Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
24-11-2024 03:46
Static task
static1
Behavioral task
behavioral1
Sample
1d2149e3d2b4370c3111a75a1b45938094877cfe31dc661f35fa92bfd7c27bc9N.exe
Resource
win7-20240903-en
General
-
Target
1d2149e3d2b4370c3111a75a1b45938094877cfe31dc661f35fa92bfd7c27bc9N.exe
-
Size
456KB
-
MD5
96fce5078f6f51a076033a0fb4331190
-
SHA1
91ead86c8a5121dfae8cf390d6884af1840a6aba
-
SHA256
1d2149e3d2b4370c3111a75a1b45938094877cfe31dc661f35fa92bfd7c27bc9
-
SHA512
5b2c91c99840832c605bb5eeac6608d661c5001e7a38042be850c91b33963232cff7cb547ab34f2cca5734b927a149048d1fede2460075b5024bfc51ded7ac58
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRwt:q7Tc2NYHUrAwfMp3CDRwt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/2308-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1348-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1788-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-941-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-1416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-1615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-1804-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1112-1942-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
xxfxlff.exe3hhbtn.exepjpjv.exexxxrrlf.exehbtttb.exeddpdd.exetnnnhb.exe3rfxlrr.exeddvpj.exe3nnnhh.exefrxrlff.exenntbbn.exedpdpp.exefrrfxxr.exennhthb.exe9pvvp.exepdpdd.exexrlfrrf.exe1vvpj.exexrffrxr.exepvvpj.exelxfrffr.exethnhbb.exedvdvj.exelfrllrf.exexxxrllf.exelxxxxrr.exedvjdd.exe1ffxrxr.exepppdv.exehbnhtn.exe7flxrlf.exexlfffxr.exe7vddd.exe3fxrfxr.exefxlfxxr.exethnntn.exevdpjd.exeffxxlfr.exe5xxxrrl.exenbnhhh.exepjjpd.exefffrrfx.exe7rxrrxx.exethbthh.exedjvjd.exelrxfxlr.exelfrfxxr.exethhtnh.exe1pvpd.exenthbbb.exehbhbnn.exevvddj.exe3frllrr.exehbhbth.exevvjdp.exellrrrrr.exexfxfrfr.exenttbhb.exerfrxxrx.exebbbttn.exevvvjp.exe1jjdv.exerxlfrrr.exepid Process 2688 xxfxlff.exe 3136 3hhbtn.exe 2968 pjpjv.exe 3708 xxxrrlf.exe 1156 hbtttb.exe 2560 ddpdd.exe 1964 tnnnhb.exe 4308 3rfxlrr.exe 4224 ddvpj.exe 4080 3nnnhh.exe 4772 frxrlff.exe 2556 nntbbn.exe 5096 dpdpp.exe 2944 frrfxxr.exe 4124 nnhthb.exe 2412 9pvvp.exe 3904 pdpdd.exe 3736 xrlfrrf.exe 4920 1vvpj.exe 1956 xrffrxr.exe 2216 pvvpj.exe 4416 lxfrffr.exe 2608 thnhbb.exe 892 dvdvj.exe 1372 lfrllrf.exe 4484 xxxrllf.exe 428 lxxxxrr.exe 1348 dvjdd.exe 4948 1ffxrxr.exe 4844 pppdv.exe 4556 hbnhtn.exe 2552 7flxrlf.exe 876 xlfffxr.exe 3076 7vddd.exe 2080 3fxrfxr.exe 4632 fxlfxxr.exe 1516 thnntn.exe 1776 vdpjd.exe 4176 ffxxlfr.exe 2156 5xxxrrl.exe 3420 nbnhhh.exe 4148 pjjpd.exe 4968 fffrrfx.exe 2036 7rxrrxx.exe 2072 thbthh.exe 4744 djvjd.exe 4480 lrxfxlr.exe 2004 lfrfxxr.exe 5028 thhtnh.exe 4340 1pvpd.exe 2260 nthbbb.exe 1972 hbhbnn.exe 5104 vvddj.exe 2268 3frllrr.exe 4796 hbhbth.exe 724 vvjdp.exe 1228 llrrrrr.exe 3908 xfxfrfr.exe 2252 nttbhb.exe 2284 rfrxxrx.exe 2696 bbbttn.exe 3424 vvvjp.exe 4308 1jjdv.exe 3352 rxlfrrr.exe -
Processes:
