Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
09-11-2024 23:10
Static task
static1
Behavioral task
behavioral1
Sample
8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe
Resource
win7-20240903-en
General
-
Target
8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe
-
Size
455KB
-
MD5
64f0950439188e0f675ce9bcb34cd0a0
-
SHA1
6cc13ea40df7ef104e08b367b74b325aa2a6a0a3
-
SHA256
8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35d
-
SHA512
f37f841a9fb9b4b515f27f604df3d1a62d600680aa72bddd3b11efdd1254f2ab98f752e6947e3e6476beeb912e538a23257fc47431dc8db0d326cd5352c26885
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRS:q7Tc2NYHUrAwfMp3CDRS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
Processes:
resource yara_rule behavioral2/memory/3152-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4016-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4008-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-846-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-889-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-932-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
djdjd.exe nhtbbn.exe nnhhbt.exe ttnhtt.exe xlrrrlx.exe btttnn.exe vpvpj.exe rlflllf.exe tbttbn.exe hnntth.exe ffxrrll.exe bnthtn.exe jjdpv.exe ddjpp.exe rfrxlxr.exe tnbhtt.exe xlxlxrl.exe vpjvp.exe fxrxxxx.exe bbtbhh.exe pdpjd.exe rxrlxxl.exe httbnb.exe pvpdd.exe bnthtn.exe jpppv.exe xfxflfr.exe tnhbtt.exe pvjdj.exe lxxfxll.exe btthbt.exe bnnhnn.exe jjppp.exe 5rxxxxf.exe 9bnhhn.exe pdppj.exe llfxxxf.exe xlllfll.exe tnnttt.exe vdvvv.exe frllllf.exe bhnhhh.exe pvvvv.exe llrllrr.exe bnbbtb.exe jdjjv.exe lrffrrf.exe nnnhhh.exe nnnhbb.exe fffrlrl.exe rrfflrr.exe hbhbtb.exe jjddd.exe llxxflr.exe rxrlrfr.exe pjpjj.exe vjdvp.exe xffxrrl.exe 3bhhnt.exe ppdjj.exe 7llffxx.exe xfrrllf.exe 1tnnhh.exe pppjd.exe
pid process
3152 djdjd.exe 2440 nhtbbn.exe 4856 nnhhbt.exe 3396 ttnhtt.exe 4400 xlrrrlx.exe 4476 btttnn.exe 3600 vpvpj.exe 3516 rlflllf.exe 4544 tbttbn.exe 2872 hnntth.exe 2884 ffxrrll.exe 948 bnthtn.exe 5104 jjdpv.exe 2204 ddjpp.exe 3876 rfrxlxr.exe 4812 tnbhtt.exe 3904 xlxlxrl.exe 1408 vpjvp.exe 912 fxrxxxx.exe 2172 bbtbhh.exe 1748 pdpjd.exe 4512 rxrlxxl.exe 4276 httbnb.exe 4520 pvpdd.exe 696 bnthtn.exe 212 jpppv.exe 1000 xfxflfr.exe 1696 tnhbtt.exe 4016 pvjdj.exe 3256 lxxfxll.exe 664 btthbt.exe 3208 bnnhnn.exe 3248 jjppp.exe 1616 5rxxxxf.exe 2020 9bnhhn.exe 2752 pdppj.exe 1528 llfxxxf.exe 1284 xlllfll.exe 4180 tnnttt.exe 3116 vdvvv.exe 4448 frllllf.exe 1840 bhnhhh.exe 3136 pvvvv.exe 2264 llrllrr.exe 676 bnbbtb.exe 780 jdjjv.exe 4856 lrffrrf.exe 808 nnnhhh.exe 976 nnnhbb.exe 3936 fffrlrl.exe 4132 rrfflrr.exe 5084 hbhbtb.exe 3908 jjddd.exe 4888 llxxflr.exe 5048 rxrlrfr.exe 2704 pjpjj.exe 1544 vjdvp.exe 4192 xffxrrl.exe 4712 3bhhnt.exe 2644 ppdjj.exe 3260 7llffxx.exe 4784 xfrrllf.exe 3228 1tnnhh.exe 4896 pppjd.exe -
