Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
27-11-2024 12:59
Behavioral task
behavioral1
Sample
b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe
Resource
win7-20240903-en
General
-
Target
b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe
-
Size
3.7MB
-
MD5
c722e843ae356cd0764da115f6f55430
-
SHA1
3bb76601ac55c18d393b3ff11b10de85e3c8ef58
-
SHA256
b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9
-
SHA512
92effee08d88dc4cf929c8e23380e6f1a9b6643794cf80bafd271af7eaad1a58a446ada6aa14a7fddb9444acaaaa2f0663231f3c01e47226345e4fe4b4ff5ebe
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98w:U6XLq/qPPslzKx/dJg1ErmNv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral1/memory/2364-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2056-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2492-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2492-25-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/936-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1152-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2856-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2856-56-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/2792-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2200-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1996-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1984-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2972-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2612-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1296-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1916-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2168-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/444-200-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/1860-213-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/1544-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1768-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1528-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1616-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/740-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1476-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/740-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2332-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2464-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2588-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/820-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2956-386-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2092-399-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1720-410-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2928-438-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1600-476-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1532-588-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1532-587-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2676-595-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1532-609-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2676-615-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2580-623-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2620-642-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/540-649-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/1944-699-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2348-733-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2688-731-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1104-734-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1104-741-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/1524-811-