Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 14:47
Static task
static1
Behavioral task
behavioral1
Sample
e410cd0189d8717eaceadd677ce79a8d8bdf68ae4ab865732858c677eac5f4ff.exe
Resource
win7-20240903-en
General
-
Target
e410cd0189d8717eaceadd677ce79a8d8bdf68ae4ab865732858c677eac5f4ff.exe
-
Size
384KB
-
MD5
0ada576629d2a2c79ab1cafcf823718c
-
SHA1
6dde40cdbd6857ffc06569bdf9b9c8b5978c6046
-
SHA256
e410cd0189d8717eaceadd677ce79a8d8bdf68ae4ab865732858c677eac5f4ff
-
SHA512
9567227eb22f308cde4f42a5f6a271ea2ae314c4d6593fd436bd17a9039e9781041d68667eada4122431bff99364089c4efe0acfc4a662bc05d8476bdd763610
-
SSDEEP
3072:8hOm2sI93UufdC67cimD5t251UrRE9TTFw41/t49:8cm7ImGddXmNt251UriZFwkS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/5016-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4648-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2796-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/520-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-790-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-985-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/912-1179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
xxrrlxx.exehhnbtn.exebhtbnh.exexfrrllf.exethbbbt.exeffxxrrl.exe1dvpj.exetbntnn.exeflxlfll.exelflxrxr.exexlxrxrf.exehnhnht.exehhntnt.exedpvpd.exe1vvpd.exenhhbbh.exepjpjp.exethnnbb.exevppdv.exelrrrflf.exettbbtt.exefllfxff.exevvvvj.exenhttnn.exelxxrffx.exehtbnnh.exerlfxllf.exevdpdd.exebttnbt.exe7ddvj.exenhhbbb.exefrrlfrl.exehhnnbb.exe3vpjd.exe1xfxrrr.exehthbhh.exedddvp.exe5xxrrlf.exenbnhbt.exetnbtbt.exepvvjd.exefxfxlll.exebtnnhb.exepjvjd.exedvvpj.exe9ffxxrl.exetbbtnn.exeppdvd.exelflflfl.exehbnbtb.exeddvjd.exe9xxlffl.exennbtnh.exebhhbbb.exepdjvd.exe9flfllr.exevvvjv.exeppdvv.exe5lfxrrx.exehbhnbh.exejjdpj.exexllxrrl.exettnhbb.exennnnhh.exepid Process 4960 xxrrlxx.exe 3596 hhnbtn.exe 2012 bhtbnh.exe 3980 xfrrllf.exe 2644 thbbbt.exe 1016 ffxxrrl.exe 2684 1dvpj.exe 544 tbntnn.exe 3804 flxlfll.exe 2160 lflxrxr.exe 2212 xlxrxrf.exe 1768 hnhnht.exe 1216 hhntnt.exe 1104 dpvpd.exe 984 1vvpd.exe 3560 nhhbbh.exe 3064 pjpjp.exe 648 thnnbb.exe 4416 vppdv.exe 1144 lrrrflf.exe 2152 ttbbtt.exe 3948 fllfxff.exe 4648 vvvvj.exe 3700 nhttnn.exe 4692 lxxrffx.exe 2112 htbnnh.exe 4536 rlfxllf.exe 4484 vdpdd.exe 1500 bttnbt.exe 1044 7ddvj.exe 1924 nhhbbb.exe 3584 frrlfrl.exe 4376 hhnnbb.exe 2304 3vpjd.exe 4360 1xfxrrr.exe 3460 hthbhh.exe 3552 dddvp.exe 1472 5xxrrlf.exe 4232 nbnhbt.exe 2720 tnbtbt.exe 4124 pvvjd.exe 5040 fxfxlll.exe 1716 btnnhb.exe 1796 pjvjd.exe 1620 dvvpj.exe 2468 9ffxxrl.exe 3428 tbbtnn.exe 2612 ppdvd.exe 1492 lflflfl.exe 3820 hbnbtb.exe 3764 ddvjd.exe 3628 9xxlffl.exe 3512 nnbtnh.exe 644 bhhbbb.exe 3684 pdjvd.exe 2040 9flfllr.exe 4608 vvvjv.exe 544 ppdvv.exe 1968 5lfxrrx.exe 1668 hbhnbh.exe 5012 jjdpj.exe 3492 xllxrrl.exe 4036 ttnhbb.exe 3056 nnnnhh.exe -
Processes:
resource yara_rule behavioral2/memory/5016-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-134-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4648-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-346-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3332-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/520-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-790-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-821-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
bntnnh.exefrrlfxx.exejvdvp.exeddvpd.exeflxrrff.exetnhbtn.exebthbtt.exeffxxxrr.exe3jpjj.exennnhtt.exexfrrllf.exevpvpj.exehhnbtn.exe9ppjd.exe3ddvj.exelfrxxrr.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxxrr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e410cd0189d8717eaceadd677ce79a8d8bdf68ae4ab865732858c677eac5f4ff.exexxrrlxx.exehhnbtn.exebhtbnh.exexfrrllf.exethbbbt.exeffxxrrl.exe1dvpj.exetbntnn.exeflxlfll.exelflxrxr.exexlxrxrf.exehnhnht.exehhntnt.exedpvpd.exe1vvpd.exenhhbbh.exepjpjp.exethnnbb.exevppdv.exelrrrflf.exettbbtt.exedescription pid Process procid_target PID 5016 wrote to memory of 4960 5016 e410cd0189d8717eaceadd677ce79a8d8bdf68ae4ab865732858c677eac5f4ff.exe 83 PID 5016 wrote to memory of 4960 5016 e410cd0189d8717eaceadd677ce79a8d8bdf68ae4ab865732858c677eac5f4ff.exe 83 PID 5016 wrote to memory of 4960 5016 e410cd0189d8717eaceadd677ce79a8d8bdf68ae4ab865732858c677eac5f4ff.exe 83 PID 4960 wrote to memory of 3596 4960 xxrrlxx.exe 84 PID 4960 wrote to memory of 3596 4960 xxrrlxx.exe 84 PID 4960 wrote to memory of 3596 4960 xxrrlxx.exe 84 PID 3596 wrote to memory of 2012 3596 hhnbtn.exe 85 PID 3596 wrote to memory of 2012 3596 hhnbtn.exe 85 PID 3596 wrote to memory of 2012 3596 hhnbtn.exe 85 PID 2012 wrote to memory of 3980 2012 bhtbnh.exe 86 PID 2012 wrote to memory of 3980 2012 bhtbnh.exe 86 PID 2012 wrote to memory of 3980 2012 bhtbnh.exe 86 PID 3980 wrote to memory of 2644 3980 xfrrllf.exe 87 PID 3980 wrote to memory of 2644 3980 xfrrllf.exe 87 PID 3980 wrote to memory of 2644 3980 xfrrllf.exe 87 PID 2644 wrote to memory of 1016 2644 thbbbt.exe 88 PID 2644 wrote to memory of 1016 2644 thbbbt.exe 88 PID 2644 wrote to memory of 1016 2644 thbbbt.exe 88 PID 1016 wrote to memory of 2684 1016 ffxxrrl.exe 89 PID 1016 wrote to memory of 2684 1016 ffxxrrl.exe 89 PID 1016 wrote to memory of 2684 1016 ffxxrrl.exe 89 PID 2684 wrote to memory of 544 2684 1dvpj.exe 90 PID 2684 wrote to memory of 544 2684 1dvpj.exe 90 PID 2684 wrote to memory of 544 2684 1dvpj.exe 90 PID 544 wrote to memory of 3804 544 tbntnn.exe 91 PID 544 wrote to memory of 3804 544 tbntnn.exe 91 PID 544 wrote to memory of 3804 544 tbntnn.exe 91 PID 3804 wrote to memory of 2160 3804 flxlfll.exe 92 PID 3804 wrote to memory of 2160 3804 flxlfll.exe 92 