Processes:
resource yara_rule behavioral2/memory/3152-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3208-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-409-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4476-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-714-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
btthtn.exejpjdv.exelflxrrf.exelrrlxxl.exejdjdp.exerlxlfrf.exejvpdv.exe9ffxllf.exe3rxrffx.exedvvpd.exepdpvj.exexffrfrf.exenhnnhh.exepvjjp.exentbnhh.exethnhbt.exetthbbh.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxlfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnhh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe djdjd.exe nhtbbn.exe nnhhbt.exe ttnhtt.exe xlrrrlx.exe btttnn.exe vpvpj.exe rlflllf.exe tbttbn.exe hnntth.exe ffxrrll.exe bnthtn.exe jjdpv.exe ddjpp.exe rfrxlxr.exe tnbhtt.exe xlxlxrl.exe vpjvp.exe fxrxxxx.exe bbtbhh.exe pdpjd.exe
description pid process target process
PID 3456 wrote to memory of 3152 3456 8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe djdjd.exe PID 3456 wrote to memory of 3152 3456 8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe djdjd.exe PID 3456 wrote to memory of 3152 3456 8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe djdjd.exe PID 3152 wrote to memory of 2440 3152 djdjd.exe nhtbbn.exe PID 3152 wrote to memory of 2440 3152 djdjd.exe nhtbbn.exe PID 3152 wrote to memory of 2440 3152 djdjd.exe nhtbbn.exe PID 2440 wrote to memory of 4856 2440 nhtbbn.exe nnhhbt.exe PID 2440 wrote to memory of 4856 2440 nhtbbn.exe nnhhbt.exe PID 2440 wrote to memory of 4856 2440 nhtbbn.exe nnhhbt.exe PID 4856 wrote to memory of 3396 4856 nnhhbt.exe ttnhtt.exe PID 4856 wrote to memory of 3396 4856 nnhhbt.exe ttnhtt.exe PID 4856 wrote to memory of 3396 4856 nnhhbt.exe ttnhtt.exe PID 3396 wrote to memory of 4400 3396 ttnhtt.exe xlrrrlx.exe PID 3396 wrote to memory of 4400 3396 ttnhtt.exe xlrrrlx.exe PID 3396 wrote to memory of 4400 3396 ttnhtt.exe xlrrrlx.exe PID 4400 wrote to memory of 4476 4400 xlrrrlx.exe btttnn.exe PID 4400 wrote to memory of 4476 4400 xlrrrlx.exe btttnn.exe PID 4400 wrote to memory of 4476 4400 xlrrrlx.exe btttnn.exe PID 4476 wrote to memory of 3600 4476 btttnn.exe vpvpj.exe PID 4476 wrote to memory of 3600 4476 btttnn.exe vpvpj.exe PID 4476 wrote to memory of 3600 4476 btttnn.exe vpvpj.exe PID 3600 wrote to memory of 3516 3600 vpvpj.exe rlflllf.exe PID 3600 wrote to memory of 3516 3600 vpvpj.exe rlflllf.exe PID 3600 wrote to memory of 3516 3600 vpvpj.exe rlflllf.exe PID 3516 wrote to memory of 4544 3516 rlflllf.exe tbttbn.exe PID 