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2384-819-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2364-871-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2500-878-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2724-885-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2708-905-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2708-912-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/2540-943-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2420-1007-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2404-1032-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1104-1045-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/680-1053-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1536-1066-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2376-1071-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/3040-1104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/884-1117-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon -
Njrat family
-
Executes dropped EXE 64 IoCs
Processes:
vvjdv.exebthtbh.exe7rfrfrx.exefxfxlxr.exennnnnn.exejdvvd.exejdvjv.exevpvdd.exexxxxllr.exejvpvd.exedpdjj.exerrxfllr.exexrfrlxf.exebnbnbh.exelrllxlf.exejjdjv.exe5bnntt.exenhthtn.exerflrxxf.exetnhntt.exexlfflrx.exevpvdj.exebnnntt.exerfxlxfl.exenhntbb.exe9hhnnh.exefrlllrr.exejjvpj.exetnthtb.exetthhtb.exerlxfxlf.exehbhtbh.exenbhttt.exelxffrfx.exerlxfffl.exerlflflx.exepppjd.exepjpvd.exenbhhhh.exehbhtbt.exenthbnt.exe7rrxxff.exe7jvdp.exehtbtbb.exenbtbhb.exe1fffxfr.exellxrffr.exejvjpd.exebnhtbb.exelfxllrr.exeddvpd.exejdppv.exetnhntt.exexlxllrf.exejdpvj.exevpdvd.exe7hnntt.exexrrflfl.exevppvd.exebntttt.exelrlffxf.exe1rfffxf.exedvvjv.exe1tbbhn.exepid Process 2056 vvjdv.exe 2492 bthtbh.exe 936 7rfrfrx.exe 1152 fxfxlxr.exe 2856 nnnnnn.exe 2792 jdvvd.exe 2796 jdvjv.exe 2588 vpvdd.exe 2200 xxxxllr.exe 1996 jvpvd.exe 2880 dpdjj.exe 1984 rrxfllr.exe 2972 xrfrlxf.exe 1968 bnbnbh.exe 1564 lrllxlf.exe 1296 jjdjv.exe 2612 5bnntt.exe 2412 nhthtn.exe 1916 rflrxxf.exe 2168 tnhntt.exe 444 xlfflrx.exe 1928 vpvdj.exe 1860 bnnntt.exe 1544 rfxlxfl.exe 1768 nhntbb.exe 1616 9hhnnh.exe 1528 frlllrr.exe 740 jjvpj.exe 1476 tnthtb.exe 1040 tthhtb.exe 2228 rlxfxlf.exe 1004 hbhtbh.exe 796 nbhttt.exe 2496 lxffrfx.exe 2332 rlxfffl.exe 2464 rlflflx.exe 2664 pppjd.exe 2720 pjpvd.exe 2728 nbhhhh.exe 764 hbhtbt.exe 2848 nthbnt.exe 2916 7rrxxff.exe 2252 7jvdp.exe 2588 htbtbb.exe 2680 nbtbhb.exe 820 1fffxfr.exe 2956 llxrffr.exe 2812 jvjpd.exe 2092 bnhtbb.exe 1720 lfxllrr.exe 2108 ddvpd.exe 1988 jdppv.exe 1760 tnhntt.exe 2912 xlxllrf.exe 2928 jdpvj.exe 2536 vpdvd.exe 2028 7hnntt.exe 2212 xrrflfl.exe 1080 vppvd.exe 2940 bntttt.exe 1600 lrlffxf.exe 1568 1rfffxf.exe 1732 dvvjv.exe 1028 1tbbhn.exe -
Processes:
resource yara_rule behavioral1/memory/2364-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000d0000000141df-5.dat upx behavioral1/memory/2364-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2056-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000186f2-19.dat upx behavioral1/files/0x00060000000186f8-30.dat upx behavioral1/memory/936-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2492-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/936-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018731-37.dat upx behavioral1/files/0x0008000000018742-50.dat upx behavioral1/memory/2856-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1152-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1152-45-0x0000000000230000-0x0000000000257000-memory.dmp upx behavioral1/memory/2792-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000018669-61.dat