PID 3804 wrote to memory of 2160 3804 flxlfll.exe 92 PID 2160 wrote to memory of 2212 2160 lflxrxr.exe 93 PID 2160 wrote to memory of 2212 2160 lflxrxr.exe 93 PID 2160 wrote to memory of 2212 2160 lflxrxr.exe 93 PID 2212 wrote to memory of 1768 2212 xlxrxrf.exe 94 PID 2212 wrote to memory of 1768 2212 xlxrxrf.exe 94 PID 2212 wrote to memory of 1768 2212 xlxrxrf.exe 94 PID 1768 wrote to memory of 1216 1768 hnhnht.exe 95 PID 1768 wrote to memory of 1216 1768 hnhnht.exe 95 PID 1768 wrote to memory of 1216 1768 hnhnht.exe 95 PID 1216 wrote to memory of 1104 1216 hhntnt.exe 96 PID 1216 wrote to memory of 1104 1216 hhntnt.exe 96 PID 1216 wrote to memory of 1104 1216 hhntnt.exe 96 PID 1104 wrote to memory of 984 1104 dpvpd.exe 97 PID 1104 wrote to memory of 984 1104 dpvpd.exe 97 PID 1104 wrote to memory of 984 1104 dpvpd.exe 97 PID 984 wrote to memory of 3560 984 1vvpd.exe 98 PID 984 wrote to memory of 3560 984 1vvpd.exe 98 PID 984 wrote to memory of 3560 984 1vvpd.exe 98 PID 3560 wrote to memory of 3064 3560 nhhbbh.exe 99 PID 3560 wrote to memory of 3064 3560 nhhbbh.exe 99 PID 3560 wrote to memory of 3064 3560 nhhbbh.exe 99 PID 3064 wrote to memory of 648 3064 pjpjp.exe 100 PID 3064 wrote to memory of 648 3064 pjpjp.exe 100 PID 3064 wrote to memory of 648 3064 pjpjp.exe 100 PID 648 wrote to memory of 4416 648 thnnbb.exe 101 PID 648 wrote to memory of 4416 648 thnnbb.exe 101 PID 648 wrote to memory of 4416 648 thnnbb.exe 101 PID 4416 wrote to memory of 1144 4416 vppdv.exe 102 PID 4416 wrote to memory of 1144 4416 vppdv.exe 102 PID 4416 wrote to memory of 1144 4416 vppdv.exe 102 PID 1144 wrote to memory of 2152 1144 lrrrflf.exe 103 PID 1144 wrote to memory of 2152 1144 lrrrflf.exe 103 PID 1144 wrote to memory of 2152 1144 lrrrflf.exe 103 PID 2152 wrote to memory of 3948 2152 ttbbtt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e410cd0189d8717eaceadd677ce79a8d8bdf68ae4ab865732858c677eac5f4ff.exe"C:\Users\Admin\AppData\Local\Temp\e410cd0189d8717eaceadd677ce79a8d8bdf68ae4ab865732858c677eac5f4ff.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\xxrrlxx.exec:\xxrrlxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\hhnbtn.exec:\hhnbtn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\bhtbnh.exec:\bhtbnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\xfrrllf.exec:\xfrrllf.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\thbbbt.exec:\thbbbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\ffxxrrl.exec:\ffxxrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\1dvpj.exec:\1dvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\tbntnn.exec:\tbntnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\flxlfll.exec:\flxlfll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
\??\c:\lflxrxr.exec:\lflxrxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\xlxrxrf.exec:\xlxrxrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\hnhnht.exec:\hnhnht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\hhntnt.exec:\hhntnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\dpvpd.exec:\dpvpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\1vvpd.exec:\1vvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\nhhbbh.exec