Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 02:13
Static task
static1
Behavioral task
behavioral1
Sample
94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe
Resource
win7-20240729-en
General
-
Target
94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe
-
Size
455KB
-
MD5
d0246ea9665f16b301cd37508b7c8b78
-
SHA1
597a09e53cdcf69b04e1ee1bac61489a8fadbb18
-
SHA256
94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3
-
SHA512
44ced969ddbc215c50b8931f606dd0646bf62ec1cfedc72b8099b63bd1d8b99b8baef3bc1dcb90f808c47196c75a3e9f720acb5620d9fc27e34c75613ea2d6ee
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRd:q7Tc2NYHUrAwfMp3CDRd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/1120-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/668-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/332-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2616-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-977-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-1029-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2404-1529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
xxxxrrr.exettbtbt.exevvjvv.exeddjjj.exe9rrlfll.exehhbbnn.exe1jvpp.exerfxxlxl.exetnnhnn.exefllxllf.exe9xllflf.exehbnhbb.exe7jjdp.exellrlllf.exe5tnhbb.exe7ddvp.exe5xfxxxf.exeppdvv.exepjpjd.exerlrxrxr.exenhnhhh.exejjvpj.exe5vvpd.exerxfxrlf.exentthbt.exedvvjd.exexllxxrl.exe3hbtht.exejppdp.exe7fllflr.exe5ppjv.exejvvpj.exefrrlxrl.exe5nhbnh.exe7ddvv.exerfxlxxr.exejdpjj.exeffflfff.exelxrfxrl.exe3bbbth.exevjpdp.exefxrrllf.exefrlfrlf.exe9nhbtt.exedjdvd.exerrrlxll.exe7bbbtb.exebbhbhb.exepjjdd.exejvjpv.exerfxrfxr.exebhhthb.exenntnhh.exe3jjdp.exerlflllx.exennbhbt.exe5llfllx.exe7flxfxx.exehhnnht.exe3pvpp.exerrxlfxr.exehtthtn.exedjjpj.exe3jppj.exepid Process 3176 xxxxrrr.exe 4276 ttbtbt.exe 4540 vvjvv.exe 3608 ddjjj.exe 2224 9rrlfll.exe 2832 hhbbnn.exe 2876 1jvpp.exe 1880 rfxxlxl.exe 4356 tnnhnn.exe 2040 fllxllf.exe 1868 9xllflf.exe 2616 hbnhbb.exe 4620 7jjdp.exe 2708 llrlllf.exe 3204 5tnhbb.exe 1768 7ddvp.exe 4832 5xfxxxf.exe 3256 ppdvv.exe 3164 pjpjd.exe 2568 rlrxrxr.exe 4408 nhnhhh.exe 1432 jjvpj.exe 3120 5vvpd.exe 4752 rxfxrlf.exe 4592 ntthbt.exe 2284 dvvjd.exe 2076 xllxxrl.exe 4776 3hbtht.exe 432 jppdp.exe 4844 7fllflr.exe 2180 5ppjv.exe 1848 jvvpj.exe 668 frrlxrl.exe 3308 5nhbnh.exe 4892 7ddvv.exe 3044 rfxlxxr.exe 2884 jdpjj.exe 3664 ffflfff.exe 1116 lxrfxrl.exe 1964 3bbbth.exe 4248 vjpdp.exe 1380 fxrrllf.exe 428 frlfrlf.exe 2812 9nhbtt.exe 4412 djdvd.exe 2368 rrrlxll.exe 4388 7bbbtb.exe 1780 bbhbhb.exe 4704 pjjdd.exe 2576 jvjpv.exe 2364 rfxrfxr.exe 2984 bhhthb.exe 2204 nntnhh.exe 2752 3jjdp.exe 1532 rlflllx.exe 3108 nnbhbt.exe 2508 5llfllx.exe 332 7flxfxx.exe 2208 hhnnht.exe 2988 3pvpp.exe 4856 rrxlfxr.exe 3748 htthtn.exe 4944 djjpj.exe 3212 3jppj.exe -
Processes:
resource yara_rule behavioral2/memory/1120-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-196-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3308-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/332-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-74-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2024-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-744-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
5rfxxff.exe9vjdp.exennthtn.exehhbtnh.exellrfxff.exedddpj.exehtthtn.exedvdjd.exedvpdp.exe3jdvp.exexrlfllf.exe5ffxlxx.exe1jjdv.exeflxrllf.exe9tnhbb.exexlfxrrl.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
xrlfllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffxlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exexxxxrrr.exettbtbt.exevvjvv.exeddjjj.exe9rrlfll.exehhbbnn.exe1jvpp.exerfxxlxl.exetnnhnn.exefllxllf.exe9xllflf.exehbnhbb.exe7jjdp.exellrlllf.exe5tnhbb.exe7ddvp.exe5xfxxxf.exeppdvv.exepjpjd.exerlrxrxr.exenhnhhh.exedescription pid Process procid_target PID 1120 wrote to memory of 3176 1120 94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe 82 PID 1120 wrote to memory of 3176 1120 94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe 82 PID 1120 wrote to memory of 3176 1120 94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe 82 PID 3176 wrote to memory of 4276 3176 xxxxrrr.exe 83 PID 3176 wrote to memory of 4276 3176 xxxxrrr.exe 83 PID 3176 wrote to memory of 4276 3176 xxxxrrr.exe 83 PID 4276 wrote to memory of 4540 4276 ttbtbt.exe 84 PID 4276 wrote to memory of 4540 4276 ttbtbt.exe 84 PID 4276 wrote to memory of 4540 4276 ttbtbt.exe 84 PID 4540 wrote to memory of 3608 4540 vvjvv.exe 85 PID 4540 wrote to memory of 3608 4540 vvjvv.exe 85 PID 4540 wrote to memory of 3608 4540 vvjvv.exe 85 PID 3608 wrote to memory of 2224 3608 ddjjj.exe 86 PID 3608 wrote to memory of 2224 3608 ddjjj.exe 86 PID 3608 wrote to memory of 2224 3608 ddjjj.exe 86 PID 2224 wrote to memory of 2832 2224 9rrlfll.exe 87 PID 2224 wrote to memory of 2832 2224 9rrlfll.exe 87 PID 2224 wrote to memory of 2832 2224 9rrlfll.exe 87 PID 2832 wrote to memory of 2876 2832 hhbbnn.exe 88 PID 2832 wrote to memory of 2876 2832 hhbbnn.exe 88 PID 2832 wrote to memory of 2876 2832 hhbbnn.exe 88 PID 2876 wrote to memory of 1880 2876 1jvpp.exe 89 PID 2876 wrote to memory of 1880 2876 1jvpp.exe 89 PID 2876 wrote to memory of 1880 2876 1jvpp.exe 89 PID 1880 wrote to memory of 4356 1880 rfxxlxl.exe 90 PID 1880 wrote to memory of 4356 1880 rfxxlxl.exe 90 PID 1880 wrote to memory of 4356 1880 rfxxlxl.exe 90 PID 4356 wrote to memory of 2040 4356 tnnhnn.exe 91 PID 4356 wrote to memory of 2040 4356 tnnhnn.exe 91 