3516 wrote to memory of 4544 3516 rlflllf.exe tbttbn.exe PID 3516 wrote to memory of 4544 3516 rlflllf.exe tbttbn.exe PID 4544 wrote to memory of 2872 4544 tbttbn.exe hnntth.exe PID 4544 wrote to memory of 2872 4544 tbttbn.exe hnntth.exe PID 4544 wrote to memory of 2872 4544 tbttbn.exe hnntth.exe PID 2872 wrote to memory of 2884 2872 hnntth.exe ffxrrll.exe PID 2872 wrote to memory of 2884 2872 hnntth.exe ffxrrll.exe PID 2872 wrote to memory of 2884 2872 hnntth.exe ffxrrll.exe PID 2884 wrote to memory of 948 2884 ffxrrll.exe bnthtn.exe PID 2884 wrote to memory of 948 2884 ffxrrll.exe bnthtn.exe PID 2884 wrote to memory of 948 2884 ffxrrll.exe bnthtn.exe PID 948 wrote to memory of 5104 948 bnthtn.exe jjdpv.exe PID 948 wrote to memory of 5104 948 bnthtn.exe jjdpv.exe PID 948 wrote to memory of 5104 948 bnthtn.exe jjdpv.exe PID 5104 wrote to memory of 2204 5104 jjdpv.exe ddjpp.exe PID 5104 wrote to memory of 2204 5104 jjdpv.exe ddjpp.exe PID 5104 wrote to memory of 2204 5104 jjdpv.exe ddjpp.exe PID 2204 wrote to memory of 3876 2204 ddjpp.exe rfrxlxr.exe PID 2204 wrote to memory of 3876 2204 ddjpp.exe rfrxlxr.exe PID 2204 wrote to memory of 3876 2204 ddjpp.exe rfrxlxr.exe PID 3876 wrote to memory of 4812 3876 rfrxlxr.exe tnbhtt.exe PID 3876 wrote to memory of 4812 3876 rfrxlxr.exe tnbhtt.exe PID 3876 wrote to memory of 4812 3876 rfrxlxr.exe tnbhtt.exe PID 4812 wrote to memory of 3904 4812 tnbhtt.exe xlxlxrl.exe PID 4812 wrote to memory of 3904 4812 tnbhtt.exe xlxlxrl.exe PID 4812 wrote to memory of 3904 4812 tnbhtt.exe xlxlxrl.exe PID 3904 wrote to memory of 1408 3904 xlxlxrl.exe vpjvp.exe PID 3904 wrote to memory of 1408 3904 xlxlxrl.exe vpjvp.exe PID 3904 wrote to memory of 1408 3904 xlxlxrl.exe vpjvp.exe PID 1408 wrote to memory of 912 1408 vpjvp.exe fxrxxxx.exe PID 1408 wrote to memory of 912 1408 vpjvp.exe fxrxxxx.exe PID 1408 wrote to memory of 912 1408 vpjvp.exe fxrxxxx.exe PID 912 wrote to memory of 2172 912 fxrxxxx.exe bbtbhh.exe PID 912 wrote to memory of 2172 