upx behavioral1/memory/2856-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000018781-67.dat upx behavioral1/memory/2792-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000193a4-77.dat upx behavioral1/files/0x00050000000193ac-84.dat upx behavioral1/memory/2200-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001942c-95.dat upx behavioral1/memory/1996-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019438-104.dat upx behavioral1/memory/1984-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019456-114.dat upx behavioral1/files/0x000500000001945c-123.dat upx behavioral1/memory/2972-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019467-131.dat upx 
behavioral1/files/0x0005000000019496-140.dat upx behavioral1/files/0x00050000000194ad-148.dat upx behavioral1/files/0x00050000000194d0-157.dat upx behavioral1/memory/2612-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1296-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194ef-166.dat upx behavioral1/files/0x00050000000194fc-174.dat upx behavioral1/memory/1916-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019506-183.dat upx behavioral1/files/0x000500000001952f-189.dat upx behavioral1/memory/2168-191-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001957e-202.dat upx behavioral1/files/0x00050000000195a7-209.dat upx behavioral1/memory/1544-220-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195e6-219.dat upx behavioral1/memory/1768-229-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001961d-228.dat upx behavioral1/files/0x000500000001961f-236.dat upx behavioral1/memory/1528-246-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019621-245.dat upx behavioral1/memory/1616-243-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/740-255-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019622-254.dat upx behavioral1/memory/1476-265-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019623-264.dat upx behavioral1/files/0x0005000000019625-273.dat upx behavioral1/memory/740-262-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019627-281.dat upx behavioral1/files/0x0005000000019629-287.dat upx behavioral1/memory/2332-309-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2464-322-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2252-359-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2588-371-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/820-379-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
Processes:
dvdvj.exebtbtbn.exebntnnn.exehbtbnb.exefrlxlxx.exe3rrlffr.exefflxrff.exexxlrrxl.exentbhnn.exebhnnbb.exetnhntt.exejjvvj.exexrrxllx.exefrrxffr.exedvddd.exexlxxfxx.exe5nhthn.exehhttbn.exedpjdj.exelfflrrf.exejddjv.exethnthb.exe3bhttn.exellrxflr.exe1thnbh.exetttbbn.exevvpdp.exefxlrfff.exenhnthh.exejjvvd.exefffrfrx.exe1ttnht.exexxfrffl.exelrxfrlf.exehbhnbh.exexrlxllx.exexlxllrf.exe3xrxfrl.exelllrfff.exedjjvj.exehhttnn.exejjvvd.exedddpp.exetbtbtb.exebbnnbb.exennnntt.exe1jddj.exe5bnntt.exerxlxlxf.exetnthtt.exebtbbnt.exehtbhth.exelfffrxf.exentnhtb.exennhnbn.exevvvpj.exedvjjj.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ttnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxllx.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxllrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrxfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlxlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exevvjdv.exebthtbh.exe7rfrfrx.exefxfxlxr.exennnnnn.exejdvvd.exejdvjv.exevpvdd.exexxxxllr.exejvpvd.exedpdjj.exerrxfllr.exexrfrlxf.exebnbnbh.exelrllxlf.exedescription pid Process procid_target PID 2364 wrote to memory of 2056 2364 b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe 31 PID 2364 wrote to memory of 2056 2364 b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe 31 PID 2364 wrote to memory of 2056 2364 b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe 31 PID 2364 wrote to memory of 2056 2364 b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe 31 PID 2056 wrote to memory of 2492 2056 vvjdv.exe 32 PID 2056 wrote to memory of 2492 2056 vvjdv.exe 32 PID 2056 wrote to memory of 2492 2056 vvjdv.exe 32 PID 2056 wrote to memory of 2492 2056 vvjdv.exe 32 PID 2492 wrote to memory of 936 2492 bthtbh.exe 33 PID 2492 wrote to memory of 936 2492 bthtbh.exe 33 PID 2492 wrote to memory of 936 2492 bthtbh.exe 33 PID 2492 wrote to memory of 936 2492 bthtbh.exe 33 PID 936 wrote to memory of 1152 936 7rfrfrx.exe 34 PID 936 wrote to memory of 1152 936 7rfrfrx.exe 34 PID 936 wrote to memory of 1152 936 7rfrfrx.exe 34 PID 936 wrote to memory of 1152 936 7rfrfrx.exe 34 PID 1152 wrote to memory of 2856 1152 fxfxlxr.exe 35 PID 1152 wrote to memory of 2856 1152 fxfxlxr.exe 35 PID 1152 wrote to memory of 2856 1152 fxfxlxr.exe 35 PID 1152 wrote to memory of 2856 1152 fxfxlxr.exe 35 PID 2856 wrote to memory of 2792 2856 nnnnnn.exe 36 PID 2856 wrote to memory of 2792 2856 nnnnnn.exe 36 PID 2856 wrote to memory of 2792 2856 nnnnnn.exe 36 PID 2856 wrote to memory of 2792 2856 nnnnnn.exe 36 PID 2792 wrote to memory of 2796 2792 jdvvd.exe 37 PID 2792 wrote to memory of 2796 2792 jdvvd.exe 37 PID 2792 wrote to memory of 2796 2792 jdvvd.exe 37 PID 2792 wrote to memory of 2796 2792 jdvvd.exe 37 PID 2796 wrote to memory of 2588 2796 jdvjv.exe 74 PID 2796 
wrote to memory of 2588 2796 jdvjv.exe 74 PID 2796 wrote to memory of 2588 2796 jdvjv.exe 74 PID 2796 wrote to memory of 2588 2796 jdvjv.exe 74 PID 2588 wrote to memory of 2200 2588 vpvdd.exe 39 PID 2588 wrote to memory of 2200 2588 vpvdd.exe 39 PID 2588 wrote to memory of 2200 2588 vpvdd.exe 39 PID 2588 wrote to memory of 2200 2588 vpvdd.exe 39 PID 2200 wrote to memory of 1996 2200 xxxxllr.exe 40 PID 2200 wrote to memory of 1996 2200 xxxxllr.exe 40 PID 2200 wrote to memory of 1996 2200 xxxxllr.exe 40 PID 2200 wrote to memory of 1996 2200 xxxxllr.exe 40 PID 1996 wrote to memory of 2880 1996 jvpvd.exe 41 PID 1996 wrote to memory of 2880 1996 jvpvd.exe 41 PID 1996 wrote to memory of 2880 1996 jvpvd.exe 41 PID 1996 wrote to memory of 2880 1996 jvpvd.exe 41 PID 2880 wrote to memory of 1984 2880 dpdjj.exe 42 PID 2880 wrote to memory of 1984 2880 dpdjj.exe 42 PID 2880 wrote to memory of 1984 2880 dpdjj.exe 42 PID 2880 wrote to memory of 1984 2880 dpdjj.exe 42 PID 1984 wrote to memory of 2972 1984 rrxfllr.exe 43 PID 1984 wrote to memory of 2972 1984 rrxfllr.exe 43 PID 1984 wrote to memory of 2972 1984 rrxfllr.exe 43 PID 1984 wrote to memory of 2972 1984 rrxfllr.exe 43 PID 2972 wrote to memory of 1968 2972 xrfrlxf.exe 44 PID 2972 wrote to memory of 1968 2972 xrfrlxf.exe 44 PID 2972 wrote to memory of 1968 2972 xrfrlxf.exe 44 PID 2972 wrote to memory of 1968 2972 xrfrlxf.exe 44 PID 1968 wrote to memory of 1564 1968 bnbnbh.exe 45 PID 1968 wrote to memory of 1564 1968 bnbnbh.exe 45 PID 1968 wrote to memory of 1564 1968 bnbnbh.exe 45 PID 1968 wrote to memory of 1564 1968 bnbnbh.exe 45 PID 1564 wrote to memory of 1296 1564 lrllxlf.exe 46 PID 1564 wrote to memory of 1296 1564 lrllxlf.exe 46 PID 1564 wrote to memory of 1296 1564 lrllxlf.exe 46 PID 1564 wrote to memory of 1296 1564 lrllxlf.