 1828 llrrrxx.exe 2492 jjjjj.exe 4280 hbbbbb.exe 4492 nhtnnn.exe 5008 ddvpv.exe 3240 ddjdd.exe 1700 jvvvp.exe 4728 ffxrffl.exe 628 llxxxxf.exe 1812 vddjj.exe 2700 bbhbbb.exe 1592 rllxrrl.exe 4736 jdpjj.exe 4856 xflfrlf.exe 3496 dvjdj.exe 392 9bthtt.exe 4880 lrxrrxr.exe 1616 1jjdp.exe 4660 fxllrrr.exe 1236 nntntt.exe 2468 xfxxrxr.exe 4380 tttbbb.exe 3752 vdjdd.exe 2188 9fffxfx.exe 3932 bbtnth.exe 2164 7jppj.exe 432 jjpdv.exe 320 ffffxff.exe 2336 tbnnht.exe 5000 jdpjp.exe 4636 dvpjj.exe 2680 xlrllxx.exe 4644 7htttt.exe 4904 vpjdj.exe 996 ffrrrrr.exe 3404 xxlllll.exe 2208 tntbbb.exe 1716 ttbttb.exe 1636 5flfxxx.exe 2832 frrxrxr.exe 1296 1hthbb.exe 2696 5jppj.exe 3596 dpvvp.exe 2296 lfxlxrl.exe 2964 tbhbtn.exe 3840 djpjv.exe 4768 rllfrrl.exe 1780 1ttttb.exe 1984 ttbbbh.exe 4068 rflxlfx.exe 868 lfrlrll.exe 4016 thhhhb.exe -
Processes:
resource yara_rule behavioral2/memory/5064-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4856-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-346-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4436-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-711-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
djpjj.exe7lfxlll.exenbhhbh.exenhtbbh.exedvpjj.exehbhhhn.exejppdv.exe9lllfff.exexxlllll.exelxllllf.exehbbthh.exe7hhbnn.exelllfrrl.exehththh.exelflxrll.exepvpjj.exepvdvv.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhhn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hththh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
926847c64bbe37f6f2dd316ed6339a8dcebb78cbadb7a8828cb1ff068dc2f8e5.exevpppp.exe9nttnn.exe5dvvd.exevjjjd.exedvdjd.exelrxrrxx.exe9dddd.exe3ttbtt.exexlfffff.exe9hhnbh.exettnnhh.exejppjp.exellrrrxx.exejjjjj.exehbbbbb.exenhtnnn.exeddvpv.exeddjdd.exejvvvp.exeffxrffl.exellxxxxf.exedescription pid process target process PID 5064 wrote to memory of 2564 5064 926847c64bbe37f6f2dd316ed6339a8dcebb78cbadb7a8828cb1ff068dc2f8e5.exe vpppp.exe PID 5064 wrote to memory of 2564 5064 926847c64bbe37f6f2dd316ed6339a8dcebb78cbadb7a8828cb1ff068dc2f8e5.exe vpppp.exe PID 5064 wrote to memory of 2564 5064 926847c64bbe37f6f2dd316ed6339a8dcebb78cbadb7a8828cb1ff068dc2f8e5.exe vpppp.exe PID 2564 wrote to memory of 5044 2564 vpppp.exe 9nttnn.exe PID 2564 wrote to memory of 5044 2564 vpppp.exe 9nttnn.exe PID 2564 wrote to memory of 5044 2564 vpppp.exe 9nttnn.exe PID 5044 wrote to memory of 1488 5044 9nttnn.exe 5dvvd.exe PID 5044 wrote to memory of 1488 5044 9nttnn.exe 5dvvd.exe PID 5044 wrote to memory of 1488 5044 9nttnn.exe 5dvvd.exe PID 1488 wrote to memory of 2728 1488 5dvvd.exe vjjjd.exe PID 1488 wrote to memory of 2728 1488 5dvvd.exe