912 fxrxxxx.exe bbtbhh.exe PID 912 wrote to memory of 2172 912 fxrxxxx.exe bbtbhh.exe PID 2172 wrote to memory of 1748 2172 bbtbhh.exe pdpjd.exe PID 2172 wrote to memory of 1748 2172 bbtbhh.exe pdpjd.exe PID 2172 wrote to memory of 1748 2172 bbtbhh.exe pdpjd.exe PID 1748 wrote to memory of 4512 1748 pdpjd.exe rxrlxxl.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe"C:\Users\Admin\AppData\Local\Temp\8a9a68d4164c903f41486c2b3dc595bd8eec162dae30fc3372917dfe9086c35dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\djdjd.exec:\djdjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\nhtbbn.exec:\nhtbbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\nnhhbt.exec:\nnhhbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\ttnhtt.exec:\ttnhtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\xlrrrlx.exec:\xlrrrlx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\btttnn.exec:\btttnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\vpvpj.exec:\vpvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\rlflllf.exec:\rlflllf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\tbttbn.exec:\tbttbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\hnntth.exec:\hnntth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\ffxrrll.exec:\ffxrrll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\bnthtn.exec:\bnthtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\jjdpv.exec:\jjdpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\ddjpp.exec:\ddjpp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\rfrxlxr.exec:\rfrxlxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\tnbhtt.exec:\tnbhtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\xlxlxrl.exec:\xlxlxrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\vpjvp.exec:\vpjvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\fxrxxxx.exec:\fxrxxxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
\??\c:\bbtbhh.exec:\bbtbhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\pdpjd.exec:\pdpjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\rxrlxxl.exec:\rxrlxxl.exe23⤵
- Executes dropped EXE
PID:4512 -
\??\c:\httbnb.exec:\httbnb.exe24⤵
- Executes dropped EXE
PID:4276 -
\??\c:\pvpdd.exec:\pvpdd.exe25⤵
- Executes dropped EXE
PID:4520 -
\??\c:\bnthtn.exec:\bnthtn.exe26⤵
- Executes dropped EXE
PID:696 -
\??\c:\jpppv.exec:\jpppv.exe27⤵
- Executes dropped EXE
PID:212 -
\??\c:\xfxflfr.exec:\xfxflfr.exe28⤵
- Executes dropped EXE
PID:1000 -
\??\c:\tnhbtt.exec:\tnhbtt.exe29⤵
- Executes dropped EXE
PID:1696 -
\??\c:\pvjdj.exec:\pvjdj.exe30⤵
- Executes dropped EXE
PID:4016 -
\??\c:\lxxfxll.exec:\lxxfxll.exe31⤵
- Executes dropped EXE
PID:3256 -
\??\c:\btthbt.exec:\btthbt.exe32⤵
- Executes dropped EXE
PID:664 -
\??\c:\bnnhnn.exec:\bnnhnn.exe33⤵
- Executes dropped EXE
PID:3208 -
\??\c:\jjppp.exec:\jjppp.exe34⤵
- Executes dropped EXE
PID:3248 -
\??\c:\5rxxxxf.exec:\5rxxxxf.exe35⤵
- Executes dropped EXE