resource yara_rule behavioral2/memory/2308-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-143-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1372-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-339-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1788-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-706-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
dvjdd.exebhbhhh.exellfrllx.exentbtnn.exejdvvv.exepjjdv.exepdjdd.exe7pvvj.exejddvp.exerrfxxxx.exethbhnb.exe9rlxfxl.exerxffxfr.exehbhhbt.exedvjjj.exevvpjj.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlxfxl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1d2149e3d2b4370c3111a75a1b45938094877cfe31dc661f35fa92bfd7c27bc9N.exexxfxlff.exe3hhbtn.exepjpjv.exexxxrrlf.exehbtttb.exeddpdd.exetnnnhb.exe3rfxlrr.exeddvpj.exe3nnnhh.exefrxrlff.exenntbbn.exedpdpp.exefrrfxxr.exennhthb.exe9pvvp.exepdpdd.exexrlfrrf.exe1vvpj.exexrffrxr.exepvvpj.exedescription pid Process procid_target PID 2308 wrote to memory of 2688 2308 1d2149e3d2b4370c3111a75a1b45938094877cfe31dc661f35fa92bfd7c27bc9N.exe 83 PID 2308 wrote to memory of 2688 2308 1d2149e3d2b4370c3111a75a1b45938094877cfe31dc661f35fa92bfd7c27bc9N.exe 83 PID 2308 wrote to memory of 2688 2308 1d2149e3d2b4370c3111a75a1b45938094877cfe31dc661f35fa92bfd7c27bc9N.exe 83 PID 2688 wrote to memory of 3136 2688 xxfxlff.exe 84 PID 2688 wrote to memory of 3136 2688 xxfxlff.exe 84 PID 2688 wrote to memory of 3136 2688 xxfxlff.exe 84 PID 3136 wrote to memory of 2968 3136 3hhbtn.exe 85 PID 3136 wrote to memory of 2968 3136 3hhbtn.exe 85 PID 3136 wrote to memory of 2968 3136 3hhbtn.exe 85 PID 2968 wrote to memory of 3708 2968 pjpjv.exe 86 PID 2968 wrote to memory of 3708 2968 pjpjv.exe 86 PID 2968 wrote to memory of 3708 2968 pjpjv.exe 86 PID 3708 wrote to memory of 1156 3708 xxxrrlf.exe 87 PID 3708 wrote to memory of 1156 3708 xxxrrlf.exe 87 PID 3708 wrote to memory of 1156 3708 xxxrrlf.exe 87 PID 1156 wrote to memory of 2560 1156 hbtttb.exe 88 PID 1156 wrote to memory of 2560 1156 hbtttb.exe 88 PID 1156 wrote to memory of 2560 1156 hbtttb.exe 88 PID 2560 wrote to memory of 1964 2560 ddpdd.exe 89 PID 2560 wrote to memory of 1964 2560 ddpdd.exe 89 PID 2560 wrote to memory of 1964 2560 ddpdd.exe 89 PID 1964 wrote to memory of 4308 1964 tnnnhb.exe 90 PID 1964 wrote to memory of 4308 1964 tnnnhb.exe 90 PID 1964 wrote to memory of 4308 1964 tnnnhb.exe 90 PID 4308 wrote to memory of 4224 4308 3rfxlrr.exe 91 PID 4308 wrote to memory of 4224 4308 3rfxlrr.exe 91 PID 4308 wrote to memory of 4224 4308 3rfxlrr.exe 91 PID 4224 wrote to memory of 4080 4224 ddvpj.exe 92 PID 4224 wrote to memory of 4080 4224 ddvpj.exe 