PID 4356 wrote to memory of 2040 4356 tnnhnn.exe 91 PID 2040 wrote to memory of 1868 2040 fllxllf.exe 92 PID 2040 wrote to memory of 1868 2040 fllxllf.exe 92 PID 2040 wrote to memory of 1868 2040 fllxllf.exe 92 PID 1868 wrote to memory of 2616 1868 9xllflf.exe 93 PID 1868 wrote to memory of 2616 1868 9xllflf.exe 93 PID 1868 wrote to memory of 2616 1868 9xllflf.exe 93 PID 2616 wrote to memory of 4620 2616 hbnhbb.exe 94 PID 2616 wrote to memory of 4620 2616 hbnhbb.exe 94 PID 2616 wrote to memory of 4620 2616 hbnhbb.exe 94 PID 4620 wrote to memory of 2708 4620 7jjdp.exe 95 PID 4620 wrote to memory of 2708 4620 7jjdp.exe 95 PID 4620 wrote to memory of 2708 4620 7jjdp.exe 95 PID 2708 wrote to memory of 3204 2708 llrlllf.exe 96 PID 2708 wrote to memory of 3204 2708 llrlllf.exe 96 PID 2708 wrote to memory of 3204 2708 llrlllf.exe 96 PID 3204 wrote to memory of 1768 3204 5tnhbb.exe 97 PID 3204 wrote to memory of 1768 3204 5tnhbb.exe 97 PID 3204 wrote to memory of 1768 3204 5tnhbb.exe 97 PID 1768 wrote to memory of 4832 1768 7ddvp.exe 98 PID 1768 wrote to memory of 4832 1768 7ddvp.exe 98 PID 1768 wrote to memory of 4832 1768 7ddvp.exe 98 PID 4832 wrote to memory of 3256 4832 5xfxxxf.exe 99 PID 4832 wrote to memory of 3256 4832 5xfxxxf.exe 99 PID 4832 wrote to memory of 3256 4832 5xfxxxf.exe 99 PID 3256 wrote to memory of 3164 3256 ppdvv.exe 100 PID 3256 wrote to memory of 3164 3256 ppdvv.exe 100 PID 3256 wrote to memory of 3164 3256 ppdvv.exe 100 PID 3164 wrote to memory of 2568 3164 pjpjd.exe 101 PID 3164 wrote to memory of 2568 3164 pjpjd.exe 101 PID 3164 wrote to memory of 2568 3164 pjpjd.exe 101 PID 2568 wrote to memory of 4408 2568 rlrxrxr.exe 102 PID 2568 wrote to memory of 4408 2568 rlrxrxr.exe 102 PID 2568 wrote to memory of 4408 2568 rlrxrxr.exe 102 PID 4408 wrote to memory of 1432 4408 nhnhhh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe"C:\Users\Admin\AppData\Local\Temp\94d99496a9087ccd0cafd80fa38b5fefd22ea107e580c0c9475c1af576a570b3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\xxxxrrr.exec:\xxxxrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\ttbtbt.exec:\ttbtbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\vvjvv.exec:\vvjvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\ddjjj.exec:\ddjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\9rrlfll.exec:\9rrlfll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\hhbbnn.exec:\hhbbnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\1jvpp.exec:\1jvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\rfxxlxl.exec:\rfxxlxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\tnnhnn.exec:\tnnhnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\fllxllf.exec:\fllxllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\9xllflf.exec:\9xllflf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\hbnhbb.exec:\hbnhbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\7jjdp.exec:\7jjdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\llrlllf.exec:\llrlllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\5tnhbb.exec:\5tnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\7ddvp.exec:\7ddvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\5xfxxxf.exec:\5xfxxxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\ppdvv.exec:\ppdvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\pjpjd.exec:\pjpjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\rlrxrxr.exec:\rlrxrxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\nhnhhh.exec:\nhnhhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\jjvpj.exec:\jjvpj.exe23⤵