PID:1616 -
\??\c:\9bnhhn.exec:\9bnhhn.exe36⤵
- Executes dropped EXE
PID:2020 -
\??\c:\pdppj.exec:\pdppj.exe37⤵
- Executes dropped EXE
PID:2752 -
\??\c:\llfxxxf.exec:\llfxxxf.exe38⤵
- Executes dropped EXE
PID:1528 -
\??\c:\xlllfll.exec:\xlllfll.exe39⤵
- Executes dropped EXE
PID:1284 -
\??\c:\tnnttt.exec:\tnnttt.exe40⤵
- Executes dropped EXE
PID:4180 -
\??\c:\vdvvv.exec:\vdvvv.exe41⤵
- Executes dropped EXE
PID:3116 -
\??\c:\frllllf.exec:\frllllf.exe42⤵
- Executes dropped EXE
PID:4448 -
\??\c:\bhnhhh.exec:\bhnhhh.exe43⤵
- Executes dropped EXE
PID:1840 -
\??\c:\pvvvv.exec:\pvvvv.exe44⤵
- Executes dropped EXE
PID:3136 -
\??\c:\llrllrr.exec:\llrllrr.exe45⤵
- Executes dropped EXE
PID:2264 -
\??\c:\bnbbtb.exec:\bnbbtb.exe46⤵
- Executes dropped EXE
PID:676 -
\??\c:\jdjjv.exec:\jdjjv.exe47⤵
- Executes dropped EXE
PID:780 -
\??\c:\lrffrrf.exec:\lrffrrf.exe48⤵
- Executes dropped EXE
PID:4856 -
\??\c:\nnnhhh.exec:\nnnhhh.exe49⤵
- Executes dropped EXE
PID:808 -
\??\c:\nnnhbb.exec:\nnnhbb.exe50⤵
- Executes dropped EXE
PID:976 -
\??\c:\fffrlrl.exec:\fffrlrl.exe51⤵
- Executes dropped EXE
PID:3936 -
\??\c:\rrfflrr.exec:\rrfflrr.exe52⤵
- Executes dropped EXE
PID:4132 -
\??\c:\hbhbtb.exec:\hbhbtb.exe53⤵
- Executes dropped EXE
PID:5084 -
\??\c:\jjddd.exec:\jjddd.exe54⤵
- Executes dropped EXE
PID:3908 -
\??\c:\llxxflr.exec:\llxxflr.exe55⤵
- Executes dropped EXE
PID:4888 -
\??\c:\rxrlrfr.exec:\rxrlrfr.exe56⤵
- Executes dropped EXE
PID:5048 -
\??\c:\pjpjj.exec:\pjpjj.exe57⤵
- Executes dropped EXE
PID:2704 -
\??\c:\vjdvp.exec:\vjdvp.exe58⤵
- Executes dropped EXE
PID:1544 -
\??\c:\xffxrrl.exec:\xffxrrl.exe59⤵
- Executes dropped EXE
PID:4192 -
\??\c:\3bhhnt.exec:\3bhhnt.exe60⤵
- Executes dropped EXE
PID:4712 -
\??\c:\ppdjj.exec:\ppdjj.exe61⤵
- Executes dropped EXE
PID:2644 -
\??\c:\7llffxx.exec:\7llffxx.exe62⤵
- Executes dropped EXE
PID:3260 -
\??\c:\xfrrllf.exec:\xfrrllf.exe63⤵
- Executes dropped EXE
PID:4784 -
\??\c:\1tnnhh.exec:\1tnnhh.exe64⤵
- Executes dropped EXE
PID:3228 -
\??\c:\pppjd.exec:\pppjd.exe65⤵
- Executes dropped EXE
PID:4896 -
\??\c:\rfxxllx.exec:\rfxxllx.exe66⤵PID:3488
-
\??\c:\hhbnth.exec:\hhbnth.exe67⤵PID:2044
-
\??\c:\dpvvv.exec:\dpvvv.exe68⤵PID:4292
-
\??\c:\lxxfrrf.exec:\lxxfrrf.exe69⤵PID:3796
-
\??\c:\lxffffx.exec:\lxffffx.exe70⤵PID:3028
-
\??\c:\btbtnh.exec:\btbtnh.exe71⤵PID:3164
-
\??\c:\vvvpp.exec:\vvvpp.exe72⤵PID:4236
-
\??\c:\1jddv.exec:\1jddv.exe73⤵PID:2708
-
\??\c:\rrlfxxf.exec:\rrlfxxf.exe74⤵PID:4936
-
\??\c:\nbbbbn.exec:\nbbbbn.exe75⤵PID:2848
-
\??\c:\9vdvv.exec:\9vdvv.exe76⤵PID:4276
-
\??\c:\7fxxrxr.exec:\7fxxrxr.exe77⤵PID:788