92 PID 4224 wrote to memory of 4080 4224 ddvpj.exe 92 PID 4080 wrote to memory of 4772 4080 3nnnhh.exe 93 PID 4080 wrote to memory of 4772 4080 3nnnhh.exe 93 PID 4080 wrote to memory of 4772 4080 3nnnhh.exe 93 PID 4772 wrote to memory of 2556 4772 frxrlff.exe 94 PID 4772 wrote to memory of 2556 4772 frxrlff.exe 94 PID 4772 wrote to memory of 2556 4772 frxrlff.exe 94 PID 2556 wrote to memory of 5096 2556 nntbbn.exe 95 PID 2556 wrote to memory of 5096 2556 nntbbn.exe 95 PID 2556 wrote to memory of 5096 2556 nntbbn.exe 95 PID 5096 wrote to memory of 2944 5096 dpdpp.exe 96 PID 5096 wrote to memory of 2944 5096 dpdpp.exe 96 PID 5096 wrote to memory of 2944 5096 dpdpp.exe 96 PID 2944 wrote to memory of 4124 2944 frrfxxr.exe 97 PID 2944 wrote to memory of 4124 2944 frrfxxr.exe 97 PID 2944 wrote to memory of 4124 2944 frrfxxr.exe 97 PID 4124 wrote to memory of 2412 4124 nnhthb.exe 98 PID 4124 wrote to memory of 2412 4124 nnhthb.exe 98 PID 4124 wrote to memory of 2412 4124 nnhthb.exe 98 PID 2412 wrote to memory of 3904 2412 9pvvp.exe 99 PID 2412 wrote to memory of 3904 2412 9pvvp.exe 99 PID 2412 wrote to memory of 3904 2412 9pvvp.exe 99 PID 3904 wrote to memory of 3736 3904 pdpdd.exe 100 PID 3904 wrote to memory of 3736 3904 pdpdd.exe 100 PID 3904 wrote to memory of 3736 3904 pdpdd.exe 100 PID 3736 wrote to memory of 4920 3736 xrlfrrf.exe 101 PID 3736 wrote to memory of 4920 3736 xrlfrrf.exe 101 PID 3736 wrote to memory of 4920 3736 xrlfrrf.exe 101 PID 4920 wrote to memory of 1956 4920 1vvpj.exe 102 PID 4920 wrote to memory of 1956 4920 1vvpj.exe 102 PID 4920 wrote to memory of 1956 4920 1vvpj.exe 102 PID 1956 wrote to memory of 2216 1956 xrffrxr.exe 103 PID 1956 wrote to memory of 2216 1956 xrffrxr.exe 103 PID 1956 wrote to memory of 2216 1956 xrffrxr.exe 103 PID 2216 wrote to memory of 4416 2216 pvvpj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d2149e3d2b4370c3111a75a1b45938094877cfe31dc661f35fa92bfd7c27bc9N.exe"C:\Users\Admin\AppData\Local\Temp\1d2149e3d2b4370c3111a75a1b45938094877cfe31dc661f35fa92bfd7c27bc9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\xxfxlff.exec:\xxfxlff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\3hhbtn.exec:\3hhbtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\pjpjv.exec:\pjpjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\xxxrrlf.exec:\xxxrrlf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\hbtttb.exec:\hbtttb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\ddpdd.exec:\ddpdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\tnnnhb.exec:\tnnnhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\3rfxlrr.exec:\3rfxlrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\ddvpj.exec:\ddvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\3nnnhh.exec:\3nnnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\frxrlff.exec:\frxrlff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\nntbbn.exec:\nntbbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\dpdpp.exec:\dpdpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\frrfxxr.exec:\frrfxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\nnhthb.exec:\nnhthb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\9pvvp.exec:\9pvvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\pdpdd.exec:\pdpdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\xrlfrrf.exec:\xrlfrrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