vjjjd.exe PID 1488 wrote to memory of 2728 1488 5dvvd.exe vjjjd.exe PID 2728 wrote to memory of 868 2728 vjjjd.exe dvdjd.exe PID 2728 wrote to memory of 868 2728 vjjjd.exe dvdjd.exe PID 2728 wrote to memory of 868 2728 vjjjd.exe dvdjd.exe PID 868 wrote to memory of 408 868 dvdjd.exe lrxrrxx.exe PID 868 wrote to memory of 408 868 dvdjd.exe lrxrrxx.exe PID 868 wrote to memory of 408 868 dvdjd.exe lrxrrxx.exe PID 408 wrote to memory of 2716 408 lrxrrxx.exe 9dddd.exe PID 408 wrote to memory of 2716 408 lrxrrxx.exe 9dddd.exe PID 408 wrote to memory of 2716 408 lrxrrxx.exe 9dddd.exe PID 2716 wrote to memory of 228 2716 9dddd.exe 3ttbtt.exe PID 2716 wrote to memory of 228 2716 9dddd.exe 3ttbtt.exe PID 2716 wrote to memory of 228 2716 9dddd.exe 3ttbtt.exe PID 228 wrote to memory of 3324 228 3ttbtt.exe xlfffff.exe PID 228 wrote to memory of 3324 228 3ttbtt.exe xlfffff.exe 
PID 228 wrote to memory of 3324 228 3ttbtt.exe xlfffff.exe PID 3324 wrote to memory of 64 3324 xlfffff.exe 9hhnbh.exe PID 3324 wrote to memory of 64 3324 xlfffff.exe 9hhnbh.exe PID 3324 wrote to memory of 64 3324 xlfffff.exe 9hhnbh.exe PID 64 wrote to memory of 3996 64 9hhnbh.exe ttnnhh.exe PID 64 wrote to memory of 3996 64 9hhnbh.exe ttnnhh.exe PID 64 wrote to memory of 3996 64 9hhnbh.exe ttnnhh.exe PID 3996 wrote to memory of 2108 3996 ttnnhh.exe jppjp.exe PID 3996 wrote to memory of 2108 3996 ttnnhh.exe jppjp.exe PID 3996 wrote to memory of 2108 3996 ttnnhh.exe jppjp.exe PID 2108 wrote to memory of 1828 2108 jppjp.exe llrrrxx.exe PID 2108 wrote to memory of 1828 2108 jppjp.exe llrrrxx.exe PID 2108 wrote to memory of 1828 2108 jppjp.exe llrrrxx.exe PID 1828 wrote to memory of 2492 1828 llrrrxx.exe jjjjj.exe PID 1828 wrote to memory of 2492 1828 llrrrxx.exe jjjjj.exe PID 1828 wrote to memory of 2492 1828 llrrrxx.exe jjjjj.exe PID 2492 wrote to memory of 4280 2492 jjjjj.exe hbbbbb.exe PID 2492 wrote to memory of 4280 2492 jjjjj.exe hbbbbb.exe PID 2492 wrote to memory of 4280 2492 jjjjj.exe hbbbbb.exe PID 4280 wrote to memory of 4492 4280 hbbbbb.exe nhtnnn.exe PID 4280 wrote to memory of 4492 4280 hbbbbb.exe nhtnnn.exe PID 4280 wrote to memory of 4492 4280 hbbbbb.exe nhtnnn.exe PID 4492 wrote to memory of 5008 4492 nhtnnn.exe ddvpv.exe PID 4492 wrote to memory of 5008 4492 nhtnnn.exe ddvpv.exe PID 4492 wrote to memory of 5008 4492 nhtnnn.exe ddvpv.exe PID 5008 wrote to memory of 3240 5008 ddvpv.exe ddjdd.exe PID 5008 wrote to memory of 3240 5008 ddvpv.exe ddjdd.exe PID 5008 wrote to memory of 3240 5008 ddvpv.exe ddjdd.exe PID 3240 wrote to memory of 1700 3240 ddjdd.exe jvvvp.exe PID 3240 wrote to memory of 1700 3240 ddjdd.exe jvvvp.exe PID 3240 wrote to memory of 1700 3240 ddjdd.exe jvvvp.exe PID 1700 wrote to memory of 4728 1700 jvvvp.exe ffxrffl.exe PID 1700 wrote to memory of 4728 1700 jvvvp.exe ffxrffl.exe PID 1700 wrote to memory of 4728 1700 jvvvp.exe 