:\nhhbbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\pjpjp.exec:\pjpjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\thnnbb.exec:\thnnbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\vppdv.exec:\vppdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\lrrrflf.exec:\lrrrflf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\ttbbtt.exec:\ttbbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\fllfxff.exec:\fllfxff.exe23⤵
- Executes dropped EXE
PID:3948 -
\??\c:\vvvvj.exec:\vvvvj.exe24⤵
- Executes dropped EXE
PID:4648 -
\??\c:\nhttnn.exec:\nhttnn.exe25⤵
- Executes dropped EXE
PID:3700 -
\??\c:\lxxrffx.exec:\lxxrffx.exe26⤵
- Executes dropped EXE
PID:4692 -
\??\c:\htbnnh.exec:\htbnnh.exe27⤵
- Executes dropped EXE
PID:2112 -
\??\c:\rlfxllf.exec:\rlfxllf.exe28⤵
- Executes dropped EXE
PID:4536 -
\??\c:\vdpdd.exec:\vdpdd.exe29⤵
- Executes dropped EXE
PID:4484 -
\??\c:\bttnbt.exec:\bttnbt.exe30⤵
- Executes dropped EXE
PID:1500 -
\??\c:\7ddvj.exec:\7ddvj.exe31⤵
- Executes dropped EXE
PID:1044 -
\??\c:\nhhbbb.exec:\nhhbbb.exe32⤵
- Executes dropped EXE
PID:1924 -
\??\c:\frrlfrl.exec:\frrlfrl.exe33⤵
- Executes dropped EXE
PID:3584 -
\??\c:\hhnnbb.exec:\hhnnbb.exe34⤵
- Executes dropped EXE
PID:4376 -
\??\c:\3vpjd.exec:\3vpjd.exe35⤵
- Executes dropped EXE
PID:2304 -
\??\c:\1xfxrrr.exec:\1xfxrrr.exe36⤵
- Executes dropped EXE
PID:4360 -
\??\c:\hthbhh.exec:\hthbhh.exe37⤵
- Executes dropped EXE
PID:3460 -
\??\c:\dddvp.exec:\dddvp.exe38⤵
- Executes dropped EXE
PID:3552 -
\??\c:\5xxrrlf.exec:\5xxrrlf.exe39⤵
- Executes dropped EXE
PID:1472 -
\??\c:\nbnhbt.exec:\nbnhbt.exe40⤵
- Executes dropped EXE
PID:4232 -
\??\c:\tnbtbt.exec:\tnbtbt.exe41⤵
- Executes dropped EXE
PID:2720 -
\??\c:\pvvjd.exec:\pvvjd.exe42⤵
- Executes dropped EXE
PID:4124 -
\??\c:\fxfxlll.exec:\fxfxlll.exe43⤵
- Executes dropped EXE
PID:5040 -
\??\c:\btnnhb.exec:\btnnhb.exe44⤵
- Executes dropped EXE
PID:1716 -
\??\c:\pjvjd.exec:\pjvjd.exe45⤵
- Executes dropped EXE
PID:1796 -
\??\c:\dvvpj.exec:\dvvpj.exe46⤵
- Executes dropped EXE
PID:1620 -
\??\c:\rrxrlrr.exec:\rrxrlrr.exe47⤵PID:1580
-
\??\c:\9ffxxrl.exec:\9ffxxrl.exe48⤵
- Executes dropped EXE
PID:2468 -
\??\c:\tbbtnn.exec:\tbbtnn.exe49⤵
- Executes dropped EXE
PID:3428 -
\??\c:\ppdvd.exec:\ppdvd.exe50⤵
- Executes dropped EXE
PID:2612 -
\??\c:\lflflfl.exec:\lflflfl.exe51⤵
- Executes dropped EXE
PID:1492 -
\??\c:\hbnbtb.exec:\hbnbtb.exe52⤵
- Executes dropped EXE
PID:3820 -
\??\c:\ddvjd.exec:\ddvjd.exe53⤵
- Executes dropped EXE
PID:3764 -
\??\c:\9xxlffl.exec:\9xxlffl.exe54⤵
- Executes dropped EXE
PID:3628 -
\??\c:\nnbtnh.exec:\nnbtnh.exe55⤵
- Executes dropped EXE
PID:3512 -
\??\c:\bhhbbb.exec:\bhhbbb.exe56⤵
- Executes dropped EXE
PID:644 -
\??\c:\pdjvd.exec:\pdjvd.exe57⤵
- Executes dropped EXE
PID:3684 -
\??\c:\9flfllr.exec:\9flfllr.exe58⤵
- Executes dropped EXE
PID:2040 -
\??\c:\vvvjv.exec:\vvvjv.exe59⤵
- Executes dropped EXE
PID:4608 -
\??\c:\ppdvv.exec:\ppdvv.exe60⤵
