Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
09-11-2024 23:14
Behavioral task
behavioral1
Sample
9ec862870dccb8b142518eb09403075ef14afcd508c4047243e993d0a7ff7ed5N.exe
Resource
win7-20240903-en
General
-
Target
9ec862870dccb8b142518eb09403075ef14afcd508c4047243e993d0a7ff7ed5N.exe
-
Size
331KB
-
MD5
8a4226f8ae7784d97a38329d44113770
-
SHA1
7c8f1c48746e120a464d43e62df42e699caf36e7
-
SHA256
9ec862870dccb8b142518eb09403075ef14afcd508c4047243e993d0a7ff7ed5
-
SHA512
7d7a40498e9b4ac357030cebfc2144b50d9a325569526b81ac7b111af3e46a0f223696938a0766e5ccaabd9c777c44789bb963785d12eca37476fe819803324e
-
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tu:94wFHoStJdSjylh2b77BoTMA9gX59sT2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
Processes:
resource yara_rule behavioral2/memory/5000-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1896-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2172-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1820-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3004-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2764-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3808-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3248-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4368-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4668-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1116-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4020-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3296-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1064-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4220-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2600-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2740-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2916-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5032-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4228-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2116-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1272-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1588-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2824-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1712-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4596-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4308-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4596-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1900-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4812-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3932-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4460-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3076-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1276-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4568-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2840-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5100-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2116-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3348-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2852-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1820-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3140-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4668-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3972-408-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1496-445-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/628-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5012-467-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2196-476-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4264-507-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-660-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2604-700-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-707-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3980-722-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-816-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
tbnnhn.exe jvjdv.exe hnttbb.exe ntbnnh.exe jjvvj.exe xlrrlxx.exe jddpv.exe rrlxlrx.exe rrrlrrx.exe jvdvd.exe lflfrrx.exe vjjjd.exe xrxlxll.exe nnhbnh.exe hhtttt.exe vvjjd.exe jpppp.exe rlrrlll.exe 1hhbtt.exe vvdvv.exe btbbtb.exe 7nntnn.exe 7xfxrxr.exe thnhhh.exe pddvp.exe xlfllrr.exe 7nnnnn.exe 7vpjd.exe jdjjp.exe xrffrrf.exe hnnhth.exe ttnnht.exe pdjdv.exe ppjjp.exe xrxxfff.exe 3nttnn.exe hbbttt.exe ddddd.exe 7dpjp.exe rllrrll.exe bbntht.exe ddpvp.exe jpddv.exe hbntnb.exe jdvdj.exe lfflxxx.exe btbhnn.exe bntnnh.exe vvpvd.exe rlrlrrl.exe bhbtbh.exe nhhhhh.exe vjppv.exe llffxfx.exe ffllfxr.exe bntnnh.exe pvppd.exe xxxxxrl.exe hhnnnb.exe tbhhnn.exe jjvjp.exe fxlfxrx.exe 7thbnn.exe htbnht.exe
pid process
1896 tbnnhn.exe 4800 jvjdv.exe 2172 hnttbb.exe 1820 ntbnnh.exe 3004 jjvvj.exe 2764 xlrrlxx.exe 4596 jddpv.exe 3184 rrlxlrx.exe 4484 rrrlrrx.exe 3808 jvdvd.exe 3248 lflfrrx.exe 1700 vjjjd.exe 4368 xrxlxll.exe 3296 nnhbnh.exe 4668 hhtttt.exe 4020 vvjjd.exe 668 jpppp.exe 4396 rlrrlll.exe 3528 1hhbtt.exe 1116 vvdvv.exe 1064 btbbtb.exe 4220 7nntnn.exe 1588 7xfxrxr.exe 1272 thnhhh.exe 2600 pddvp.exe 2116 xlfllrr.exe 1944 7nnnnn.exe 5072 7vpjd.exe 2948 jdjjp.exe 3476 xrffrrf.exe 4228 hnnhth.exe 4404 ttnnht.exe 3424 pdjdv.exe 1612 ppjjp.exe 1540 xrxxfff.exe 2740 3nttnn.exe 3384 hbbttt.exe 5032 ddddd.exe 4340 7dpjp.exe 4952 rllrrll.exe 2852 bbntht.exe 2916 ddpvp.exe 2824 jpddv.exe 3608 hbntnb.exe 2100 jdvdj.exe 4488 lfflxxx.exe 2172 btbhnn.exe 1924 bntnnh.exe 3632 vvpvd.exe 4816 rlrlrrl.exe 3004 bhbtbh.exe 1712 nhhhhh.exe 4308 vjppv.exe 4596 llffxfx.exe 3232 ffllfxr.exe 1900 bntnnh.exe 4496 pvppd.exe 3184 xxxxxrl.exe 4812 hhnnnb.exe 1564 tbhhnn.exe 3664 jjvjp.exe 2416 fxlfxrx.exe 2032 7thbnn.exe 1384 htbnht.exe -
Processes:
resource yara_rule behavioral2/memory/5000-0-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\tbnnhn.exe upx behavioral2/memory/5000-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1896-6-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jvjdv.exe upx behavioral2/memory/4800-11-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\hnttbb.exe upx behavioral2/memory/2172-16-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ntbnnh.exe upx C:\jjvvj.exe upx behavioral2/memory/1820-24-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xlrrlxx.exe upx behavioral2/memory/2764-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3004-30-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jddpv.exe upx behavioral2/memory/2764-36-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rrlxlrx.exe upx \??\c:\rrrlrrx.exe upx behavioral2/memory/3184-44-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jvdvd.exe upx behavioral2/memory/4484-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3808-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3248-56-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\vjjjd.exe upx \??\c:\lflfrrx.exe upx C:\xrxlxll.exe upx behavioral2/memory/4368-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1700-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4368-70-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\hhtttt.exe upx behavioral2/memory/4668-77-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\vvjjd.exe upx \??\c:\rlrrlll.exe upx \??\c:\jpppp.exe upx \??\c:\1hhbtt.exe upx \??\c:\vvdvv.exe upx behavioral2/memory/1116-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4020-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3296-74-0x0000000000400000-0x0000000000427000-memory.dmp upx 
\??\c:\nnhbnh.exe upx \??\c:\btbbtb.exe upx C:\7nntnn.exe upx behavioral2/memory/1064-108-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\7xfxrxr.exe upx behavioral2/memory/4220-118-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\thnhhh.exe upx C:\pddvp.exe upx behavioral2/memory/2600-125-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\xlfllrr.exe upx \??\c:\7nnnnn.exe upx \??\c:\jdjjp.exe upx \??\c:\xrffrrf.exe upx behavioral2/memory/2740-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2916-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5032-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1540-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4404-157-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\ttnnht.exe upx behavioral2/memory/4228-153-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\hnnhth.exe upx \??\c:\7vpjd.exe upx behavioral2/memory/2116-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1272-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1588-116-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
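Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The evidence recorded below is only that each listed process opened the NLS\Language registry key, which ordinary software also commonly reads, so this signature is a weak indicator on its own and is best weighed together with the other signatures in this report.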
Processes:
tttbbb.exefffffff.exerxflfll.exevpddj.exebttnhh.exe1vvvv.exevpvpj.exeflrxxfx.exejpvvv.exe3pddd.exe1fffxrl.exevvjvd.exejjpjd.exethttnn.exetnnnnb.exe3nnnnb.exevjvvj.exevjjdv.exetthnhb.exexxllrrr.exetbhntb.exejvvpp.exe7lxrlff.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxflfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fffxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthnhb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9ec862870dccb8b142518eb09403075ef14afcd508c4047243e993d0a7ff7ed5N.exetbnnhn.exejvjdv.exehnttbb.exentbnnh.exejjvvj.exexlrrlxx.exejddpv.exerrlxlrx.exerrrlrrx.exejvdvd.exelflfrrx.exevjjjd.exexrxlxll.exennhbnh.exehhtttt.exevvjjd.exejpppp.exerlrrlll.exe1hhbtt.exevvdvv.exebtbbtb.exedescription pid process target process PID 5000 wrote to memory of 1896 5000 9ec862870dccb8b142518eb09403075ef14afcd508c4047243e993d0a7ff7ed5N.exe tbnnhn.exe PID 5000 wrote to memory of 1896 5000 9ec862870dccb8b142518eb09403075ef14afcd508c4047243e993d0a7ff7ed5N.exe tbnnhn.exe PID 5000 wrote to memory of 1896 5000 9ec862870dccb8b142518eb09403075ef14afcd508c4047243e993d0a7ff7ed5N.exe tbnnhn.exe PID 1896 wrote to memory of 4800 1896 tbnnhn.exe jvjdv.exe PID 1896 wrote to memory of 4800 1896 tbnnhn.exe jvjdv.exe PID 1896 wrote to memory of 4800 1896 tbnnhn.exe jvjdv.exe PID 4800 wrote to memory of 2172 4800 jvjdv.exe hnttbb.exe PID 4800 wrote to memory of 2172 4800 jvjdv.exe hnttbb.exe PID 4800 wrote to memory of 2172 4800 jvjdv.exe hnttbb.exe PID 2172 wrote to memory of 1820 2172 hnttbb.exe ntbnnh.exe PID 2172 wrote to memory of 1820 2172 hnttbb.exe ntbnnh.exe PID 2172 wrote to memory of 1820 2172 hnttbb.exe ntbnnh.exe PID 1820 wrote to memory of 3004 1820 ntbnnh.exe jjvvj.exe PID 1820 wrote to memory of 3004 1820 ntbnnh.exe jjvvj.exe PID 1820 wrote to memory of 3004 1820 ntbnnh.exe jjvvj.exe PID 3004 wrote to memory of 2764 3004 jjvvj.exe xlrrlxx.exe PID 3004 wrote to memory of 2764 3004 jjvvj.exe xlrrlxx.exe PID 3004 wrote to memory of 2764 3004 jjvvj.exe xlrrlxx.exe PID 2764 wrote to memory of 4596 2764 xlrrlxx.exe jddpv.exe PID 2764 wrote to memory of 4596 2764 xlrrlxx.exe jddpv.exe PID 2764 wrote to memory of 4596 2764 xlrrlxx.exe jddpv.exe PID 4596 wrote to memory of 3184 4596 jddpv.exe rrlxlrx.exe PID 4596 wrote to memory of 3184 4596 jddpv.exe rrlxlrx.exe PID 4596 wrote to memory of 3184 4596 jddpv.exe rrlxlrx.exe PID 3184 wrote to memory of 4484 3184 rrlxlrx.exe rrrlrrx.exe PID 3184 
wrote to memory of 4484 3184 rrlxlrx.exe rrrlrrx.exe PID 3184 wrote to memory of 4484 3184 rrlxlrx.exe rrrlrrx.exe PID 4484 wrote to memory of 3808 4484 rrrlrrx.exe jvdvd.exe PID 4484 wrote to memory of 3808 4484 rrrlrrx.exe jvdvd.exe PID 4484 wrote to memory of 3808 4484 rrrlrrx.exe jvdvd.exe PID 3808 wrote to memory of 3248 3808 jvdvd.exe lflfrrx.exe PID 3808 wrote to memory of 3248 3808 jvdvd.exe lflfrrx.exe PID 3808 wrote to memory of 3248 3808 jvdvd.exe lflfrrx.exe PID 3248 wrote to memory of 1700 3248 lflfrrx.exe vjjjd.exe PID 3248 wrote to memory of 1700 3248 lflfrrx.exe vjjjd.exe PID 3248 wrote to memory of 1700 3248 lflfrrx.exe vjjjd.exe PID 1700 wrote to memory of 4368 1700 vjjjd.exe xrxlxll.exe PID 1700 wrote to memory of 4368 1700 vjjjd.exe xrxlxll.exe PID 1700 wrote to memory of 4368 1700 vjjjd.exe xrxlxll.exe PID 4368 wrote to memory of 3296 4368 xrxlxll.exe nnhbnh.exe PID 4368 wrote to memory of 3296 4368 xrxlxll.exe nnhbnh.exe PID 4368 wrote to memory of 3296 4368 xrxlxll.exe nnhbnh.exe PID 3296 wrote to memory of 4668 3296 nnhbnh.exe hhtttt.exe PID 3296 wrote to memory of 4668 3296 nnhbnh.exe hhtttt.exe PID 3296 wrote to memory of 4668 3296 nnhbnh.exe hhtttt.exe PID 4668 wrote to memory of 4020 4668 hhtttt.exe vvjjd.exe PID 4668 wrote to memory of 4020 4668 hhtttt.exe vvjjd.exe PID 4668 wrote to memory of 4020 4668 hhtttt.exe vvjjd.exe PID 4020 wrote to memory of 668 4020 vvjjd.exe jpppp.exe PID 4020 wrote to memory of 668 4020 vvjjd.exe jpppp.exe PID 4020 wrote to memory of 668 4020 vvjjd.exe jpppp.exe PID 668 wrote to memory of 4396 668 jpppp.exe rlrrlll.exe PID 668 wrote to memory of 4396 668 jpppp.exe rlrrlll.exe PID 668 wrote to memory of 4396 668 jpppp.exe rlrrlll.exe PID 4396 wrote to memory of 3528 4396 rlrrlll.exe 1hhbtt.exe PID 4396 wrote to memory of 3528 4396 rlrrlll.exe 1hhbtt.exe PID 4396 wrote to memory of 3528 4396 rlrrlll.exe 1hhbtt.exe PID 3528 wrote to memory of 1116 3528 1hhbtt.exe vvdvv.exe PID 3528 wrote to memory of 1116 3528 
1hhbtt.exe vvdvv.exe PID 3528 wrote to memory of 1116 3528 1hhbtt.exe vvdvv.exe PID 1116 wrote to memory of 1064 1116 vvdvv.exe btbbtb.exe PID 1116 wrote to memory of 1064 1116 vvdvv.exe btbbtb.exe PID 1116 wrote to memory of 1064 1116 vvdvv.exe btbbtb.exe PID 1064 wrote to memory of 4220 1064 btbbtb.exe 7nntnn.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ec862870dccb8b142518eb09403075ef14afcd508c4047243e993d0a7ff7ed5N.exe"C:\Users\Admin\AppData\Local\Temp\9ec862870dccb8b142518eb09403075ef14afcd508c4047243e993d0a7ff7ed5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\tbnnhn.exec:\tbnnhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\jvjdv.exec:\jvjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\hnttbb.exec:\hnttbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\ntbnnh.exec:\ntbnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\jjvvj.exec:\jjvvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\xlrrlxx.exec:\xlrrlxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\jddpv.exec:\jddpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\rrlxlrx.exec:\rrlxlrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\rrrlrrx.exec:\rrrlrrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\jvdvd.exec:\jvdvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\lflfrrx.exec:\lflfrrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\vjjjd.exec:\vjjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\xrxlxll.exec:\xrxlxll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\nnhbnh.exec:\nnhbnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\hhtttt.exec:\hhtttt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\vvjjd.exec:\vvjjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\jpppp.exec:\jpppp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\rlrrlll.exec:\rlrrlll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\1hhbtt.exec:\1hhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\vvdvv.exec:\vvdvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\btbbtb.exec:\btbbtb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\7nntnn.exec:\7nntnn.exe23⤵
- Executes dropped EXE
PID:4220 -
\??\c:\7xfxrxr.exec:\7xfxrxr.exe24⤵
- Executes dropped EXE
PID:1588 -
\??\c:\thnhhh.exec:\thnhhh.exe25⤵
- Executes dropped EXE
PID:1272 -
\??\c:\pddvp.exec:\pddvp.exe26⤵
- Executes dropped EXE
PID:2600 -
\??\c:\xlfllrr.exec:\xlfllrr.exe27⤵
- Executes dropped EXE
PID:2116 -
\??\c:\7nnnnn.exec:\7nnnnn.exe28⤵
- Executes dropped EXE
PID:1944 -
\??\c:\7vpjd.exec:\7vpjd.exe29⤵
- Executes dropped EXE
PID:5072 -
\??\c:\jdjjp.exec:\jdjjp.exe30⤵
- Executes dropped EXE
PID:2948 -
\??\c:\xrffrrf.exec:\xrffrrf.exe31⤵
- Executes dropped EXE
PID:3476 -
\??\c:\hnnhth.exec:\hnnhth.exe32⤵
- Executes dropped EXE
PID:4228 -
\??\c:\ttnnht.exec:\ttnnht.exe33⤵
- Executes dropped EXE
PID:4404 -
\??\c:\pdjdv.exec:\pdjdv.exe34⤵
- Executes dropped EXE
PID:3424 -
\??\c:\ppjjp.exec:\ppjjp.exe35⤵
- Executes dropped EXE
PID:1612 -
\??\c:\xrxxfff.exec:\xrxxfff.exe36⤵
- Executes dropped EXE
PID:1540 -
\??\c:\3nttnn.exec:\3nttnn.exe37⤵
- Executes dropped EXE
PID:2740 -
\??\c:\hbbttt.exec:\hbbttt.exe38⤵
- Executes dropped EXE
PID:3384 -
\??\c:\ddddd.exec:\ddddd.exe39⤵
- Executes dropped EXE
PID:5032 -
\??\c:\7dpjp.exec:\7dpjp.exe40⤵
- Executes dropped EXE
PID:4340 -
\??\c:\rllrrll.exec:\rllrrll.exe41⤵
- Executes dropped EXE
PID:4952 -
\??\c:\bbntht.exec:\bbntht.exe42⤵
- Executes dropped EXE
PID:2852 -
\??\c:\ddpvp.exec:\ddpvp.exe43⤵
- Executes dropped EXE
PID:2916 -
\??\c:\jpddv.exec:\jpddv.exe44⤵
- Executes dropped EXE
PID:2824 -
\??\c:\hbntnb.exec:\hbntnb.exe45⤵
- Executes dropped EXE
PID:3608 -
\??\c:\jdvdj.exec:\jdvdj.exe46⤵
- Executes dropped EXE
PID:2100 -
\??\c:\lfflxxx.exec:\lfflxxx.exe47⤵
- Executes dropped EXE
PID:4488 -
\??\c:\btbhnn.exec:\btbhnn.exe48⤵
- Executes dropped EXE
PID:2172 -
\??\c:\bntnnh.exec:\bntnnh.exe49⤵
- Executes dropped EXE
PID:1924 -
\??\c:\vvpvd.exec:\vvpvd.exe50⤵
- Executes dropped EXE
PID:3632 -
\??\c:\rlrlrrl.exec:\rlrlrrl.exe51⤵
- Executes dropped EXE
PID:4816 -
\??\c:\bhbtbh.exec:\bhbtbh.exe52⤵
- Executes dropped EXE
PID:3004 -
\??\c:\nhhhhh.exec:\nhhhhh.exe53⤵
- Executes dropped EXE
PID:1712 -
\??\c:\vjppv.exec:\vjppv.exe54⤵
- Executes dropped EXE
PID:4308 -
\??\c:\llffxfx.exec:\llffxfx.exe55⤵
- Executes dropped EXE
PID:4596 -
\??\c:\ffllfxr.exec:\ffllfxr.exe56⤵
- Executes dropped EXE
PID:3232 -
\??\c:\bntnnh.exec:\bntnnh.exe57⤵
- Executes dropped EXE
PID:1900 -
\??\c:\pvppd.exec:\pvppd.exe58⤵
- Executes dropped EXE
PID:4496 -
\??\c:\xxxxxrl.exec:\xxxxxrl.exe59⤵
- Executes dropped EXE
PID:3184 -
\??\c:\hhnnnb.exec:\hhnnnb.exe60⤵
- Executes dropped EXE
PID:4812 -
\??\c:\tbhhnn.exec:\tbhhnn.exe61⤵
- Executes dropped EXE
PID:1564 -
\??\c:\jjvjp.exec:\jjvjp.exe62⤵
- Executes dropped EXE
PID:3664 -
\??\c:\fxlfxrx.exec:\fxlfxrx.exe63⤵
- Executes dropped EXE
PID:2416 -
\??\c:\7thbnn.exec:\7thbnn.exe64⤵
- Executes dropped EXE
PID:2032 -
\??\c:\htbnht.exec:\htbnht.exe65⤵
- Executes dropped EXE
PID:1384 -
\??\c:\jjpjp.exec:\jjpjp.exe66⤵PID:3932
-
\??\c:\7vddv.exec:\7vddv.exe67⤵PID:4460
-
\??\c:\hthtbt.exec:\hthtbt.exe68⤵PID:468
-
\??\c:\1dpvj.exec:\1dpvj.exe69⤵PID:2704
-
\??\c:\vdjjd.exec:\vdjjd.exe70⤵PID:5004
-
\??\c:\lflfrll.exec:\lflfrll.exe71⤵PID:3224
-
\??\c:\1hbttn.exec:\1hbttn.exe72⤵PID:2160
-
\??\c:\tnhntt.exec:\tnhntt.exe73⤵PID:3076
-
\??\c:\9vdvv.exec:\9vdvv.exe74⤵PID:3580
-
\??\c:\hbnnhb.exec:\hbnnhb.exe75⤵PID:4764
-
\??\c:\dvpjv.exec:\dvpjv.exe76⤵PID:2976
-
\??\c:\pdvpj.exec:\pdvpj.exe77⤵PID:1276
-
\??\c:\rfrlfff.exec:\rfrlfff.exe78⤵PID:4568
-
\??\c:\tbbnnn.exec:\tbbnnn.exe79⤵PID:3952
-
\??\c:\jdvpp.exec:\jdvpp.exe80⤵PID:4708
-
\??\c:\5lllflf.exec:\5lllflf.exe81⤵PID:5112
-
\??\c:\llffxll.exec:\llffxll.exe82⤵PID:3604
-
\??\c:\tttnhh.exec:\tttnhh.exe83⤵PID:2840
-
\??\c:\pjjvp.exec:\pjjvp.exe84⤵PID:5100
-
\??\c:\5tnttt.exec:\5tnttt.exe85⤵PID:2572
-
\??\c:\5jvdj.exec:\5jvdj.exe86⤵PID:2116
-
\??\c:\dpvdp.exec:\dpvdp.exe87⤵PID:3912
-
\??\c:\xrfxfrf.exec:\xrfxfrf.exe88⤵PID:3536
-
\??\c:\thbtnb.exec:\thbtnb.exe89⤵PID:4380
-
\??\c:\3hhhhh.exec:\3hhhhh.exe90⤵PID:392
-
\??\c:\vjvpd.exec:\vjvpd.exe91⤵PID:4696
-
\??\c:\rlxxxxf.exec:\rlxxxxf.exe92⤵PID:732
-
\??\c:\xlrlffx.exec:\xlrlffx.exe93⤵PID:1612
-
\??\c:\tbhbbh.exec:\tbhbbh.exe94⤵PID:3060
-
\??\c:\pppjv.exec:\pppjv.exe95⤵PID:4492
-
\??\c:\vppjv.exec:\vppjv.exe96⤵PID:1404
-
\??\c:\fxxrflf.exec:\fxxrflf.exe97⤵PID:4784
-
\??\c:\bbhhbt.exec:\bbhhbt.exe98⤵PID:4400
-
\??\c:\nhhnbn.exec:\nhhnbn.exe99⤵PID:748
-
\??\c:\jdpjj.exec:\jdpjj.exe100⤵PID:3228
-
\??\c:\flxfxfx.exec:\flxfxfx.exe101⤵PID:3212
-
\??\c:\flfrrrl.exec:\flfrrrl.exe102⤵PID:4952
-
\??\c:\tbhhbb.exec:\tbhhbb.exe103⤵PID:3348
-
\??\c:\jpdpv.exec:\jpdpv.exe104⤵PID:2852
-
\??\c:\rfllxff.exec:\rfllxff.exe105⤵PID:4652
-
\??\c:\5hhbtn.exec:\5hhbtn.exe106⤵PID:3000
-
\??\c:\vvvjd.exec:\vvvjd.exe107⤵PID:2824
-
\??\c:\vjdvp.exec:\vjdvp.exe108⤵PID:3608
-
\??\c:\xxlxlfr.exec:\xxlxlfr.exe109⤵PID:3624
-
\??\c:\bbtnhb.exec:\bbtnhb.exe110⤵PID:4472
-
\??\c:\thhhhn.exec:\thhhhn.exe111⤵PID:1820
-
\??\c:\jdddd.exec:\jdddd.exe112⤵PID:1828
-
\??\c:\jppjd.exec:\jppjd.exe113⤵PID:4816
-
\??\c:\bntnnn.exec:\bntnnn.exe114⤵PID:4936
-
\??\c:\tthbnh.exec:\tthbnh.exe115⤵PID:2836
-
\??\c:\pdppd.exec:\pdppd.exe116⤵PID:4596
-
\??\c:\7jpjj.exec:\7jpjj.exe117⤵PID:2604
-
\??\c:\9flfrxr.exec:\9flfrxr.exe118⤵PID:3140
-
\??\c:\tnhhhh.exec:\tnhhhh.exe119⤵PID:1032
-
\??\c:\bbnnhh.exec:\bbnnhh.exe120⤵PID:1408
-
\??\c:\rlfxfxr.exec:\rlfxfxr.exe121⤵PID:3808
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe122⤵PID:5016
-
\??\c:\bhnnnh.exec:\bhnnnh.exe123⤵PID:1096
-
\??\c:\bhnhhb.exec:\bhnhhb.exe124⤵PID:2028
-
\??\c:\vjdvp.exec:\vjdvp.exe125⤵PID:4664
-
\??\c:\rrlfxxx.exec:\rrlfxxx.exe126⤵PID:316
-
\??\c:\1tttnt.exec:\1tttnt.exe127⤵PID:3980
-
\??\c:\nhtnhh.exec:\nhtnhh.exe128⤵PID:2576
-
\??\c:\3jdvp.exec:\3jdvp.exe129⤵PID:4668
-
\??\c:\fflfxrl.exec:\fflfxrl.exe130⤵PID:1780
-
\??\c:\flrllll.exec:\flrllll.exe131⤵PID:544
-
\??\c:\thhnnt.exec:\thhnnt.exe132⤵PID:4852
-
\??\c:\jddjd.exec:\jddjd.exe133⤵PID:2772
-
\??\c:\xllrlrr.exec:\xllrlrr.exe134⤵PID:4016
-
\??\c:\xllfxrl.exec:\xllfxrl.exe135⤵PID:536
-
\??\c:\hbnhtn.exec:\hbnhtn.exe136⤵PID:2072
-
\??\c:\vvvpj.exec:\vvvpj.exe137⤵PID:4968
-
\??\c:\xllrlll.exec:\xllrlll.exe138⤵PID:3864
-
\??\c:\xxllfff.exec:\xxllfff.exe139⤵PID:2276
-
\??\c:\5hhbbt.exec:\5hhbbt.exe140⤵PID:2896
-
\??\c:\dvvvp.exec:\dvvvp.exe141⤵PID:1588
-
\??\c:\rxrflfl.exec:\rxrflfl.exe142⤵PID:3616
-
\??\c:\bbnttb.exec:\bbnttb.exe143⤵PID:3972
-
\??\c:\bttnhh.exec:\bttnhh.exe144⤵PID:3292
-
\??\c:\lrlfrrr.exec:\lrlfrrr.exe145⤵PID:3920
-
\??\c:\frrlxxf.exec:\frrlxxf.exe146⤵PID:5072
-
\??\c:\tttnhh.exec:\tttnhh.exe147⤵PID:2424
-
\??\c:\tnhbtn.exec:\tnhbtn.exe148⤵PID:4808
-
\??\c:\5jpjp.exec:\5jpjp.exe149⤵PID:2936
-
\??\c:\fflxllr.exec:\fflxllr.exe150⤵PID:2780
-
\??\c:\fxrlfxx.exec:\fxrlfxx.exe151⤵PID:4112
-
\??\c:\httnnn.exec:\httnnn.exe152⤵PID:3600
-
\??\c:\frxrllx.exec:\frxrllx.exe153⤵PID:780
-
\??\c:\thttnh.exec:\thttnh.exe154⤵PID:4352
-
\??\c:\pdpjd.exec:\pdpjd.exe155⤵PID:2516
-
\??\c:\xfffxfx.exec:\xfffxfx.exe156⤵PID:4752
-
\??\c:\nbhbtt.exec:\nbhbtt.exe157⤵PID:3508
-
\??\c:\1jdvp.exec:\1jdvp.exe158⤵PID:4124
-
\??\c:\dvpjv.exec:\dvpjv.exe159⤵PID:1524
-
\??\c:\rrllrrf.exec:\rrllrrf.exe160⤵PID:4944
-
\??\c:\nbthnh.exec:\nbthnh.exe161⤵PID:1496
-
\??\c:\vvvvd.exec:\vvvvd.exe162⤵PID:628
-
\??\c:\frxxrrr.exec:\frxxrrr.exe163⤵PID:3336
-
\??\c:\bnbthb.exec:\bnbthb.exe164⤵PID:3100
-
\??\c:\nthbtt.exec:\nthbtt.exe165⤵PID:4300
-
\??\c:\9jpdv.exec:\9jpdv.exe166⤵PID:852
-
\??\c:\5lrlfxx.exec:\5lrlfxx.exe167⤵PID:2256
-
\??\c:\tthnhb.exec:\tthnhb.exe168⤵
- System Location Discovery: System Language Discovery
PID:1016 -
\??\c:\flllxxx.exec:\flllxxx.exe169⤵PID:3632
-
\??\c:\lfxrlff.exec:\lfxrlff.exe170⤵PID:4024
-
\??\c:\bthtnh.exec:\bthtnh.exe171⤵PID:5012
-
\??\c:\jjvpd.exec:\jjvpd.exe172⤵PID:1584
-
\??\c:\lxlfxrl.exec:\lxlfxrl.exe173⤵PID:4292
-
\??\c:\lrxxxrr.exec:\lrxxxrr.exe174⤵PID:2680
-
\??\c:\tbnnnt.exec:\tbnnnt.exe175⤵PID:2196
-
\??\c:\9vvdp.exec:\9vvdp.exe176⤵PID:516
-
\??\c:\dvvpj.exec:\dvvpj.exe177⤵PID:3768
-
\??\c:\xlffxxr.exec:\xlffxxr.exe178⤵PID:4484
-
\??\c:\bbbbbb.exec:\bbbbbb.exe179⤵PID:4080
-
\??\c:\pjjvp.exec:\pjjvp.exe180⤵PID:2032
-
\??\c:\rxfrlfr.exec:\rxfrlfr.exe181⤵PID:5028
-
\??\c:\frffxxr.exec:\frffxxr.exe182⤵PID:4960
-
\??\c:\nhnhnh.exec:\nhnhnh.exe183⤵PID:1548
-
\??\c:\ddjvp.exec:\ddjvp.exe184⤵PID:4028
-
\??\c:\jvvvp.exec:\jvvvp.exe185⤵PID:5004
-
\??\c:\bnbbtb.exec:\bnbbtb.exe186⤵PID:3224
-
\??\c:\vjjdv.exec:\vjjdv.exe187⤵PID:2460
-
\??\c:\djvdd.exec:\djvdd.exe188⤵PID:764
-
\??\c:\7frlllf.exec:\7frlllf.exe189⤵PID:2544
-
\??\c:\9bbnhh.exec:\9bbnhh.exe190⤵PID:4264
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe191⤵PID:3640
-
\??\c:\hnbbnb.exec:\hnbbnb.exe192⤵PID:1888
-
\??\c:\dvvjd.exec:\dvvjd.exe193⤵PID:4568
-
\??\c:\lrffrff.exec:\lrffrff.exe194⤵PID:1116
-
\??\c:\nhhbbt.exec:\nhhbbt.exe195⤵PID:724
-
\??\c:\jjjpj.exec:\jjjpj.exe196⤵PID:1880
-
\??\c:\llxrlll.exec:\llxrlll.exe197⤵PID:4576
-
\??\c:\djjjd.exec:\djjjd.exe198⤵PID:1588
-
\??\c:\rfrrxxf.exec:\rfrrxxf.exe199⤵PID:2164
-
\??\c:\bnhhbh.exec:\bnhhbh.exe200⤵PID:4392
-
\??\c:\ppvvp.exec:\ppvvp.exe201⤵PID:2572
-
\??\c:\pdvvd.exec:\pdvvd.exe202⤵PID:4376
-
\??\c:\5rrrllf.exec:\5rrrllf.exe203⤵PID:3852
-
\??\c:\nbhttt.exec:\nbhttt.exe204⤵PID:3536
-
\??\c:\rrxrrll.exec:\rrxrrll.exe205⤵PID:4228
-
\??\c:\ntnbnn.exec:\ntnbnn.exe206⤵PID:2936
-
\??\c:\vvvpv.exec:\vvvpv.exe207⤵PID:2780
-
\??\c:\1llfxrl.exec:\1llfxrl.exe208⤵PID:4544
-
\??\c:\jvvpj.exec:\jvvpj.exe209⤵PID:612
-
\??\c:\xllffff.exec:\xllffff.exe210⤵PID:4992
-
\??\c:\fxfrfxr.exec:\fxfrfxr.exe211⤵PID:1652
-
\??\c:\thhhhn.exec:\thhhhn.exe212⤵PID:3628
-
\??\c:\ppjjj.exec:\ppjjj.exe213⤵PID:4752
-
\??\c:\frxrrrr.exec:\frxrrrr.exe214⤵PID:4344
-
\??\c:\nnhttb.exec:\nnhttb.exe215⤵PID:4124
-
\??\c:\djpjj.exec:\djpjj.exe216⤵PID:3256
-
\??\c:\lrxffff.exec:\lrxffff.exe217⤵PID:4944
-
\??\c:\rflffll.exec:\rflffll.exe218⤵PID:1496
-
\??\c:\ttnthb.exec:\ttnthb.exe219⤵PID:628
-
\??\c:\jpvpv.exec:\jpvpv.exe220⤵PID:1092
-
\??\c:\dvdpp.exec:\dvdpp.exe221⤵PID:3000
-
\??\c:\xrxrrll.exec:\xrxrrll.exe222⤵PID:2824
-
\??\c:\nhhntt.exec:\nhhntt.exe223⤵PID:3608
-
\??\c:\tnbthh.exec:\tnbthh.exe224⤵PID:3624
-
\??\c:\3vddp.exec:\3vddp.exe225⤵PID:4528
-
\??\c:\rxxrffx.exec:\rxxrffx.exe226⤵PID:216
-
\??\c:\hbnnhh.exec:\hbnnhh.exe227⤵PID:1924
-
\??\c:\jdpjp.exec:\jdpjp.exe228⤵PID:4816
-
\??\c:\vpdvd.exec:\vpdvd.exe229⤵PID:456
-
\??\c:\flxxrrl.exec:\flxxrrl.exe230⤵PID:3680
-
\??\c:\hthhhh.exec:\hthhhh.exe231⤵PID:2836
-
\??\c:\jjpjd.exec:\jjpjd.exe232⤵
- System Location Discovery: System Language Discovery
PID:2288 -
\??\c:\vpddd.exec:\vpddd.exe233⤵PID:3284
-
\??\c:\xlxffff.exec:\xlxffff.exe234⤵PID:3500
-
\??\c:\hbnhtt.exec:\hbnhtt.exe235⤵PID:1184
-
\??\c:\3ntnnt.exec:\3ntnnt.exe236⤵PID:3956
-
\??\c:\5jvvd.exec:\5jvvd.exe237⤵PID:3932
-
\??\c:\7flllxx.exec:\7flllxx.exe238⤵PID:4460
-
\??\c:\bhtnnt.exec:\bhtnnt.exe239⤵PID:2592
-
\??\c:\djddj.exec:\djddj.exe240⤵PID:4664
-
\??\c:\flrrlfx.exec:\flrrlfx.exe241⤵PID:4988
-
\??\c:\5fxrrxr.exec:\5fxrrxr.exe242⤵PID:2444