\??\c:\1vvpj.exec:\1vvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\xrffrxr.exec:\xrffrxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\pvvpj.exec:\pvvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\lxfrffr.exec:\lxfrffr.exe23⤵
- Executes dropped EXE
PID:4416 -
\??\c:\thnhbb.exec:\thnhbb.exe24⤵
- Executes dropped EXE
PID:2608 -
\??\c:\dvdvj.exec:\dvdvj.exe25⤵
- Executes dropped EXE
PID:892 -
\??\c:\lfrllrf.exec:\lfrllrf.exe26⤵
- Executes dropped EXE
PID:1372 -
\??\c:\xxxrllf.exec:\xxxrllf.exe27⤵
- Executes dropped EXE
PID:4484 -
\??\c:\lxxxxrr.exec:\lxxxxrr.exe28⤵
- Executes dropped EXE
PID:428 -
\??\c:\dvjdd.exec:\dvjdd.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1348 -
\??\c:\1ffxrxr.exec:\1ffxrxr.exe30⤵
- Executes dropped EXE
PID:4948 -
\??\c:\pppdv.exec:\pppdv.exe31⤵
- Executes dropped EXE
PID:4844 -
\??\c:\hbnhtn.exec:\hbnhtn.exe32⤵
- Executes dropped EXE
PID:4556 -
\??\c:\7flxrlf.exec:\7flxrlf.exe33⤵
- Executes dropped EXE
PID:2552 -
\??\c:\xlfffxr.exec:\xlfffxr.exe34⤵
- Executes dropped EXE
PID:876 -
\??\c:\7vddd.exec:\7vddd.exe35⤵
- Executes dropped EXE
PID:3076 -
\??\c:\3fxrfxr.exec:\3fxrfxr.exe36⤵
- Executes dropped EXE
PID:2080 -
\??\c:\fxlfxxr.exec:\fxlfxxr.exe37⤵
- Executes dropped EXE
PID:4632 -
\??\c:\thnntn.exec:\thnntn.exe38⤵
- Executes dropped EXE
PID:1516 -
\??\c:\vdpjd.exec:\vdpjd.exe39⤵
- Executes dropped EXE
PID:1776 -
\??\c:\ffxxlfr.exec:\ffxxlfr.exe40⤵
- Executes dropped EXE
PID:4176 -
\??\c:\5xxxrrl.exec:\5xxxrrl.exe41⤵
- Executes dropped EXE
PID:2156 -
\??\c:\nbnhhh.exec:\nbnhhh.exe42⤵
- Executes dropped EXE
PID:3420 -
\??\c:\pjjpd.exec:\pjjpd.exe43⤵
- Executes dropped EXE
PID:4148 -
\??\c:\fffrrfx.exec:\fffrrfx.exe44⤵
- Executes dropped EXE
PID:4968 -
\??\c:\7rxrrxx.exec:\7rxrrxx.exe45⤵
- Executes dropped EXE
PID:2036 -
\??\c:\thbthh.exec:\thbthh.exe46⤵
- Executes dropped EXE
PID:2072 -
\??\c:\djvjd.exec:\djvjd.exe47⤵
- Executes dropped EXE
PID:4744 -
\??\c:\lrxfxlr.exec:\lrxfxlr.exe48⤵
- Executes dropped EXE
PID:4480 -
\??\c:\lfrfxxr.exec:\lfrfxxr.exe49⤵
- Executes dropped EXE
PID:2004 -
\??\c:\thhtnh.exec:\thhtnh.exe50⤵
- Executes dropped EXE
PID:5028 -
\??\c:\1pvpd.exec:\1pvpd.exe51⤵
- Executes dropped EXE
PID:4340 -
\??\c:\nthbbb.exec:\nthbbb.exe52⤵
- Executes dropped EXE
PID:2260 -
\??\c:\hbhbnn.exec:\hbhbnn.exe53⤵
- Executes dropped EXE
PID:1972 -
\??\c:\vvddj.exec:\vvddj.exe54⤵
- Executes dropped EXE
PID:5104 -
\??\c:\3frllrr.exec:\3frllrr.exe55⤵
- Executes dropped EXE
PID:2268 -
\??\c:\hbhbth.exec:\hbhbth.exe56⤵
- Executes dropped EXE
PID:4796 -
\??\c:\vvjdp.exec:\vvjdp.exe57⤵
- Executes dropped EXE
PID:724 -
\??\c:\llrrrrr.exec:\llrrrrr.exe58⤵
- Executes dropped EXE
PID:1228 -
\??\c:\xfxfrfr.exec:\xfxfrfr.exe59⤵
- Executes dropped EXE
PID:3908 -
\??\c:\nttbhb.exec:\nttbhb.exe60⤵
- Executes dropped EXE
PID:2252 -
\??\c:\rfrxxrx.exec:\rfrxxrx.exe61⤵