- Executes dropped EXE
PID:1432 -
\??\c:\5vvpd.exec:\5vvpd.exe24⤵
- Executes dropped EXE
PID:3120 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe25⤵
- Executes dropped EXE
PID:4752 -
\??\c:\ntthbt.exec:\ntthbt.exe26⤵
- Executes dropped EXE
PID:4592 -
\??\c:\dvvjd.exec:\dvvjd.exe27⤵
- Executes dropped EXE
PID:2284 -
\??\c:\xllxxrl.exec:\xllxxrl.exe28⤵
- Executes dropped EXE
PID:2076 -
\??\c:\3hbtht.exec:\3hbtht.exe29⤵
- Executes dropped EXE
PID:4776 -
\??\c:\jppdp.exec:\jppdp.exe30⤵
- Executes dropped EXE
PID:432 -
\??\c:\7fllflr.exec:\7fllflr.exe31⤵
- Executes dropped EXE
PID:4844 -
\??\c:\5ppjv.exec:\5ppjv.exe32⤵
- Executes dropped EXE
PID:2180 -
\??\c:\jvvpj.exec:\jvvpj.exe33⤵
- Executes dropped EXE
PID:1848 -
\??\c:\frrlxrl.exec:\frrlxrl.exe34⤵
- Executes dropped EXE
PID:668 -
\??\c:\5nhbnh.exec:\5nhbnh.exe35⤵
- Executes dropped EXE
PID:3308 -
\??\c:\7ddvv.exec:\7ddvv.exe36⤵
- Executes dropped EXE
PID:4892 -
\??\c:\rfxlxxr.exec:\rfxlxxr.exe37⤵
- Executes dropped EXE
PID:3044 -
\??\c:\jdpjj.exec:\jdpjj.exe38⤵
- Executes dropped EXE
PID:2884 -
\??\c:\ffflfff.exec:\ffflfff.exe39⤵
- Executes dropped EXE
PID:3664 -
\??\c:\lxrfxrl.exec:\lxrfxrl.exe40⤵
- Executes dropped EXE
PID:1116 -
\??\c:\3bbbth.exec:\3bbbth.exe41⤵
- Executes dropped EXE
PID:1964 -
\??\c:\vjpdp.exec:\vjpdp.exe42⤵
- Executes dropped EXE
PID:4248 -
\??\c:\fxrrllf.exec:\fxrrllf.exe43⤵
- Executes dropped EXE
PID:1380 -
\??\c:\frlfrlf.exec:\frlfrlf.exe44⤵
- Executes dropped EXE
PID:428 -
\??\c:\9nhbtt.exec:\9nhbtt.exe45⤵
- Executes dropped EXE
PID:2812 -
\??\c:\djdvd.exec:\djdvd.exe46⤵
- Executes dropped EXE
PID:4412 -
\??\c:\rrrlxll.exec:\rrrlxll.exe47⤵
- Executes dropped EXE
PID:2368 -
\??\c:\7bbbtb.exec:\7bbbtb.exe48⤵
- Executes dropped EXE
PID:4388 -
\??\c:\bbhbhb.exec:\bbhbhb.exe49⤵
- Executes dropped EXE
PID:1780 -
\??\c:\pjjdd.exec:\pjjdd.exe50⤵
- Executes dropped EXE
PID:4704 -
\??\c:\jvjpv.exec:\jvjpv.exe51⤵
- Executes dropped EXE
PID:2576 -
\??\c:\rfxrfxr.exec:\rfxrfxr.exe52⤵
- Executes dropped EXE
PID:2364 -
\??\c:\bhhthb.exec:\bhhthb.exe53⤵
- Executes dropped EXE
PID:2984 -
\??\c:\nntnhh.exec:\nntnhh.exe54⤵
- Executes dropped EXE
PID:2204 -
\??\c:\3jjdp.exec:\3jjdp.exe55⤵
- Executes dropped EXE
PID:2752 -
\??\c:\rlflllx.exec:\rlflllx.exe56⤵
- Executes dropped EXE
PID:1532 -
\??\c:\nnbhbt.exec:\nnbhbt.exe57⤵
- Executes dropped EXE
PID:3108 -
\??\c:\5llfllx.exec:\5llfllx.exe58⤵
- Executes dropped EXE
PID:2508 -
\??\c:\7flxfxx.exec:\7flxfxx.exe59⤵
- Executes dropped EXE
PID:332 -
\??\c:\hhnnht.exec:\hhnnht.exe60⤵