ffxrffl.exe PID 4728 wrote to memory of 628 4728 ffxrffl.exe llxxxxf.exe PID 4728 wrote to memory of 628 4728 ffxrffl.exe llxxxxf.exe PID 4728 wrote to memory of 628 4728 ffxrffl.exe llxxxxf.exe PID 628 wrote to memory of 1812 628 llxxxxf.exe vddjj.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\926847c64bbe37f6f2dd316ed6339a8dcebb78cbadb7a8828cb1ff068dc2f8e5.exe"C:\Users\Admin\AppData\Local\Temp\926847c64bbe37f6f2dd316ed6339a8dcebb78cbadb7a8828cb1ff068dc2f8e5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\vpppp.exec:\vpppp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\9nttnn.exec:\9nttnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\5dvvd.exec:\5dvvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\vjjjd.exec:\vjjjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\dvdjd.exec:\dvdjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\lrxrrxx.exec:\lrxrrxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\9dddd.exec:\9dddd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\3ttbtt.exec:\3ttbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\xlfffff.exec:\xlfffff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\9hhnbh.exec:\9hhnbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\ttnnhh.exec:\ttnnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\jppjp.exec:\jppjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\llrrrxx.exec:\llrrrxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\jjjjj.exec:\jjjjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\hbbbbb.exec:\hbbbbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\nhtnnn.exec:\nhtnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\ddvpv.exec:\ddvpv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\ddjdd.exec:\ddjdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\jvvvp.exec:\jvvvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\ffxrffl.exec:\ffxrffl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\llxxxxf.exec:\llxxxxf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\vddjj.exec:\vddjj.exe23⤵
- Executes dropped EXE
PID:1812 -
\??\c:\bbhbbb.exec:\bbhbbb.exe24⤵
- Executes dropped EXE
PID:2700 -
\??\c:\rllxrrl.exec:\rllxrrl.exe25⤵
- Executes dropped EXE
PID:1592 -
\??\c:\jdpjj.exec:\jdpjj.exe26⤵
- Executes dropped EXE
PID:4736 -
\??\c:\xflfrlf.exec:\xflfrlf.exe27⤵
- Executes dropped EXE
PID:4856 -
\??\c:\dvjdj.exec:\dvjdj.exe28⤵