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe"C:\Users\Admin\AppData\Local\Temp\b1bd24133e8ea08c2bbaf6bbd519a089aec77ddb9050046ccab186737da6bff9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\vvjdv.exec:\vvjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\bthtbh.exec:\bthtbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\7rfrfrx.exec:\7rfrfrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\fxfxlxr.exec:\fxfxlxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\nnnnnn.exec:\nnnnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\jdvvd.exec:\jdvvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\jdvjv.exec:\jdvjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\vpvdd.exec:\vpvdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\xxxxllr.exec:\xxxxllr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\jvpvd.exec:\jvpvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\dpdjj.exec:\dpdjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\rrxfllr.exec:\rrxfllr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\xrfrlxf.exec:\xrfrlxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\bnbnbh.exec:\bnbnbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\lrllxlf.exec:\lrllxlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\jjdjv.exec:\jjdjv.exe17⤵
- Executes dropped EXE
PID:1296 -
\??\c:\5bnntt.exec:\5bnntt.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2612 -
\??\c:\nhthtn.exec:\nhthtn.exe19⤵
- Executes dropped EXE
PID:2412 -
\??\c:\rflrxxf.exec:\rflrxxf.exe20⤵
- Executes dropped EXE
PID:1916 -
\??\c:\tnhntt.exec:\tnhntt.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2168 -
\??\c:\xlfflrx.exec:\xlfflrx.exe22⤵
- Executes dropped EXE
PID:444 -
\??\c:\vpvdj.exec:\vpvdj.exe23⤵
- Executes dropped EXE
PID:1928 -
\??\c:\bnnntt.exec:\bnnntt.exe24⤵
- Executes dropped EXE
PID:1860 -
\??\c:\rfxlxfl.exec:\rfxlxfl.exe25⤵
- Executes dropped EXE
PID:1544 -
\??\c:\nhntbb.exec:\nhntbb.exe26⤵
- Executes dropped EXE
PID:1768 -
\??\c:\9hhnnh.exec:\9hhnnh.exe27⤵
- Executes dropped EXE
PID:1616 -
\??\c:\frlllrr.exec:\frlllrr.exe28⤵
- Executes dropped EXE
PID:1528 -
\??\c:\jjvpj.exec:\jjvpj.exe29⤵
- Executes dropped EXE
PID:740 -
\??\c:\tnthtb.exec:\tnthtb.exe30⤵
- Executes dropped EXE
PID:1476 -
\??\c:\tthhtb.exec:\tthhtb.exe31⤵
- Executes dropped EXE
PID:1040 -
\??\c:\rlxfxlf.exec:\rlxfxlf.exe32⤵
- Executes dropped EXE
PID:2228 -
\??\c:\hbhtbh.exec:\hbhtbh.exe33⤵
- Executes dropped EXE
PID:1004 -
\??\c:\nbhttt.exec:\nbhttt.exe34⤵
- Executes dropped EXE
PID:796 -
\??\c:\lxffrfx.exec:\lxffrfx.exe35⤵
- Executes dropped EXE
PID:2496 -
\??\c:\rlxfffl.exec:\rlxfffl.exe36⤵
- Executes dropped EXE
PID:2332 -
\??\c:\rlflflx.exec:\rlflflx.exe37⤵
- Executes dropped EXE
PID:2464 -
\??\c:\pppjd.exec:\pppjd.exe38⤵
- Executes dropped EXE
PID:2664 -
\??\c:\pjpvd.exec:\pjpvd.exe39⤵
- Executes dropped EXE
PID:2720 -
\??\c:\nbhhhh.exec:\nbhhhh.exe40⤵
- Executes dropped EXE
PID:2728 -
\??\c:\hbhtbt.exec:\hbhtbt.exe41⤵
- Executes dropped EXE
PID:764 -
\??\c:\nthbnt.exec:\nthbnt.exe42⤵
- Executes dropped EXE
PID:2848 -
\??\c:\7rrxxff.exec:\7rrxxff.exe43⤵
- Executes dropped EXE
PID:2916 -
\??\c:\7jvdp.exec:\7jvdp.exe44⤵
- Executes dropped EXE
PID:2252 -
\??\c:\htbtbb.exec:\htbtbb.exe45⤵
- Executes dropped EXE
PID:2588 -
\??\c:\nbtbhb.exec:\nbtbhb.exe46⤵
- Executes dropped EXE
PID:2680 -
\??\c:\1fffxfr.exec:\1fffxfr.exe47⤵
- Executes dropped EXE
PID:820 -
\??\c:\llxrffr.exec:\llxrffr.exe48⤵
- Executes dropped EXE
PID:2956 -
\??\c:\jvjpd.exec:\jvjpd.exe49⤵
- Executes dropped EXE
PID:2812 -
\??\c:\bnhtbb.exec:\bnhtbb.exe50⤵
- Executes dropped EXE
PID:2092 -
\??\c:\lfxllrr.exec:\lfxllrr.exe51⤵
- Executes dropped EXE
PID:1720 -