- Executes dropped EXE
PID:544 -
\??\c:\5lfxrrx.exec:\5lfxrrx.exe61⤵
- Executes dropped EXE
PID:1968 -
\??\c:\hbhnbh.exec:\hbhnbh.exe62⤵
- Executes dropped EXE
PID:1668 -
\??\c:\jjdpj.exec:\jjdpj.exe63⤵
- Executes dropped EXE
PID:5012 -
\??\c:\xllxrrl.exec:\xllxrrl.exe64⤵
- Executes dropped EXE
PID:3492 -
\??\c:\ttnhbb.exec:\ttnhbb.exe65⤵
- Executes dropped EXE
PID:4036 -
\??\c:\nnnnhh.exec:\nnnnhh.exe66⤵
- Executes dropped EXE
PID:3056 -
\??\c:\pvdjj.exec:\pvdjj.exe67⤵PID:4320
-
\??\c:\xxfxllf.exec:\xxfxllf.exe68⤵PID:2208
-
\??\c:\llfxxxr.exec:\llfxxxr.exe69⤵PID:3996
-
\??\c:\9hnntt.exec:\9hnntt.exe70⤵PID:1432
-
\??\c:\dvvpj.exec:\dvvpj.exe71⤵PID:2796
-
\??\c:\9pjvp.exec:\9pjvp.exe72⤵PID:648
-
\??\c:\frxxlrl.exec:\frxxlrl.exe73⤵PID:436
-
\??\c:\ttbtbb.exec:\ttbtbb.exe74⤵PID:2204
-
\??\c:\hhnhbb.exec:\hhnhbb.exe75⤵PID:1440
-
\??\c:\pdddv.exec:\pdddv.exe76⤵PID:3972
-
\??\c:\fxfxxrr.exec:\fxfxxrr.exe77⤵PID:232
-
\??\c:\9nbtbb.exec:\9nbtbb.exe78⤵PID:3776
-
\??\c:\3jpjp.exec:\3jpjp.exe79⤵PID:2856
-
\??\c:\3ppvv.exec:\3ppvv.exe80⤵PID:4596
-
\??\c:\xrffxxx.exec:\xrffxxx.exe81⤵PID:3992
-
\??\c:\hhnnnn.exec:\hhnnnn.exe82⤵PID:3532
-
\??\c:\pvvvp.exec:\pvvvp.exe83⤵PID:4396
-
\??\c:\fxllrrl.exec:\fxllrrl.exe84⤵PID:3332
-
\??\c:\9ntttt.exec:\9ntttt.exe85⤵PID:1396
-
\??\c:\rlrlxxx.exec:\rlrlxxx.exe86⤵PID:1156
-
\??\c:\ntbntt.exec:\ntbntt.exe87⤵PID:2304
-
\??\c:\3jjpj.exec:\3jjpj.exe88⤵PID:1004
-
\??\c:\xxxlxfl.exec:\xxxlxfl.exe89⤵PID:2232
-
\??\c:\rllffff.exec:\rllffff.exe90⤵PID:3452
-
\??\c:\9nbbth.exec:\9nbbth.exe91⤵PID:1472
-
\??\c:\vpvpp.exec:\vpvpp.exe92⤵PID:1000
-
\??\c:\lflfrxr.exec:\lflfrxr.exe93⤵PID:2756
-
\??\c:\fxrrfxr.exec:\fxrrfxr.exe94⤵PID:1068
-
\??\c:\5hnhbt.exec:\5hnhbt.exe95⤵PID:5040
-
\??\c:\pppvp.exec:\pppvp.exe96⤵PID:1716
-
\??\c:\pvddv.exec:\pvddv.exe97⤵PID:1876
-
\??\c:\fxxrlrl.exec:\fxxrlrl.exe98⤵PID:4584
-
\??\c:\hbnhhh.exec:\hbnhhh.exe99⤵PID:3088
-
\??\c:\9jjvj.exec:\9jjvj.exe100⤵PID:4532
-
\??\c:\fxlfffl.exec:\fxlfffl.exe101⤵PID:920
-
\??\c:\llrlxff.exec:\llrlxff.exe102⤵PID:4028
-
\??\c:\nttnbb.exec:\nttnbb.exe103⤵PID:4072
-
\??\c:\jpvjd.exec:\jpvjd.exe104⤵PID:3236
-
\??\c:\9rllxxl.exec:\9rllxxl.exe105⤵PID:3980
-
\??\c:\bnbntt.exec:\bnbntt.exe106⤵PID:4744
-
\??\c:\nnhhhb.exec:\nnhhhb.exe107⤵PID:408
-
\??\c:\ddjdj.exec:\ddjdj.exe108⤵PID:1016
-
\??\c:\7xlffff.exec:\7xlffff.exe109⤵PID:3044
-
\??\c:\llxxllr.exec:\llxxllr.exe110⤵PID:1292
-
\??\c:\1hnhnn.exec:\1hnhnn.exe111⤵PID:3804
-
\??\c:\7dppj.exec:\7dppj.exe112⤵PID:3600
-
\??\c:\jpvjd.exec:\jpvjd.exe113⤵PID:2160
-
\??\c:\rrrlfxf.exec:\rrrlfxf.exe114⤵PID:4820
-
\??\c:\hhnbth.exec:\hhnbth.exe115⤵PID:3756
-
\??\c:\dvjdj.exec:\dvjdj.exe116⤵PID:3748
-
\??\c:\jdjdv.exec:\jdjdv.exe117⤵PID:3492
-
\??\c:\7rlrxxr.exec:\7rlrxxr.exe118⤵PID:4640
-
\??\c:\nbnttt.exec:\nbnttt.exe119⤵PID:2964
-
\??\c:\9hhbhh.exec:\9hhbhh.exe120⤵PID:3092
-
\??\c:\jvjdv.exec:\jvjdv.exe121⤵PID:2268
-
\??\c:\xfllrxx.exec:\xfllrxx.exe122⤵PID:1836