- Executes dropped EXE
PID:3496 -
\??\c:\9bthtt.exec:\9bthtt.exe29⤵
- Executes dropped EXE
PID:392 -
\??\c:\lrxrrxr.exec:\lrxrrxr.exe30⤵
- Executes dropped EXE
PID:4880 -
\??\c:\1jjdp.exec:\1jjdp.exe31⤵
- Executes dropped EXE
PID:1616 -
\??\c:\fxllrrr.exec:\fxllrrr.exe32⤵
- Executes dropped EXE
PID:4660 -
\??\c:\nntntt.exec:\nntntt.exe33⤵
- Executes dropped EXE
PID:1236 -
\??\c:\xfxxrxr.exec:\xfxxrxr.exe34⤵
- Executes dropped EXE
PID:2468 -
\??\c:\tttbbb.exec:\tttbbb.exe35⤵
- Executes dropped EXE
PID:4380 -
\??\c:\vdjdd.exec:\vdjdd.exe36⤵
- Executes dropped EXE
PID:3752 -
\??\c:\9fffxfx.exec:\9fffxfx.exe37⤵
- Executes dropped EXE
PID:2188 -
\??\c:\bbtnth.exec:\bbtnth.exe38⤵
- Executes dropped EXE
PID:3932 -
\??\c:\7jppj.exec:\7jppj.exe39⤵
- Executes dropped EXE
PID:2164 -
\??\c:\jjpdv.exec:\jjpdv.exe40⤵
- Executes dropped EXE
PID:432 -
\??\c:\ffffxff.exec:\ffffxff.exe41⤵
- Executes dropped EXE
PID:320 -
\??\c:\tbnnht.exec:\tbnnht.exe42⤵
- Executes dropped EXE
PID:2336 -
\??\c:\jdpjp.exec:\jdpjp.exe43⤵
- Executes dropped EXE
PID:5000 -
\??\c:\dvpjj.exec:\dvpjj.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4636 -
\??\c:\xlrllxx.exec:\xlrllxx.exe45⤵
- Executes dropped EXE
PID:2680 -
\??\c:\7htttt.exec:\7htttt.exe46⤵
- Executes dropped EXE
PID:4644 -
\??\c:\vpjdj.exec:\vpjdj.exe47⤵
- Executes dropped EXE
PID:4904 -
\??\c:\ffrrrrr.exec:\ffrrrrr.exe48⤵
- Executes dropped EXE
PID:996 -
\??\c:\xxlllll.exec:\xxlllll.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3404 -
\??\c:\tntbbb.exec:\tntbbb.exe50⤵
- Executes dropped EXE
PID:2208 -
\??\c:\ttbttb.exec:\ttbttb.exe51⤵
- Executes dropped EXE
PID:1716 -
\??\c:\5flfxxx.exec:\5flfxxx.exe52⤵
- Executes dropped EXE
PID:1636 -
\??\c:\frrxrxr.exec:\frrxrxr.exe53⤵
- Executes dropped EXE
PID:2832 -
\??\c:\1hthbb.exec:\1hthbb.exe54⤵
- Executes dropped EXE
PID:1296 -
\??\c:\5jppj.exec:\5jppj.exe55⤵
- Executes dropped EXE
PID:2696 -
\??\c:\dpvvp.exec:\dpvvp.exe56⤵
- Executes dropped EXE
PID:3596 -
\??\c:\lfxlxrl.exec:\lfxlxrl.exe57⤵
- Executes dropped EXE
PID:2296 -
\??\c:\tbhbtn.exec:\tbhbtn.exe58⤵
- Executes dropped EXE
PID:2964 -
\??\c:\djpjv.exec:\djpjv.exe59⤵
- Executes dropped EXE
PID:3840 -
\??\c:\rllfrrl.exec:\rllfrrl.exe60⤵
- Executes dropped EXE
PID:4768 -
\??\c:\1ttttb.exec:\1ttttb.exe61⤵
- Executes dropped EXE
PID:1780 -
\??\c:\ttbbbh.exec:\ttbbbh.exe62⤵
- Executes dropped EXE
PID:1984 -
\??\c:\rflxlfx.exec:\rflxlfx.exe63⤵
- Executes dropped EXE
PID:4068 -
\??\c:\lfrlrll.exec:\lfrlrll.exe64⤵
- Executes dropped EXE
PID:868 -
\??\c:\thhhhb.exec:\thhhhb.exe65⤵
- Executes dropped EXE
PID:4016 -
\??\c:\7ppjv.exec:\7ppjv.exe66⤵PID:2588
-