-
\??\c:\nbhbhb.exec:\nbhbhb.exe78⤵PID:2444
-
\??\c:\ppdvj.exec:\ppdvj.exe79⤵PID:696
-
\??\c:\9xxrlll.exec:\9xxrlll.exe80⤵PID:2592
-
\??\c:\fxrrlll.exec:\fxrrlll.exe81⤵PID:4196
-
\??\c:\hbthhn.exec:\hbthhn.exe82⤵PID:1472
-
\??\c:\3vddd.exec:\3vddd.exe83⤵PID:700
-
\??\c:\xxrrlll.exec:\xxrrlll.exe84⤵PID:4464
-
\??\c:\ffrrllr.exec:\ffrrllr.exe85⤵PID:2464
-
\??\c:\nbbnht.exec:\nbbnht.exe86⤵PID:4228
-
\??\c:\ddjjp.exec:\ddjjp.exe87⤵PID:4624
-
\??\c:\rlxrxxl.exec:\rlxrxxl.exe88⤵PID:4616
-
\??\c:\fflfffx.exec:\fflfffx.exe89⤵PID:3448
-
\??\c:\1nhhbh.exec:\1nhhbh.exe90⤵PID:3968
-
\??\c:\nhbbbb.exec:\nhbbbb.exe91⤵PID:1616
-
\??\c:\dvvvj.exec:\dvvvj.exe92⤵PID:2344
-
\??\c:\xlfxxxx.exec:\xlfxxxx.exe93⤵PID:1184
-
\??\c:\hnnhbt.exec:\hnnhbt.exe94⤵PID:5108
-
\??\c:\vjpdv.exec:\vjpdv.exe95⤵PID:4848
-
\??\c:\rlxlfrf.exec:\rlxlfrf.exe96⤵
- System Location Discovery: System Language Discovery
PID:1844 -
\??\c:\frrlrrl.exec:\frrlrrl.exe97⤵PID:1924
-
\??\c:\hnthbn.exec:\hnthbn.exe98⤵PID:3176
-
\??\c:\vvdpd.exec:\vvdpd.exe99⤵PID:4008
-
\??\c:\7jddp.exec:\7jddp.exe100⤵PID:2420
-
\??\c:\lxxflfx.exec:\lxxflfx.exe101⤵PID:4476
-
\??\c:\bnbnbn.exec:\bnbnbn.exe102⤵PID:3196
-
\??\c:\pjppp.exec:\pjppp.exe103⤵PID:2820
-
\??\c:\lrfrllf.exec:\lrfrllf.exe104⤵PID:2436
-
\??\c:\bhnhtn.exec:\bhnhtn.exe105⤵PID:4212
-
\??\c:\ddpvp.exec:\ddpvp.exe106⤵PID:964
-
\??\c:\xrfrlfx.exec:\xrfrlfx.exe107⤵PID:3596
-
\??\c:\nbnhhh.exec:\nbnhhh.exe108⤵PID:1424
-
\??\c:\7hnbnh.exec:\7hnbnh.exe109⤵PID:2152
-
\??\c:\djvjv.exec:\djvjv.exe110⤵PID:2428
-
\??\c:\3fxxrrr.exec:\3fxxrrr.exe111⤵PID:2956
-
\??\c:\thbbth.exec:\thbbth.exe112⤵PID:4676
-
\??\c:\9ddvj.exec:\9ddvj.exe113⤵PID:4820
-
\??\c:\frrlfxx.exec:\frrlfxx.exe114⤵PID:2656
-
\??\c:\ntnhhb.exec:\ntnhhb.exe115⤵PID:3992
-
\??\c:\jddjj.exec:\jddjj.exe116⤵PID:1224
-
\??\c:\lfflrlf.exec:\lfflrlf.exe117⤵PID:3904
-
\??\c:\hhhbnh.exec:\hhhbnh.exe118⤵PID:4660
-
\??\c:\9pvpp.exec:\9pvpp.exe119⤵PID:4392
-
\??\c:\7lrlfff.exec:\7lrlfff.exe120⤵PID:4536
-
\??\c:\nhbbbt.exec:\nhbbbt.exe121⤵PID:1908
-
\??\c:\htntbt.exec:\htntbt.exe122⤵PID:4236
-
\??\c:\7vjpj.exec:\7vjpj.exe123⤵PID:2708
-
\??\c:\rrllxrf.exec:\rrllxrf.exe124⤵PID:4916
-
\??\c:\xflxrlx.exec:\xflxrlx.exe125⤵PID:2848
-
\??\c:\1hbtnh.exec:\1hbtnh.exe126⤵PID:1436
-
\??\c:\pvvjv.exec:\pvvjv.exe127⤵PID:4520
-
\??\c:\xxffrlx.exec:\xxffrlx.exe128⤵PID:2876
-
\??\c:\hhtnbn.exec:\hhtnbn.exe129⤵PID:696
-
\??\c:\vpvvd.exec:\vpvvd.exe130⤵PID:4540
-
\??\c:\lrrlllf.exec:\lrrlllf.exe131⤵PID:4196
-
\??\c:\hthbnh.exec:\hthbnh.exe132⤵PID:940
-
\??\c:\vvvdp.exec:\vvvdp.exe133⤵PID:2500
-
\??\c:\rllrfrf.exec:\rllrfrf.exe134⤵PID:1620