- Executes dropped EXE
PID:2208 -
\??\c:\3pvpp.exec:\3pvpp.exe61⤵
- Executes dropped EXE
PID:2988 -
\??\c:\rrxlfxr.exec:\rrxlfxr.exe62⤵
- Executes dropped EXE
PID:4856 -
\??\c:\htthtn.exec:\htthtn.exe63⤵
- Executes dropped EXE
PID:3748 -
\??\c:\djjpj.exec:\djjpj.exe64⤵
- Executes dropped EXE
PID:4944 -
\??\c:\3jppj.exec:\3jppj.exe65⤵
- Executes dropped EXE
PID:3212 -
\??\c:\lrfrrfr.exec:\lrfrrfr.exe66⤵PID:3704
-
\??\c:\htbtnt.exec:\htbtnt.exe67⤵PID:2964
-
\??\c:\hhhhbt.exec:\hhhhbt.exe68⤵PID:3576
-
\??\c:\jjjpv.exec:\jjjpv.exe69⤵PID:4040
-
\??\c:\lffffff.exec:\lffffff.exe70⤵PID:4048
-
\??\c:\hhhbtt.exec:\hhhbtt.exe71⤵PID:700
-
\??\c:\htnhbn.exec:\htnhbn.exe72⤵PID:3256
-
\??\c:\ppdjd.exec:\ppdjd.exe73⤵PID:3440
-
\??\c:\lxlfxxx.exec:\lxlfxxx.exe74⤵PID:1064
-
\??\c:\xxfxxrl.exec:\xxfxxrl.exe75⤵PID:1644
-
\??\c:\bbnhnn.exec:\bbnhnn.exe76⤵PID:3888
-
\??\c:\ppvpp.exec:\ppvpp.exe77⤵PID:1804
-
\??\c:\3xrlffx.exec:\3xrlffx.exe78⤵PID:4332
-
\??\c:\rllflll.exec:\rllflll.exe79⤵PID:2020
-
\??\c:\9tthbn.exec:\9tthbn.exe80⤵PID:2372
-
\??\c:\9btnbb.exec:\9btnbb.exe81⤵PID:2284
-
\??\c:\5jvpj.exec:\5jvpj.exe82⤵PID:5116
-
\??\c:\xrffrfx.exec:\xrffrfx.exe83⤵PID:2628
-
\??\c:\vdddv.exec:\vdddv.exe84⤵PID:2392
-
\??\c:\jvpjv.exec:\jvpjv.exe85⤵PID:1244
-
\??\c:\fxrrrrf.exec:\fxrrrrf.exe86⤵PID:2024
-
\??\c:\frffxxx.exec:\frffxxx.exe87⤵PID:4312
-
\??\c:\9hhtnh.exec:\9hhtnh.exe88⤵PID:2644
-
\??\c:\frrfrrf.exec:\frrfrrf.exe89⤵PID:396
-
\??\c:\hnhtnh.exec:\hnhtnh.exe90⤵PID:4596
-
\??\c:\ddjvj.exec:\ddjvj.exe91⤵PID:3036
-
\??\c:\lxxrfxl.exec:\lxxrfxl.exe92⤵PID:4208
-
\??\c:\bnttth.exec:\bnttth.exe93⤵PID:4892
-
\??\c:\9bhbbb.exec:\9bhbbb.exe94⤵PID:4652
-
\??\c:\bnnbnb.exec:\bnnbnb.exe95⤵PID:2352
-
\??\c:\lxlxxlr.exec:\lxlxxlr.exe96⤵PID:4192
-
\??\c:\htnhbb.exec:\htnhbb.exe97⤵PID:4072
-
\??\c:\fllfrlf.exec:\fllfrlf.exe98⤵PID:8
-
\??\c:\hbbthb.exec:\hbbthb.exe99⤵PID:3612
-
\??\c:\pdpvd.exec:\pdpvd.exe100⤵PID:4668
-
\??\c:\vjdpd.exec:\vjdpd.exe101⤵PID:1416
-
\??\c:\9xfxlrf.exec:\9xfxlrf.exe102⤵PID:428
-
\??\c:\rlfxlfx.exec:\rlfxlfx.exe103⤵PID:1376
-
\??\c:\bththb.exec:\bththb.exe104⤵PID:4524
-
\??\c:\dvjjd.exec:\dvjjd.exe105⤵PID:4576
-
\??\c:\5llxlfx.exec:\5llxlfx.exe106⤵PID:2732
-
\??\c:\5lllxxr.exec:\5lllxxr.exe107⤵PID:3228
-
\??\c:\tnnhtn.exec:\tnnhtn.exe108⤵PID:2916
-
\??\c:\ppvpd.exec:\ppvpd.exe109⤵PID:3216
-
\??\c:\bhnhbt.exec:\bhnhbt.exe110⤵PID:3184
-
\??\c:\dvpdp.exec:\dvpdp.exe111⤵PID:2204
-
\??\c:\xxxlxrl.exec:\xxxlxrl.exe112⤵PID:4496
-
\??\c:\rxlxrxf.exec:\rxlxrxf.exe113⤵PID:60
-
\??\c:\bthnbt.exec:\bthnbt.exe114⤵PID:1880
-
\??\c:\xlllrfx.exec:\xlllrfx.exe115⤵PID:2400
-
\??\c:\ttnbnh.exec:\ttnbnh.exe116⤵PID:4824
-
\??\c:\pvvpd.exec:\pvvpd.exe117⤵PID:452
-
\??\c:\tbbtbt.exec:\tbbtbt.exe118⤵PID:1232
-
\??\c:\fxrrrrr.exec:\fxrrrrr.exe119⤵PID:3940
-
\??\c:\jvvpd.exec:\jvvpd.exe120⤵PID:1460
-
\??\c:\jdpdd.exec:\jdpdd.exe121⤵PID:3924
-
\??\c:\fllxlfr.exec:\fllxlfr.exe122⤵PID:3752