Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
09-11-2024 23:07
Static task
static1
Behavioral task
behavioral1
Sample
8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe
Resource
win7-20240903-en
General
-
Target
8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe
-
Size
455KB
-
MD5
64f0950439188e0f675ce9bcb34cd0a0
-
SHA1
6cc13ea40df7ef104e08b367b74b325aa2a6a0a3
-
SHA256
8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35d
-
SHA512
f37f841a9fb9b4b515f27f604df3d1a62d600680aa72bddd3b11efdd1254f2ab98f752e6947e3e6476beeb912e538a23257fc47431dc8db0d326cd5352c26885
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRS:q7Tc2NYHUrAwfMp3CDRS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
Processes:
resource yara_rule behavioral2/memory/1028-3-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/492-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3252-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4384-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-811-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-853-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-1065-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-1854-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
tnhbnn.exe ppvvv.exe nbnnhn.exe rxlflxx.exe thhthb.exe dvdvp.exe 1tnbtn.exe 7jvpv.exe rxlfxrf.exe 1nthtn.exe hbhthh.exe 1vvvp.exe lxxrllf.exe lfrfllr.exe pddvj.exe 9lfxrrf.exe hhhbth.exe rffxxxl.exe xlrlffx.exe hhtthb.exe fllfxfl.exe ttbbnb.exe lrfrxxr.exe bbttht.exe bnbnbn.exe xllrxxl.exe nhhbtt.exe pddpj.exe hbbnhb.exe nttnhh.exe dpvpj.exe rfxlxfr.exe bnbnnh.exe dvjjp.exe dpdvj.exe ffxxfxl.exe nbthnb.exe jvdpj.exe rllrxxf.exe nnnttn.exe dddpd.exe flxfrll.exe 7ffrlfr.exe ntbnnh.exe pvdvj.exe rffrxlf.exe frxfrxl.exe 1bbtnn.exe vppvj.exe rxxlflx.exe nbbtnn.exe vjjvj.exe rfxlxlr.exe lxrlfxr.exe thhthh.exe 3ppjd.exe xflffff.exe tthbtn.exe dvvdd.exe pvpdv.exe xxrrrrr.exe thnhbt.exe 3dddv.exe jvddd.exe
pid process
4152 tnhbnn.exe
4748 ppvvv.exe
492 nbnnhn.exe
3520 rxlflxx.exe
2080 thhthb.exe
3784 dvdvp.exe
3476 1tnbtn.exe
1928 7jvpv.exe
4064 rxlfxrf.exe
3436 1nthtn.exe
1900 hbhthh.exe
4516 1vvvp.exe
2960 lxxrllf.exe
4288 lfrfllr.exe
3236 pddvj.exe
2940 9lfxrrf.exe
4476 hhhbth.exe
1976 rffxxxl.exe
3000 xlrlffx.exe
4940 hhtthb.exe
3164 fllfxfl.exe
3740 ttbbnb.exe
4688 lrfrxxr.exe
3252 bbttht.exe
2412 bnbnbn.exe
4692 xllrxxl.exe
3952 nhhbtt.exe
4348 pddpj.exe
3532 hbbnhb.exe
2156 nttnhh.exe
4592 dpvpj.exe
672 rfxlxfr.exe
4896 bnbnnh.exe
1960 dvjjp.exe
3528 dpdvj.exe
1056 ffxxfxl.exe
4460 nbthnb.exe
3452 jvdpj.exe
3764 rllrxxf.exe
4204 nnnttn.exe
4432 dddpd.exe
492 flxfrll.exe
3076 7ffrlfr.exe
4300 ntbnnh.exe
4224 pvdvj.exe
3628 rffrxlf.exe
3476 frxfrxl.exe
4488 1bbtnn.exe
3292 vppvj.exe
864 rxxlflx.exe
3436 nbbtnn.exe
2444 vjjvj.exe
2296 rfxlxlr.exe
4700 lxrlfxr.exe
4516 thhthh.exe
4960 3ppjd.exe
3180 xflffff.exe
2064 tthbtn.exe
2876 dvvdd.exe
2000 pvpdv.exe
4504 xxrrrrr.exe
2940 thnhbt.exe
1904 3dddv.exe
1588 jvddd.exe
Processes:
resource yara_rule behavioral2/memory/1028-3-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/492-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4688-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3104-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-811-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-853-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
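Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The only evidence listed for this signature is that each process opened the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; opening that key can also happen during ordinary locale initialisation, so treat this entry as a weak indicator unless it is corroborated by other behaviour.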
Processes:
vdddj.exetthbtn.exelfxrfrl.exellllfff.exepjjpp.exenhhbtt.exelrrlxrl.exellxlflr.exenbtbth.exe9jjdp.exebntnnh.exe9tbbtb.exebhnbtt.exenhbtbh.exeppvjp.exerrfxxxx.exe3rlfrxr.exexfxrrrf.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxlflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exetnhbnn.exeppvvv.exenbnnhn.exerxlflxx.exethhthb.exedvdvp.exe1tnbtn.exe7jvpv.exerxlfxrf.exe1nthtn.exehbhthh.exe1vvvp.exelxxrllf.exelfrfllr.exepddvj.exe9lfxrrf.exehhhbth.exerffxxxl.exexlrlffx.exehhtthb.exefllfxfl.exedescription pid process target process PID 1028 wrote to memory of 4152 1028 8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe tnhbnn.exe PID 1028 wrote to memory of 4152 1028 8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe tnhbnn.exe PID 1028 wrote to memory of 4152 1028 8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe tnhbnn.exe PID 4152 wrote to memory of 4748 4152 tnhbnn.exe ppvvv.exe PID 4152 wrote to memory of 4748 4152 tnhbnn.exe ppvvv.exe PID 4152 wrote to memory of 4748 4152 tnhbnn.exe ppvvv.exe PID 4748 wrote to memory of 492 4748 ppvvv.exe nbnnhn.exe PID 4748 wrote to memory of 492 4748 ppvvv.exe nbnnhn.exe PID 4748 wrote to memory of 492 4748 ppvvv.exe nbnnhn.exe PID 492 wrote to memory of 3520 492 nbnnhn.exe rxlflxx.exe PID 492 wrote to memory of 3520 492 nbnnhn.exe rxlflxx.exe PID 492 wrote to memory of 3520 492 nbnnhn.exe rxlflxx.exe PID 3520 wrote to memory of 2080 3520 rxlflxx.exe thhthb.exe PID 3520 wrote to memory of 2080 3520 rxlflxx.exe thhthb.exe PID 3520 wrote to memory of 2080 3520 rxlflxx.exe thhthb.exe PID 2080 wrote to memory of 3784 2080 thhthb.exe dvdvp.exe PID 2080 wrote to memory of 3784 2080 thhthb.exe dvdvp.exe PID 2080 wrote to memory of 3784 2080 thhthb.exe dvdvp.exe PID 3784 wrote to memory of 3476 3784 dvdvp.exe 1tnbtn.exe PID 3784 wrote to memory of 3476 3784 dvdvp.exe 1tnbtn.exe PID 3784 wrote to memory of 3476 3784 dvdvp.exe 1tnbtn.exe PID 3476 wrote to memory of 1928 3476 1tnbtn.exe 7jvpv.exe PID 3476 wrote to memory of 1928 3476 1tnbtn.exe 7jvpv.exe PID 3476 wrote to memory of 1928 3476 1tnbtn.exe 7jvpv.exe PID 1928 wrote to memory of 4064 1928 7jvpv.exe rxlfxrf.exe PID 1928 wrote to 
memory of 4064 1928 7jvpv.exe rxlfxrf.exe PID 1928 wrote to memory of 4064 1928 7jvpv.exe rxlfxrf.exe PID 4064 wrote to memory of 3436 4064 rxlfxrf.exe 1nthtn.exe PID 4064 wrote to memory of 3436 4064 rxlfxrf.exe 1nthtn.exe PID 4064 wrote to memory of 3436 4064 rxlfxrf.exe 1nthtn.exe PID 3436 wrote to memory of 1900 3436 1nthtn.exe hbhthh.exe PID 3436 wrote to memory of 1900 3436 1nthtn.exe hbhthh.exe PID 3436 wrote to memory of 1900 3436 1nthtn.exe hbhthh.exe PID 1900 wrote to memory of 4516 1900 hbhthh.exe 1vvvp.exe PID 1900 wrote to memory of 4516 1900 hbhthh.exe 1vvvp.exe PID 1900 wrote to memory of 4516 1900 hbhthh.exe 1vvvp.exe PID 4516 wrote to memory of 2960 4516 1vvvp.exe lxxrllf.exe PID 4516 wrote to memory of 2960 4516 1vvvp.exe lxxrllf.exe PID 4516 wrote to memory of 2960 4516 1vvvp.exe lxxrllf.exe PID 2960 wrote to memory of 4288 2960 lxxrllf.exe lfrfllr.exe PID 2960 wrote to memory of 4288 2960 lxxrllf.exe lfrfllr.exe PID 2960 wrote to memory of 4288 2960 lxxrllf.exe lfrfllr.exe PID 4288 wrote to memory of 3236 4288 lfrfllr.exe pddvj.exe PID 4288 wrote to memory of 3236 4288 lfrfllr.exe pddvj.exe PID 4288 wrote to memory of 3236 4288 lfrfllr.exe pddvj.exe PID 3236 wrote to memory of 2940 3236 pddvj.exe 9lfxrrf.exe PID 3236 wrote to memory of 2940 3236 pddvj.exe 9lfxrrf.exe PID 3236 wrote to memory of 2940 3236 pddvj.exe 9lfxrrf.exe PID 2940 wrote to memory of 4476 2940 9lfxrrf.exe hhhbth.exe PID 2940 wrote to memory of 4476 2940 9lfxrrf.exe hhhbth.exe PID 2940 wrote to memory of 4476 2940 9lfxrrf.exe hhhbth.exe PID 4476 wrote to memory of 1976 4476 hhhbth.exe rffxxxl.exe PID 4476 wrote to memory of 1976 4476 hhhbth.exe rffxxxl.exe PID 4476 wrote to memory of 1976 4476 hhhbth.exe rffxxxl.exe PID 1976 wrote to memory of 3000 1976 rffxxxl.exe xlrlffx.exe PID 1976 wrote to memory of 3000 1976 rffxxxl.exe xlrlffx.exe PID 1976 wrote to memory of 3000 1976 rffxxxl.exe xlrlffx.exe PID 3000 wrote to memory of 4940 3000 xlrlffx.exe hhtthb.exe PID 3000 wrote to 
memory of 4940 3000 xlrlffx.exe hhtthb.exe PID 3000 wrote to memory of 4940 3000 xlrlffx.exe hhtthb.exe PID 4940 wrote to memory of 3164 4940 hhtthb.exe fllfxfl.exe PID 4940 wrote to memory of 3164 4940 hhtthb.exe fllfxfl.exe PID 4940 wrote to memory of 3164 4940 hhtthb.exe fllfxfl.exe PID 3164 wrote to memory of 3740 3164 fllfxfl.exe ttbbnb.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe "C:\Users\Admin\AppData\Local\Temp\8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\tnhbnn.exec:\tnhbnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\ppvvv.exec:\ppvvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\nbnnhn.exec:\nbnnhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:492 -
\??\c:\rxlflxx.exec:\rxlflxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\thhthb.exec:\thhthb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\dvdvp.exec:\dvdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\1tnbtn.exec:\1tnbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\7jvpv.exec:\7jvpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\rxlfxrf.exec:\rxlfxrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\1nthtn.exec:\1nthtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\hbhthh.exec:\hbhthh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\1vvvp.exec:\1vvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\lxxrllf.exec:\lxxrllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\lfrfllr.exec:\lfrfllr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\pddvj.exec:\pddvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\9lfxrrf.exec:\9lfxrrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\hhhbth.exec:\hhhbth.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\rffxxxl.exec:\rffxxxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\xlrlffx.exec:\xlrlffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\hhtthb.exec:\hhtthb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\fllfxfl.exec:\fllfxfl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\ttbbnb.exec:\ttbbnb.exe23⤵
- Executes dropped EXE
PID:3740 -
\??\c:\lrfrxxr.exec:\lrfrxxr.exe24⤵
- Executes dropped EXE
PID:4688 -
\??\c:\bbttht.exec:\bbttht.exe25⤵
- Executes dropped EXE
PID:3252 -
\??\c:\bnbnbn.exec:\bnbnbn.exe26⤵
- Executes dropped EXE
PID:2412 -
\??\c:\xllrxxl.exec:\xllrxxl.exe27⤵
- Executes dropped EXE
PID:4692 -
\??\c:\nhhbtt.exec:\nhhbtt.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3952 -
\??\c:\pddpj.exec:\pddpj.exe29⤵
- Executes dropped EXE
PID:4348 -
\??\c:\hbbnhb.exec:\hbbnhb.exe30⤵
- Executes dropped EXE
PID:3532 -
\??\c:\nttnhh.exec:\nttnhh.exe31⤵
- Executes dropped EXE
PID:2156 -
\??\c:\dpvpj.exec:\dpvpj.exe32⤵
- Executes dropped EXE
PID:4592 -
\??\c:\rfxlxfr.exec:\rfxlxfr.exe33⤵
- Executes dropped EXE
PID:672 -
\??\c:\bnbnnh.exec:\bnbnnh.exe34⤵
- Executes dropped EXE
PID:4896 -
\??\c:\dvjjp.exec:\dvjjp.exe35⤵
- Executes dropped EXE
PID:1960 -
\??\c:\dpdvj.exec:\dpdvj.exe36⤵
- Executes dropped EXE
PID:3528 -
\??\c:\ffxxfxl.exec:\ffxxfxl.exe37⤵
- Executes dropped EXE
PID:1056 -
\??\c:\nbthnb.exec:\nbthnb.exe38⤵
- Executes dropped EXE
PID:4460 -
\??\c:\jvdpj.exec:\jvdpj.exe39⤵
- Executes dropped EXE
PID:3452 -
\??\c:\rllrxxf.exec:\rllrxxf.exe40⤵
- Executes dropped EXE
PID:3764 -
\??\c:\nnnttn.exec:\nnnttn.exe41⤵
- Executes dropped EXE
PID:4204 -
\??\c:\dddpd.exec:\dddpd.exe42⤵
- Executes dropped EXE
PID:4432 -
\??\c:\flxfrll.exec:\flxfrll.exe43⤵
- Executes dropped EXE
PID:492 -
\??\c:\7ffrlfr.exec:\7ffrlfr.exe44⤵
- Executes dropped EXE
PID:3076 -
\??\c:\ntbnnh.exec:\ntbnnh.exe45⤵
- Executes dropped EXE
PID:4300 -
\??\c:\pvdvj.exec:\pvdvj.exe46⤵
- Executes dropped EXE
PID:4224 -
\??\c:\rffrxlf.exec:\rffrxlf.exe47⤵
- Executes dropped EXE
PID:3628 -
\??\c:\frxfrxl.exec:\frxfrxl.exe48⤵
- Executes dropped EXE
PID:3476 -
\??\c:\1bbtnn.exec:\1bbtnn.exe49⤵
- Executes dropped EXE
PID:4488 -
\??\c:\vppvj.exec:\vppvj.exe50⤵
- Executes dropped EXE
PID:3292 -
\??\c:\rxxlflx.exec:\rxxlflx.exe51⤵
- Executes dropped EXE
PID:864 -
\??\c:\nbbtnn.exec:\nbbtnn.exe52⤵
- Executes dropped EXE
PID:3436 -
\??\c:\vjjvj.exec:\vjjvj.exe53⤵
- Executes dropped EXE
PID:2444 -
\??\c:\rfxlxlr.exec:\rfxlxlr.exe54⤵
- Executes dropped EXE
PID:2296 -
\??\c:\lxrlfxr.exec:\lxrlfxr.exe55⤵
- Executes dropped EXE
PID:4700 -
\??\c:\thhthh.exec:\thhthh.exe56⤵
- Executes dropped EXE
PID:4516 -
\??\c:\3ppjd.exec:\3ppjd.exe57⤵
- Executes dropped EXE
PID:4960 -
\??\c:\xflffff.exec:\xflffff.exe58⤵
- Executes dropped EXE
PID:3180 -
\??\c:\tthbtn.exec:\tthbtn.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2064 -
\??\c:\dvvdd.exec:\dvvdd.exe60⤵
- Executes dropped EXE
PID:2876 -
\??\c:\pvpdv.exec:\pvpdv.exe61⤵
- Executes dropped EXE
PID:2000 -
\??\c:\xxrrrrr.exec:\xxrrrrr.exe62⤵
- Executes dropped EXE
PID:4504 -
\??\c:\thnhbt.exec:\thnhbt.exe63⤵
- Executes dropped EXE
PID:2940 -
\??\c:\3dddv.exec:\3dddv.exe64⤵
- Executes dropped EXE
PID:1904 -
\??\c:\jvddd.exec:\jvddd.exe65⤵
- Executes dropped EXE
PID:1588 -
\??\c:\1lrrrrr.exec:\1lrrrrr.exe66⤵PID:4720
-
\??\c:\bnbbnn.exec:\bnbbnn.exe67⤵PID:3908
-
\??\c:\tntnhb.exec:\tntnhb.exe68⤵PID:4956
-
\??\c:\dpppj.exec:\dpppj.exe69⤵PID:1872
-
\??\c:\rlllfff.exec:\rlllfff.exe70⤵PID:3820
-
\??\c:\bnnnhh.exec:\bnnnhh.exe71⤵PID:3196
-
\??\c:\ntbtnh.exec:\ntbtnh.exe72⤵PID:920
-
\??\c:\jddvp.exec:\jddvp.exe73⤵PID:4384
-
\??\c:\xrxxrrr.exec:\xrxxrrr.exe74⤵PID:3488
-
\??\c:\nhtttb.exec:\nhtttb.exe75⤵PID:2380
-
\??\c:\nnbtth.exec:\nnbtth.exe76⤵PID:884
-
\??\c:\1ppdd.exec:\1ppdd.exe77⤵PID:3192
-
\??\c:\lrrrllf.exec:\lrrrllf.exe78⤵PID:3952
-
\??\c:\tntnhb.exec:\tntnhb.exe79⤵PID:4348
-
\??\c:\5pddv.exec:\5pddv.exe80⤵PID:4196
-
\??\c:\ddvjd.exec:\ddvjd.exe81⤵PID:3144
-
\??\c:\bhbhnb.exec:\bhbhnb.exe82⤵PID:1728
-
\??\c:\djppj.exec:\djppj.exe83⤵PID:3992
-
\??\c:\jpjdv.exec:\jpjdv.exe84⤵PID:4896
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe85⤵PID:5108
-
\??\c:\hhbntn.exec:\hhbntn.exe86⤵PID:2180
-
\??\c:\ppvjp.exec:\ppvjp.exe87⤵
- System Location Discovery: System Language Discovery
PID:4304 -
\??\c:\xrrllff.exec:\xrrllff.exe88⤵PID:4460
-
\??\c:\nbnnhh.exec:\nbnnhh.exe89⤵PID:3104
-
\??\c:\tbhhbb.exec:\tbhhbb.exe90⤵PID:3764
-
\??\c:\jdvvp.exec:\jdvvp.exe91⤵PID:4624
-
\??\c:\fxfrllf.exec:\fxfrllf.exe92⤵PID:2008
-
\??\c:\htbtnb.exec:\htbtnb.exe93⤵PID:116
-
\??\c:\tttnhh.exec:\tttnhh.exe94⤵PID:216
-
\??\c:\dpvpp.exec:\dpvpp.exe95⤵PID:1112
-
\??\c:\rrfxxxx.exec:\rrfxxxx.exe96⤵
- System Location Discovery: System Language Discovery
PID:3576 -
\??\c:\thnnht.exec:\thnnht.exe97⤵PID:3596
-
\??\c:\tntttt.exec:\tntttt.exe98⤵PID:3928
-
\??\c:\pdjpj.exec:\pdjpj.exe99⤵PID:3248
-
\??\c:\7xffxff.exec:\7xffxff.exe100⤵PID:4064
-
\??\c:\hhtttt.exec:\hhtttt.exe101⤵PID:5040
-
\??\c:\vpvpp.exec:\vpvpp.exe102⤵PID:3176
-
\??\c:\jdjdj.exec:\jdjdj.exe103⤵PID:1900
-
\??\c:\fxfxrll.exec:\fxfxrll.exe104⤵PID:4500
-
\??\c:\nhhbbh.exec:\nhhbbh.exe105⤵PID:4368
-
\??\c:\pvpjj.exec:\pvpjj.exe106⤵PID:2268
-
\??\c:\xxxxxxr.exec:\xxxxxxr.exe107⤵PID:2832
-
\??\c:\hbttnn.exec:\hbttnn.exe108⤵PID:3652
-
\??\c:\jpjjp.exec:\jpjjp.exe109⤵PID:2392
-
\??\c:\frxxxxf.exec:\frxxxxf.exe110⤵PID:1656
-
\??\c:\ttbnbb.exec:\ttbnbb.exe111⤵PID:1088
-
\??\c:\ppdpd.exec:\ppdpd.exe112⤵PID:4260
-
\??\c:\1fffxxx.exec:\1fffxxx.exe113⤵PID:3792
-
\??\c:\5hhbtt.exec:\5hhbtt.exe114⤵PID:1520
-
\??\c:\3nbbtt.exec:\3nbbtt.exe115⤵PID:2340
-
\??\c:\jpjjj.exec:\jpjjj.exe116⤵PID:1560
-
\??\c:\xlfflfl.exec:\xlfflfl.exe117⤵PID:3956
-
\??\c:\nhthth.exec:\nhthth.exe118⤵PID:2896
-
\??\c:\pjjjd.exec:\pjjjd.exe119⤵PID:2516
-
\??\c:\fxrrrxf.exec:\fxrrrxf.exe120⤵PID:4016
-
\??\c:\tbnbnb.exec:\tbnbnb.exe121⤵PID:3160
-
\??\c:\vpjpv.exec:\vpjpv.exe122⤵PID:4988
-
\??\c:\rlxxfll.exec:\rlxxfll.exe123⤵PID:4948
-
\??\c:\btbtbt.exec:\btbtbt.exe124⤵PID:4192
-
\??\c:\jvvpd.exec:\jvvpd.exe125⤵PID:2488
-
\??\c:\lfxrfrf.exec:\lfxrfrf.exe126⤵PID:2772
-
\??\c:\bntttn.exec:\bntttn.exe127⤵PID:660
-
\??\c:\hbnbtt.exec:\hbnbtt.exe128⤵PID:1896
-
\??\c:\vvpvj.exec:\vvpvj.exe129⤵PID:1760
-
\??\c:\lfllllx.exec:\lfllllx.exe130⤵PID:3528
-
\??\c:\nhnhhb.exec:\nhnhhb.exe131⤵PID:3856
-
\??\c:\vdvjd.exec:\vdvjd.exe132⤵PID:4404
-
\??\c:\lrxlrrf.exec:\lrxlrrf.exe133⤵PID:2664
-
\??\c:\ntnhtn.exec:\ntnhtn.exe134⤵PID:4512
-
\??\c:\rxlxfxr.exec:\rxlxfxr.exe135⤵PID:4204
-
\??\c:\hbhthb.exec:\hbhthb.exe136⤵PID:4432
-
\??\c:\jdvjd.exec:\jdvjd.exe137⤵PID:348
-
\??\c:\3fxrfxl.exec:\3fxrfxl.exe138⤵PID:2024
-
\??\c:\ntntnb.exec:\ntntnb.exe139⤵PID:3784
-
\??\c:\nntbbn.exec:\nntbbn.exe140⤵PID:5004
-
\??\c:\rrflxlr.exec:\rrflxlr.exe141⤵PID:3220
-
\??\c:\7xrlfxr.exec:\7xrlfxr.exe142⤵PID:4488
-
\??\c:\ntbnht.exec:\ntbnht.exe143⤵PID:3292
-
\??\c:\7pvvj.exec:\7pvvj.exe144⤵PID:4908
-
\??\c:\rxrlxrf.exec:\rxrlxrf.exe145⤵PID:2284
-
\??\c:\bbthbn.exec:\bbthbn.exe146⤵PID:1768
-
\??\c:\djjdv.exec:\djjdv.exe147⤵PID:4128
-
\??\c:\pppjd.exec:\pppjd.exe148⤵PID:2504
-
\??\c:\xrlxrrf.exec:\xrlxrrf.exe149⤵PID:3560
-
\??\c:\thhbtn.exec:\thhbtn.exe150⤵PID:3684
-
\??\c:\pjddv.exec:\pjddv.exe151⤵PID:2436
-
\??\c:\ddjdd.exec:\ddjdd.exe152⤵PID:448
-
\??\c:\1flfxxr.exec:\1flfxxr.exe153⤵PID:4388
-
\??\c:\nhbttn.exec:\nhbttn.exe154⤵PID:4776
-
\??\c:\djjvj.exec:\djjvj.exe155⤵PID:4648
-
\??\c:\3vvjd.exec:\3vvjd.exe156⤵PID:4956
-
\??\c:\3fffrrr.exec:\3fffrrr.exe157⤵PID:1872
-
\??\c:\7btnbt.exec:\7btnbt.exe158⤵PID:3728
-
\??\c:\nbhhbb.exec:\nbhhbb.exe159⤵PID:4688
-
\??\c:\vdjdd.exec:\vdjdd.exe160⤵PID:3252
-
\??\c:\tnthbn.exec:\tnthbn.exe161⤵PID:2412
-
\??\c:\jjddv.exec:\jjddv.exe162⤵PID:4112
-
\??\c:\frrrlrr.exec:\frrrlrr.exe163⤵PID:5060
-
\??\c:\hnnbtt.exec:\hnnbtt.exe164⤵PID:2844
-
\??\c:\vjpdv.exec:\vjpdv.exe165⤵PID:4980
-
\??\c:\xfrxffr.exec:\xfrxffr.exe166⤵PID:2720
-
\??\c:\hnhnht.exec:\hnhnht.exe167⤵PID:1068
-
\??\c:\vpjvd.exec:\vpjvd.exe168⤵PID:2680
-
\??\c:\fxrrxfr.exec:\fxrrxfr.exe169⤵PID:2488
-
\??\c:\5bhbbb.exec:\5bhbbb.exe170⤵PID:532
-
\??\c:\jppjv.exec:\jppjv.exe171⤵PID:372
-
\??\c:\pjdvp.exec:\pjdvp.exe172⤵PID:4728
-
\??\c:\rrlxrrl.exec:\rrlxrrl.exe173⤵PID:1960
-
\??\c:\tnbnht.exec:\tnbnht.exe174⤵PID:3640
-
\??\c:\ppjdp.exec:\ppjdp.exe175⤵PID:1556
-
\??\c:\lrfxffr.exec:\lrfxffr.exe176⤵PID:2264
-
\??\c:\nhnhhh.exec:\nhnhhh.exe177⤵PID:2664
-
\??\c:\jvppj.exec:\jvppj.exe178⤵PID:2032
-
\??\c:\fxrrlll.exec:\fxrrlll.exe179⤵PID:3636
-
\??\c:\flfxxxx.exec:\flfxxxx.exe180⤵PID:1444
-
\??\c:\hhtnnh.exec:\hhtnnh.exe181⤵PID:4204
-
\??\c:\vdjvp.exec:\vdjvp.exe182⤵PID:4624
-
\??\c:\rxlxxxf.exec:\rxlxxxf.exe183⤵PID:1108
-
\??\c:\xfxrllf.exec:\xfxrllf.exe184⤵PID:1120
-
\??\c:\ntnhbh.exec:\ntnhbh.exe185⤵PID:1112
-
\??\c:\vpdvv.exec:\vpdvv.exe186⤵PID:4520
-
\??\c:\rlrlrlr.exec:\rlrlrlr.exe187⤵PID:4972
-
\??\c:\tttttt.exec:\tttttt.exe188⤵PID:4076
-
\??\c:\5pjvp.exec:\5pjvp.exe189⤵PID:3588
-
\??\c:\pdvpp.exec:\pdvpp.exe190⤵PID:2444
-
\??\c:\7flfffl.exec:\7flfffl.exe191⤵PID:3624
-
\??\c:\tbhbnn.exec:\tbhbnn.exe192⤵PID:2204
-
\??\c:\dpvdd.exec:\dpvdd.exe193⤵PID:4368
-
\??\c:\nhbtnb.exec:\nhbtnb.exe194⤵PID:2784
-
\??\c:\nbhhhn.exec:\nbhhhn.exe195⤵PID:4968
-
\??\c:\7vpdv.exec:\7vpdv.exe196⤵PID:3016
-
\??\c:\rlxllff.exec:\rlxllff.exe197⤵PID:644
-
\??\c:\bnhtbn.exec:\bnhtbn.exe198⤵PID:1656
-
\??\c:\vdjpp.exec:\vdjpp.exe199⤵PID:1088
-
\??\c:\3rlxlfr.exec:\3rlxlfr.exe200⤵PID:3748
-
\??\c:\tbbttt.exec:\tbbttt.exe201⤵PID:3012
-
\??\c:\htnbth.exec:\htnbth.exe202⤵PID:1500
-
\??\c:\djvpj.exec:\djvpj.exe203⤵PID:3724
-
\??\c:\llrxlxl.exec:\llrxlxl.exe204⤵PID:3728
-
\??\c:\htnnnn.exec:\htnnnn.exe205⤵PID:2108
-
\??\c:\jpvpj.exec:\jpvpj.exe206⤵PID:3252
-
\??\c:\xxfxrfx.exec:\xxfxrfx.exe207⤵PID:984
-
\??\c:\nhbtbh.exec:\nhbtbh.exe208⤵PID:2412 - System Location Discovery: System Language Discovery
-
\??\c:\hhhbth.exec:\hhhbth.exe209⤵PID:1820
-
\??\c:\ppjjj.exec:\ppjjj.exe210⤵PID:1640
-
\??\c:\xrlffrf.exec:\xrlffrf.exe211⤵PID:4532
-
\??\c:\tnbbbh.exec:\tnbbbh.exe212⤵PID:4988
-
\??\c:\jjvpd.exec:\jjvpd.exe213⤵PID:4980
-
\??\c:\jjjpv.exec:\jjjpv.exe214⤵PID:2720
-
\??\c:\thhtnh.exec:\thhtnh.exe215⤵PID:1068
-
\??\c:\thhhtt.exec:\thhhtt.exe216⤵PID:672
-
\??\c:\ppvpp.exec:\ppvpp.exe217⤵PID:2772
-
\??\c:\5rlfrlf.exec:\5rlfrlf.exe218⤵PID:660
-
\??\c:\bhbntn.exec:\bhbntn.exe219⤵PID:1896
-
\??\c:\hbnhnn.exec:\hbnhnn.exe220⤵PID:4456
-
\??\c:\ppjjd.exec:\ppjjd.exe221⤵PID:1960
-
\??\c:\lfffxxx.exec:\lfffxxx.exe222⤵PID:3640
-
\??\c:\llffxxr.exec:\llffxxr.exe223⤵PID:1556
-
\??\c:\btnhtn.exec:\btnhtn.exe224⤵PID:2264
-
\??\c:\pjjvj.exec:\pjjvj.exe225⤵PID:4652
-
\??\c:\xrrfxrx.exec:\xrrfxrx.exe226⤵PID:2032
-
\??\c:\bnhbhb.exec:\bnhbhb.exe227⤵PID:3140
-
\??\c:\vdvpd.exec:\vdvpd.exe228⤵PID:3520
-
\??\c:\llxlflr.exec:\llxlflr.exe229⤵PID:1812 - System Location Discovery: System Language Discovery
-
\??\c:\tthhbn.exec:\tthhbn.exe230⤵PID:2020
-
\??\c:\pvvjv.exec:\pvvjv.exe231⤵PID:4900
-
\??\c:\7xxxrlx.exec:\7xxxrlx.exe232⤵PID:1120
-
\??\c:\xxfxffx.exec:\xxfxffx.exe233⤵PID:4300
-
\??\c:\1hhhht.exec:\1hhhht.exe234⤵PID:2420
-
\??\c:\1jpjj.exec:\1jpjj.exe235⤵PID:4972
-
\??\c:\7xfxxxr.exec:\7xfxxxr.exe236⤵PID:2212
-
\??\c:\tnbtnn.exec:\tnbtnn.exe237⤵PID:3436
-
\??\c:\djjdv.exec:\djjdv.exe238⤵PID:1692
-
\??\c:\djvdd.exec:\djvdd.exe239⤵PID:3100
-
\??\c:\rlxrrrl.exec:\rlxrrrl.exe240⤵PID:1768
-
\??\c:\hhbbnh.exec:\hhbbnh.exe241⤵PID:436
-
\??\c:\7nhbbb.exec:\7nhbbb.exe242⤵PID:548