\??\c:\lfllfll.exec:\lfllfll.exe67⤵PID:912
-
\??\c:\bttnbn.exec:\bttnbn.exe68⤵PID:2840
-
\??\c:\pjvpv.exec:\pjvpv.exe69⤵PID:3320
-
\??\c:\djvpp.exec:\djvpp.exe70⤵PID:4900
-
\??\c:\lrffrxx.exec:\lrffrxx.exe71⤵PID:1208
-
\??\c:\thhhhh.exec:\thhhhh.exe72⤵PID:2288
-
\??\c:\ppvpp.exec:\ppvpp.exe73⤵PID:1828
-
\??\c:\dvjdd.exec:\dvjdd.exe74⤵PID:3884
-
\??\c:\rrrllll.exec:\rrrllll.exe75⤵PID:516
-
\??\c:\tnbbhn.exec:\tnbbhn.exe76⤵PID:3316
-
\??\c:\thtnhh.exec:\thtnhh.exe77⤵PID:1072
-
\??\c:\3pddd.exec:\3pddd.exe78⤵PID:3988
-
\??\c:\flfrlfx.exec:\flfrlfx.exe79⤵PID:1752
-
\??\c:\bthbtn.exec:\bthbtn.exe80⤵PID:4728
-
\??\c:\pvjdp.exec:\pvjdp.exe81⤵PID:1252
-
\??\c:\rlrllll.exec:\rlrllll.exe82⤵PID:4436
-
\??\c:\nttnhb.exec:\nttnhb.exe83⤵PID:3636
-
\??\c:\ppvdp.exec:\ppvdp.exe84⤵PID:1672
-
\??\c:\rxllfll.exec:\rxllfll.exe85⤵PID:4592
-
\??\c:\3bttbb.exec:\3bttbb.exe86⤵PID:4736
-
\??\c:\hbtthn.exec:\hbtthn.exe87⤵PID:3760
-
\??\c:\5djdj.exec:\5djdj.exe88⤵PID:2020
-
\??\c:\fxrrfxf.exec:\fxrrfxf.exe89⤵PID:1568
-
\??\c:\lxllllf.exec:\lxllllf.exe90⤵
- System Location Discovery: System Language Discovery
PID:2356 -
\??\c:\hthtbt.exec:\hthtbt.exe91⤵PID:4880
-
\??\c:\1jdpj.exec:\1jdpj.exe92⤵PID:2004
-
\??\c:\xxffffx.exec:\xxffffx.exe93⤵PID:3424
-
\??\c:\thnnhh.exec:\thnnhh.exe94⤵PID:4184
-
\??\c:\nbnhhh.exec:\nbnhhh.exe95⤵PID:4240
-
\??\c:\vpvpp.exec:\vpvpp.exe96⤵PID:1144
-
\??\c:\rrrlffx.exec:\rrrlffx.exe97⤵PID:1132
-
\??\c:\hbnnnt.exec:\hbnnnt.exe98⤵PID:2024
-
\??\c:\djddv.exec:\djddv.exe99⤵PID:2360
-
\??\c:\llxlxxr.exec:\llxlxxr.exe100⤵PID:4164
-
\??\c:\9tbbtn.exec:\9tbbtn.exe101⤵PID:2952
-
\??\c:\ttbtnn.exec:\ttbtnn.exe102⤵PID:2384
-
\??\c:\pvpjj.exec:\pvpjj.exe103⤵
- System Location Discovery: System Language Discovery
PID:4396 -
\??\c:\9fllfff.exec:\9fllfff.exe104⤵PID:3340
-
\??\c:\3tthtt.exec:\3tthtt.exe105⤵PID:4384
-
\??\c:\pjpjd.exec:\pjpjd.exe106⤵PID:316
-
\??\c:\jdvpp.exec:\jdvpp.exe107⤵PID:920
-
\??\c:\lxllfff.exec:\lxllfff.exe108⤵PID:2680
-
\??\c:\5hthnt.exec:\5hthnt.exe109⤵PID:5040
-
\??\c:\dvddd.exec:\dvddd.exe110⤵PID:2220
-
\??\c:\3xfxxll.exec:\3xfxxll.exe111⤵PID:1436
-
\??\c:\1ttnhh.exec:\1ttnhh.exe112⤵PID:3016
-
\??\c:\9tbhhh.exec:\9tbhhh.exe113⤵PID:2208
-
\??\c:\pjpdv.exec:\pjpdv.exe114⤵PID:1716
-
\??\c:\fxfrfff.exec:\fxfrfff.exe115⤵PID:1636
-
\??\c:\nhtnbt.exec:\nhtnbt.exe116⤵PID:1468
-
\??\c:\5nnnhn.exec:\5nnnhn.exe117⤵PID:4748
-
\??\c:\pjvpj.exec:\pjvpj.exe118⤵PID:2672
-
\??\c:\5lrrfff.exec:\5lrrfff.exe119⤵PID:3164
-
\??\c:\nthnnb.exec:\nthnnb.exe120⤵PID:2296
-
\??\c:\hhbbbb.exec:\hhbbbb.exe121⤵PID:2964
-
\??\c:\djpjj.exec:\djpjj.exe122⤵
- System Location Discovery: System Language Discovery
PID:2784