- Executes dropped EXE
PID:2284 -
\??\c:\bbbttn.exec:\bbbttn.exe62⤵
- Executes dropped EXE
PID:2696 -
\??\c:\vvvjp.exec:\vvvjp.exe63⤵
- Executes dropped EXE
PID:3424 -
\??\c:\1jjdv.exec:\1jjdv.exe64⤵
- Executes dropped EXE
PID:4308 -
\??\c:\rxlfrrr.exec:\rxlfrrr.exe65⤵
- Executes dropped EXE
PID:3352 -
\??\c:\htbhtn.exec:\htbhtn.exe66⤵PID:388
-
\??\c:\jvdpd.exec:\jvdpd.exe67⤵PID:4624
-
\??\c:\3rxxlll.exec:\3rxxlll.exe68⤵PID:5060
-
\??\c:\tbbhbt.exec:\tbbhbt.exe69⤵PID:5096
-
\??\c:\jdppv.exec:\jdppv.exe70⤵PID:3108
-
\??\c:\1pjdp.exec:\1pjdp.exe71⤵PID:2944
-
\??\c:\rllfxxr.exec:\rllfxxr.exe72⤵PID:4696
-
\??\c:\bbnntt.exec:\bbnntt.exe73⤵PID:2412
-
\??\c:\ddjjj.exec:\ddjjj.exe74⤵PID:1324
-
\??\c:\jddvv.exec:\jddvv.exe75⤵PID:3376
-
\??\c:\xlffxxx.exec:\xlffxxx.exe76⤵PID:4056
-
\??\c:\tntnhh.exec:\tntnhh.exe77⤵PID:1788
-
\??\c:\dvpvv.exec:\dvpvv.exe78⤵PID:3128
-
\??\c:\lfffxfx.exec:\lfffxfx.exe79⤵PID:3600
-
\??\c:\nbtnnt.exec:\nbtnnt.exe80⤵PID:4000
-
\??\c:\vdvjd.exec:\vdvjd.exe81⤵PID:3468
-
\??\c:\ppvpj.exec:\ppvpj.exe82⤵PID:3588
-
\??\c:\rlxflxl.exec:\rlxflxl.exe83⤵PID:3940
-
\??\c:\nbhnbh.exec:\nbhnbh.exe84⤵PID:1488
-
\??\c:\pdvpj.exec:\pdvpj.exe85⤵PID:1528
-
\??\c:\llrfrlf.exec:\llrfrlf.exe86⤵PID:2908
-
\??\c:\nnhbtb.exec:\nnhbtb.exe87⤵PID:3984
-
\??\c:\vdpjd.exec:\vdpjd.exe88⤵PID:1712
-
\??\c:\dvjjd.exec:\dvjjd.exe89⤵PID:1304
-
\??\c:\bbhbbb.exec:\bbhbbb.exe90⤵PID:3052
-
\??\c:\bhtnhb.exec:\bhtnhb.exe91⤵PID:4880
-
\??\c:\5dvjp.exec:\5dvjp.exe92⤵PID:1308
-
\??\c:\9xxrrrr.exec:\9xxrrrr.exe93⤵PID:4896
-
\??\c:\lrlxrll.exec:\lrlxrll.exe94⤵PID:4240
-
\??\c:\tttbtt.exec:\tttbtt.exe95⤵PID:992
-
\??\c:\vvpvv.exec:\vvpvv.exe96⤵PID:1492
-
\??\c:\vpppv.exec:\vpppv.exe97⤵PID:1812
-
\??\c:\7xfxrll.exec:\7xfxrll.exe98⤵PID:1676
-
\??\c:\ntbtnt.exec:\ntbtnt.exe99⤵PID:2248
-
\??\c:\9thbnn.exec:\9thbnn.exe100⤵PID:1480
-
\??\c:\ddvdv.exec:\ddvdv.exe101⤵PID:2112
-
\??\c:\lxfxxll.exec:\lxfxxll.exe102⤵PID:4560
-
\??\c:\rffffff.exec:\rffffff.exe103⤵PID:4408
-
\??\c:\tttntt.exec:\tttntt.exe104⤵PID:1320
-
\??\c:\1vppj.exec:\1vppj.exe105⤵PID:2036
-
\??\c:\lxfrxfl.exec:\lxfrxfl.exe106⤵PID:3636
-
\??\c:\hbhhbt.exec:\hbhhbt.exe107⤵
- System Location Discovery: System Language Discovery
PID:452 -
\??\c:\5ntnhn.exec:\5ntnhn.exe108⤵PID:3472
-
\??\c:\dppdv.exec:\dppdv.exe109⤵PID:956
-
\??\c:\frxrfrx.exec:\frxrfrx.exe110⤵PID:3936
-
\??\c:\9httnb.exec:\9httnb.exe111⤵PID:1156
-
\??\c:\vpdvp.exec:\vpdvp.exe112⤵PID:4720
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe113⤵PID:1780
-
\??\c:\htnnnn.exec:\htnnnn.exe114⤵PID:320
-
\??\c:\3pjjd.exec:\3pjjd.exe115⤵PID:4776
-
\??\c:\1pvpd.exec:\1pvpd.exe116⤵PID:5032
-
\??\c:\9ffxllf.exec:\9ffxllf.exe117⤵PID:3948
-
\??\c:\3bbbtb.exec:\3bbbtb.exe118⤵PID:3424
-
\??\c:\tnhbbb.exec:\tnhbbb.exe119⤵PID:4224
-
\??\c:\pjjjp.exec:\pjjjp.exe120⤵PID:4788
-
\??\c:\rrrrrrr.exec:\rrrrrrr.exe121⤵PID:1472
-
\??\c:\thbhnb.exec:\thbhnb.exe122⤵
- System Location Discovery: System Language Discovery
PID:4904