\??\c:\ddvpd.exec:\ddvpd.exe52⤵
- Executes dropped EXE
PID:2108 -
\??\c:\jdppv.exec:\jdppv.exe53⤵
- Executes dropped EXE
PID:1988 -
\??\c:\tnhntt.exec:\tnhntt.exe54⤵
- Executes dropped EXE
PID:1760 -
\??\c:\xlxllrf.exec:\xlxllrf.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2912 -
\??\c:\jdpvj.exec:\jdpvj.exe56⤵
- Executes dropped EXE
PID:2928 -
\??\c:\vpdvd.exec:\vpdvd.exe57⤵
- Executes dropped EXE
PID:2536 -
\??\c:\7hnntt.exec:\7hnntt.exe58⤵
- Executes dropped EXE
PID:2028 -
\??\c:\xrrflfl.exec:\xrrflfl.exe59⤵
- Executes dropped EXE
PID:2212 -
\??\c:\vppvd.exec:\vppvd.exe60⤵
- Executes dropped EXE
PID:1080 -
\??\c:\bntttt.exec:\bntttt.exe61⤵
- Executes dropped EXE
PID:2940 -
\??\c:\lrlffxf.exec:\lrlffxf.exe62⤵
- Executes dropped EXE
PID:1600 -
\??\c:\1rfffxf.exec:\1rfffxf.exe63⤵
- Executes dropped EXE
PID:1568 -
\??\c:\dvvjv.exec:\dvvjv.exe64⤵
- Executes dropped EXE
PID:1732 -
\??\c:\1tbbhn.exec:\1tbbhn.exe65⤵
- Executes dropped EXE
PID:1028 -
\??\c:\frxlrrx.exec:\frxlrrx.exe66⤵PID:2232
-
\??\c:\pjdpv.exec:\pjdpv.exe67⤵PID:988
-
\??\c:\3nbbhb.exec:\3nbbhb.exe68⤵PID:1528
-
\??\c:\xlfrrlx.exec:\xlfrrlx.exe69⤵PID:1908
-
\??\c:\3vvpv.exec:\3vvpv.exe70⤵PID:1592
-
\??\c:\nhnhnh.exec:\nhnhnh.exe71⤵PID:1780
-
\??\c:\xxxlllf.exec:\xxxlllf.exe72⤵PID:1496
-
\??\c:\lflrffl.exec:\lflrffl.exe73⤵PID:916
-
\??\c:\xrxxlff.exec:\xrxxlff.exe74⤵PID:2032
-
\??\c:\pjvdv.exec:\pjvdv.exe75⤵PID:892
-
\??\c:\nhtthh.exec:\nhtthh.exe76⤵PID:2460
-
\??\c:\rlrfxlx.exec:\rlrfxlx.exe77⤵PID:2472
-
\??\c:\rlxflxf.exec:\rlxflxf.exe78⤵PID:2492
-
\??\c:\jvpjv.exec:\jvpjv.exe79⤵PID:1532
-
\??\c:\tnbbnb.exec:\tnbbnb.exe80⤵PID:2676
-
\??\c:\lxxxlff.exec:\lxxxlff.exe81⤵PID:2832
-
\??\c:\xxxlxfl.exec:\xxxlxfl.exe82⤵PID:2844
-
\??\c:\pdpvd.exec:\pdpvd.exe83⤵PID:2728
-
\??\c:\bntbnh.exec:\bntbnh.exe84⤵PID:2580
-
\??\c:\3bnnbb.exec:\3bnnbb.exe85⤵PID:2596
-
\??\c:\lrrlxlf.exec:\lrrlxlf.exe86⤵PID:2248
-
\??\c:\ppjvd.exec:\ppjvd.exe87⤵PID:2620
-
\??\c:\1bhhtt.exec:\1bhhtt.exe88⤵PID:540
-
\??\c:\bnhnbb.exec:\bnhnbb.exe89⤵PID:1624
-
\??\c:\fxflflf.exec:\fxflflf.exe90⤵PID:468
-
\??\c:\7vvpv.exec:\7vvpv.exe91⤵PID:2804
-
\??\c:\pjvjp.exec:\pjvjp.exe92⤵PID:2808
-
\??\c:\1ttthn.exec:\1ttthn.exe93⤵PID:2828
-
\??\c:\1frrlll.exec:\1frrlll.exe94⤵PID:2092
-
\??\c:\lfflffl.exec:\lfflffl.exe95⤵PID:1940
-
\??\c:\vjppv.exec:\vjppv.exe96⤵PID:1944
-
\??\c:\9nttbb.exec:\9nttbb.exe97⤵PID:772
-
\??\c:\3xrrlrr.exec:\3xrrlrr.exe98⤵PID:2688
-
\??\c:\7pddd.exec:\7pddd.exe99⤵PID:620
-
\??\c:\3pddv.exec:\3pddv.exe100⤵PID:2144
-
\??\c:\thnbbt.exec:\thnbbt.exe101⤵PID:2348
-
\??\c:\xrrlrxx.exec:\xrrlrxx.exe102⤵PID:1104
-
\??\c:\7frllff.exec:\7frllff.exe103⤵PID:2168
-
\??\c:\7vpvd.exec:\7vpvd.exe104⤵PID:2904
-
\??\c:\jdppd.exec:\jdppd.exe105⤵PID:1604
-
\??\c:\5thbnt.exec:\5thbnt.exe106⤵PID:1636
-
\??\c:\xrrllxx.exec:\xrrllxx.exe107⤵PID:848
-
\??\c:\9xxfrxl.exec:\9xxfrxl.exe108⤵PID:1536
-
\??\c:\5ddjp.exec:\5ddjp.exe109⤵PID:2376
-
\??\c:\nnnbth.exec:\nnnbth.exe110⤵PID:1524
-
\??\c:\hbtbnh.exec:\hbtbnh.exe111⤵PID:2004
-
\??\c:\xxrlllx.exec:\xxrlllx.exe112⤵PID:3056
-
\??\c:\5pdpp.exec:\5pdpp.exe113⤵PID:2236
-
\??\c:\dpjdj.exec:\dpjdj.exe114⤵
- System Location Discovery: System Language Discovery
PID:2384 -
\??\c:\bbnthb.exec:\bbnthb.exe115⤵PID:1036
-
\??\c:\7xrxlxf.exec:\7xrxlxf.exe116⤵PID:884
-
\??\c:\xxrrxlr.exec:\xxrrxlr.exe117⤵PID:1560
-
\??\c:\pjppd.exec:\pjppd.exe118⤵PID:1580
-
\??\c:\hhbttb.exec:\hhbttb.exe119⤵PID:2364
-
\??\c:\bntnbt.exec:\bntnbt.exe120⤵PID:2500
-
\??\c:\xfxfxlr.exec:\xfxfxlr.exe121⤵PID:2208
-
\??\c:\vvpdp.exec:\vvpdp.exe122⤵
- System Location Discovery: System Language Discovery
PID:2148