-
\??\c:\9lxxrxf.exec:\9lxxrxf.exe135⤵PID:2716
-
\??\c:\bbnthn.exec:\bbnthn.exe136⤵PID:664
-
\??\c:\dpvpp.exec:\dpvpp.exe137⤵PID:3988
-
\??\c:\rlfffff.exec:\rlfffff.exe138⤵PID:3624
-
\??\c:\nnbthh.exec:\nnbthh.exe139⤵PID:5016
-
\??\c:\jvdvj.exec:\jvdvj.exe140⤵PID:2572
-
\??\c:\frxlrrr.exec:\frxlrrr.exe141⤵PID:800
-
\??\c:\bhhhhn.exec:\bhhhhn.exe142⤵PID:4040
-
\??\c:\nbtnbb.exec:\nbtnbb.exe143⤵PID:3412
-
\??\c:\vpdvv.exec:\vpdvv.exe144⤵PID:208
-
\??\c:\fxrlxrl.exec:\fxrlxrl.exe145⤵PID:3456
-
\??\c:\hnthnh.exec:\hnthnh.exe146⤵PID:1444
-
\??\c:\ddjvj.exec:\ddjvj.exe147⤵PID:4548
-
\??\c:\rrxllrf.exec:\rrxllrf.exe148⤵PID:808
-
\??\c:\nnbnbh.exec:\nnbnbh.exe149⤵PID:4008
-
\??\c:\vjjvv.exec:\vjjvv.exe150⤵PID:1936
-
\??\c:\5rxxllf.exec:\5rxxllf.exe151⤵PID:3928
-
\??\c:\hnbntt.exec:\hnbntt.exe152⤵PID:1172
-
\??\c:\hhnbbb.exec:\hhnbbb.exe153⤵PID:3132
-
\??\c:\9ppdp.exec:\9ppdp.exe154⤵PID:1244
-
\??\c:\lrrlxxl.exe c:\lrrlxxl.exe 155⤵ [System Location Discovery: System Language Discovery] PID:1944
-
\??\c:\3llffff.exec:\3llffff.exe156⤵PID:1980
-
\??\c:\vddvp.exec:\vddvp.exe157⤵PID:2872
-
\??\c:\xlxrffr.exec:\xlxrffr.exe158⤵PID:692
-
\??\c:\9bnhbt.exec:\9bnhbt.exe159⤵PID:1692
-
\??\c:\9vddj.exec:\9vddj.exe160⤵PID:948
-
\??\c:\pdvpv.exec:\pdvpv.exe161⤵PID:4656
-
\??\c:\lxfrrfx.exec:\lxfrrfx.exe162⤵PID:5104
-
\??\c:\bbhhtt.exec:\bbhhtt.exe163⤵PID:1356
-
\??\c:\9ddvd.exec:\9ddvd.exe164⤵PID:2512
-
\??\c:\rffxxxr.exec:\rffxxxr.exe165⤵PID:4584
-
\??\c:\fllxlfx.exec:\fllxlfx.exe166⤵PID:1876
-
\??\c:\hhbtnn.exec:\hhbtnn.exe167⤵PID:2636
-
\??\c:\vpjvp.exec:\vpjvp.exe168⤵PID:4972
-
\??\c:\rflxrlf.exec:\rflxrlf.exe169⤵PID:4516
-
\??\c:\tttnhb.exec:\tttnhb.exe170⤵PID:3668
-
\??\c:\bnnbth.exec:\bnnbth.exe171⤵PID:3364
-
\??\c:\3vvpj.exec:\3vvpj.exe172⤵PID:1956
-
\??\c:\9xxlxxx.exec:\9xxlxxx.exe173⤵PID:1456
-
\??\c:\htthtn.exec:\htthtn.exe174⤵PID:1612
-
\??\c:\pjdvp.exec:\pjdvp.exe175⤵PID:788
-
\??\c:\xffrfrf.exe c:\xffrfrf.exe 176⤵ [System Location Discovery: System Language Discovery] PID:4348
-
\??\c:\rfxrxlr.exec:\rfxrxlr.exe177⤵PID:5000
-
\??\c:\hhbttt.exec:\hhbttt.exe178⤵PID:2088
-
\??\c:\djpjj.exec:\djpjj.exe179⤵PID:3560
-
\??\c:\ffrrfrl.exec:\ffrrfrl.exe180⤵PID:3548
-
\??\c:\bnnhbb.exec:\bnnhbb.exe181⤵PID:4724
-
\??\c:\ppvpp.exec:\ppvpp.exe182⤵PID:400
-
\??\c:\xxxrllf.exec:\xxxrllf.exe183⤵PID:940
-
\??\c:\nhtnhh.exec:\nhtnhh.exe184⤵PID:2464
-
\??\c:\1nnhbt.exec:\1nnhbt.exe185⤵PID:1620
-
\??\c:\1pvpj.exec:\1pvpj.exe186⤵PID:4624
-
\??\c:\7rxrlll.exec:\7rxrlll.exe187⤵PID:664
-
\??\c:\nntnhb.exec:\nntnhb.exe188⤵PID:4716
-
\??\c:\bttnbb.exec:\bttnbb.exe189⤵PID:1984
-
\??\c:\9ddvv.exec:\9ddvv.exe190⤵PID:5016
-
\??\c:\xrrlflx.exec:\xrrlflx.exe191⤵PID:2752
-
\??\c:\3nnnhh.exec:\3nnnhh.exe192⤵PID:4148
-
\??\c:\pjjjj.exec:\pjjjj.exe193⤵PID:4112
-
\??\c:\rxlrfll.exec:\rxlrfll.exe194⤵PID:1396
-
\??\c:\5bhbtn.exec:\5bhbtn.exe195⤵PID:4448
-
\??\c:\vpjdd.exec:\vpjdd.exe196⤵PID:4108
-
\??\c:\rlfxxrl.exec:\rlfxxrl.exe197⤵PID:1476
-
\??\c:\xxxxrlf.exec:\xxxxrlf.exe198⤵PID:4548
-
\??\c:\tttnhh.exec:\tttnhh.exe199⤵PID:3636
-
\??\c:\vpppj.exec:\vpppj.exe200⤵PID:3476
-
\??\c:\xlrfrlx.exec:\xlrfrlx.exe201⤵PID:3960
-
\??\c:\nhtnhh.exec:\nhtnhh.exe202⤵PID:1312
-
\??\c:\ddvpd.exec:\ddvpd.exe203⤵PID:4552
-
\??\c:\fxrrlrx.exec:\fxrrlrx.exe204⤵PID:3908
-
\??\c:\xllfxrl.exec:\xllfxrl.exe205⤵PID:2040
-
\??\c:\tntnhb.exec:\tntnhb.exe206⤵PID:4864
-
\??\c:\dvppv.exec:\dvppv.exe207⤵PID:2168
-
\??\c:\vvvpj.exec:\vvvpj.exe208⤵PID:4020
-
\??\c:\lflffrr.exec:\lflffrr.exe209⤵PID:4680
-
\??\c:\hbbttn.exec:\hbbttn.exe210⤵PID:1316
-
\??\c:\bbnthb.exec:\bbnthb.exe211⤵PID:2244
-
\??\c:\jddvp.exec:\jddvp.exe212⤵PID:4380
-
\??\c:\3rxrffx.exe c:\3rxrffx.exe 213⤵ [System Location Discovery: System Language Discovery] PID:5104
-
\??\c:\thnhbt.exe c:\thnhbt.exe 214⤵ [System Location Discovery: System Language Discovery] PID:4896
-
\??\c:\bnnbtn.exec:\bnnbtn.exe215⤵PID:4168
-
\??\c:\jdvdv.exec:\jdvdv.exe216⤵PID:4584
-
\??\c:\7lxlrrl.exec:\7lxlrrl.exe217⤵PID:3904
-
\??\c:\tbhbtt.exec:\tbhbtt.exe218⤵PID:4660
-
\??\c:\btbnhb.exec:\btbnhb.exe219⤵PID:4972
-
\??\c:\dvddv.exec:\dvddv.exe220⤵PID:4536
-
\??\c:\rffxrll.exec:\rffxrll.exe221⤵PID:1908
-
\??\c:\nnhbnh.exec:\nnhbnh.exe222⤵PID:3364
-
\??\c:\jjvpj.exec:\jjvpj.exe223⤵PID:2888
-
\??\c:\jpvjd.exec:\jpvjd.exe224⤵PID:4276
-
\??\c:\xfrllfl.exec:\xfrllfl.exe225⤵PID:2972
-
\??\c:\httnhb.exec:\httnhb.exe226⤵PID:3656
-
\??\c:\5dvjv.exec:\5dvjv.exe227⤵PID:2112
-
\??\c:\jvdpj.exec:\jvdpj.exe228⤵PID:212
-
\??\c:\rlrlffx.exec:\rlrlffx.exe229⤵PID:1712
-
\??\c:\7nntnb.exec:\7nntnb.exe230⤵PID:3532
-
\??\c:\pvjjp.exe c:\pvjjp.exe 231⤵ [System Location Discovery: System Language Discovery] PID:3972
-
\??\c:\xxxlfrl.exec:\xxxlfrl.exe232⤵PID:1524
-
\??\c:\lrxrllf.exec:\lrxrllf.exe233⤵PID:1472
-
\??\c:\bbbnhb.exec:\bbbnhb.exe234⤵PID:3256
-
\??\c:\jvjvj.exec:\jvjvj.exe235⤵PID:4736
-
\??\c:\rrxlxlx.exec:\rrxlxlx.exe236⤵PID:3188
-
\??\c:\lflfrlf.exec:\lflfrlf.exe237⤵PID:4988
-
\??\c:\tbbnbn.exec:\tbbnbn.exe238⤵PID:4200
-
\??\c:\vjdjv.exec:\vjdjv.exe239⤵PID:3988
-
\??\c:\rfxrlfr.exec:\rfxrlfr.exe240⤵PID:2900
-
\??\c:\9xrfxxl.exec:\9xrfxxl.exe241⤵PID:3624
-
\??\c:\5nhtnh.exec:\5nhtnh.exe242⤵PID:1616