Analysis
-
max time kernel
120s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
09-11-2024 22:27
Static task
static1
Behavioral task
behavioral1
Sample
7f4514c892f09cd840e920b941dd00e728d5883a3f13f678b4f4ab8d6f91be3eN.exe
Resource
win7-20241010-en
General
-
Target
7f4514c892f09cd840e920b941dd00e728d5883a3f13f678b4f4ab8d6f91be3eN.exe
-
Size
455KB
-
MD5
d18c5c8b78b1edebea3c2e1fe088f120
-
SHA1
9722b5b502c1edb37c48b744d13fb3c42a6d7d18
-
SHA256
7f4514c892f09cd840e920b941dd00e728d5883a3f13f678b4f4ab8d6f91be3e
-
SHA512
695502bdf6960e0634b27a0f27f125cd6230a4e33565299505de950544dece1b53afc1442924daaf7f646d2d4561e9880774b1741ccde9f6e0492e5cfe16d468
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRk:q7Tc2NYHUrAwfMp3CDRk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/3808-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1484-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3176-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-1046-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-1050-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-1369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5116-1475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
djjjp.exevjddd.exexrxrxrr.exehnhbbb.exedjpdj.exepjjvd.exelxxlllx.exebnhnnb.exerlllxfr.exenntthh.exeflrlrfl.exehhbbht.exejvjjj.exexrxrxff.exelxlrlrl.exehhbbnn.exejdpvv.exeflrlxxx.exejpvpj.exexflfrrl.exennhbhb.exetttnhh.exe5rlfxfx.exebhhhbb.exejdddd.exenbtttt.exepdjvv.exepvdvv.exerlllffx.exebntnhn.exebbhnhn.exevvddj.exefrllrfl.exebhhbbh.exejdjjj.exerfflrlr.exetthnnt.exejdddj.exefflxxxr.exehthhhn.exepjppp.exebbhnhh.exevjvpp.exexfrrxff.exefllrrxx.exebtbhhn.exeppjdd.exefflllll.exenhnhtn.exejdjjp.exerxlllll.exettbbnn.exejpddj.exeffllrrr.exelflllrr.exe7bhbhn.exejpjvj.exexrfxxxx.exetnhtnb.exejdvpv.exexlrrxfr.exerlrxxff.exennnntn.exedjjvp.exepid process 3584 djjjp.exe 3504 vjddd.exe 3600 xrxrxrr.exe 1700 hnhbbb.exe 2712 djpdj.exe 372 pjjvd.exe 3744 lxxlllx.exe 512 bnhnnb.exe 5064 rlllxfr.exe 4320 nntthh.exe 3012 flrlrfl.exe 3036 hhbbht.exe 4608 jvjjj.exe 3968 xrxrxff.exe 1196 lxlrlrl.exe 3572 hhbbnn.exe 4572 jdpvv.exe 4916 flrlxxx.exe 1004 jpvpj.exe 452 xflfrrl.exe 4064 nnhbhb.exe 2136 tttnhh.exe 1088 5rlfxfx.exe 4144 bhhhbb.exe 2484 jdddd.exe 1484 nbtttt.exe 3248 pdjvv.exe 2088 pvdvv.exe 3412 rlllffx.exe 3392 bntnhn.exe 2524 bbhnhn.exe 2820 vvddj.exe 2032 frllrfl.exe 2844 bhhbbh.exe 4044 jdjjj.exe 5008 rfflrlr.exe 2464 tthnnt.exe 4124 jdddj.exe 2256 fflxxxr.exe 1264 hthhhn.exe 2428 pjppp.exe 2664 bbhnhh.exe 4488 vjvpp.exe 4724 xfrrxff.exe 3584 fllrrxx.exe 928 btbhhn.exe 2340 ppjdd.exe 4268 fflllll.exe 4080 nhnhtn.exe 4884 jdjjp.exe 2040 rxlllll.exe 5116 ttbbnn.exe 372 jpddj.exe 3568 ffllrrr.exe 4500 lflllrr.exe 2192 7bhbhn.exe 4316 jpjvj.exe 800 xrfxxxx.exe 2984 tnhtnb.exe 3836 jdvpv.exe 1940 xlrrxfr.exe 4376 rlrxxff.exe 3968 nnnntn.exe 2284 djjvp.exe -
Processes:
resource yara_rule behavioral2/memory/3808-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3392-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-357-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2248-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-835-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
nntbbn.exerlxxxxf.exejddpv.exevvjjv.exennbbth.exe3vjjp.exejvjjp.exennhhhh.exettbbnt.exetntbht.exerffxrll.exepjpvv.exehntnnh.exerffrrxr.exeflxxfff.exepvvvv.exevvdjj.exexxfxxrf.exexlrffxf.exettbbtb.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
jvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
7f4514c892f09cd840e920b941dd00e728d5883a3f13f678b4f4ab8d6f91be3eN.exedjjjp.exevjddd.exexrxrxrr.exehnhbbb.exedjpdj.exepjjvd.exelxxlllx.exebnhnnb.exerlllxfr.exenntthh.exeflrlrfl.exehhbbht.exejvjjj.exexrxrxff.exelxlrlrl.exehhbbnn.exejdpvv.exeflrlxxx.exejpvpj.exexflfrrl.exennhbhb.exedescription pid process target process PID 3808 wrote to memory of 3584 3808 7f4514c892f09cd840e920b941dd00e728d5883a3f13f678b4f4ab8d6f91be3eN.exe djjjp.exe PID 3808 wrote to memory of 3584 3808 7f4514c892f09cd840e920b941dd00e728d5883a3f13f678b4f4ab8d6f91be3eN.exe djjjp.exe PID 3808 wrote to memory of 3584 3808 7f4514c892f09cd840e920b941dd00e728d5883a3f13f678b4f4ab8d6f91be3eN.exe djjjp.exe PID 3584 wrote to memory of 3504 3584 djjjp.exe vjddd.exe PID 3584 wrote to memory of 3504 3584 djjjp.exe vjddd.exe PID 3584 wrote to memory of 3504 3584 djjjp.exe vjddd.exe PID 3504 wrote to memory of 3600 3504 vjddd.exe xrxrxrr.exe PID 3504 wrote to memory of 3600 3504 vjddd.exe xrxrxrr.exe PID 3504 wrote to memory of 3600 3504 vjddd.exe xrxrxrr.exe PID 3600 wrote to memory of 1700 3600 xrxrxrr.exe hnhbbb.exe PID 3600 wrote to memory of 1700 3600 xrxrxrr.exe hnhbbb.exe PID 3600 wrote to memory of 1700 3600 xrxrxrr.exe hnhbbb.exe PID 1700 wrote to memory of 2712 1700 hnhbbb.exe djpdj.exe PID 1700 wrote to memory of 2712 1700 hnhbbb.exe djpdj.exe PID 1700 wrote to memory of 2712 1700 hnhbbb.exe djpdj.exe PID 2712 wrote to memory of 372 2712 djpdj.exe pjjvd.exe PID 2712 wrote to memory of 372 2712 djpdj.exe pjjvd.exe PID 2712 wrote to memory of 372 2712 djpdj.exe pjjvd.exe PID 372 wrote to memory of 3744 372 pjjvd.exe lxxlllx.exe PID 372 wrote to memory of 3744 372 pjjvd.exe lxxlllx.exe PID 372 wrote to memory of 3744 372 pjjvd.exe lxxlllx.exe PID 3744 wrote to memory of 512 3744 lxxlllx.exe bnhnnb.exe PID 3744 wrote to memory of 512 3744 lxxlllx.exe bnhnnb.exe PID 3744 wrote to memory of 512 3744 lxxlllx.exe bnhnnb.exe PID 512 wrote to memory of 5064 512 bnhnnb.exe rlllxfr.exe PID 512 wrote to memory of 
5064 512 bnhnnb.exe rlllxfr.exe PID 512 wrote to memory of 5064 512 bnhnnb.exe rlllxfr.exe PID 5064 wrote to memory of 4320 5064 rlllxfr.exe nntthh.exe PID 5064 wrote to memory of 4320 5064 rlllxfr.exe nntthh.exe PID 5064 wrote to memory of 4320 5064 rlllxfr.exe nntthh.exe PID 4320 wrote to memory of 3012 4320 nntthh.exe flrlrfl.exe PID 4320 wrote to memory of 3012 4320 nntthh.exe flrlrfl.exe PID 4320 wrote to memory of 3012 4320 nntthh.exe flrlrfl.exe PID 3012 wrote to memory of 3036 3012 flrlrfl.exe hhbbht.exe PID 3012 wrote to memory of 3036 3012 flrlrfl.exe hhbbht.exe PID 3012 wrote to memory of 3036 3012 flrlrfl.exe hhbbht.exe PID 3036 wrote to memory of 4608 3036 hhbbht.exe jvjjj.exe PID 3036 wrote to memory of 4608 3036 hhbbht.exe jvjjj.exe PID 3036 wrote to memory of 4608 3036 hhbbht.exe jvjjj.exe PID 4608 wrote to memory of 3968 4608 jvjjj.exe xrxrxff.exe PID 4608 wrote to memory of 3968 4608 jvjjj.exe xrxrxff.exe PID 4608 wrote to memory of 3968 4608 jvjjj.exe xrxrxff.exe PID 3968 wrote to memory of 1196 3968 xrxrxff.exe lxlrlrl.exe PID 3968 wrote to memory of 1196 3968 xrxrxff.exe lxlrlrl.exe PID 3968 wrote to memory of 1196 3968 xrxrxff.exe lxlrlrl.exe PID 1196 wrote to memory of 3572 1196 lxlrlrl.exe hhbbnn.exe PID 1196 wrote to memory of 3572 1196 lxlrlrl.exe hhbbnn.exe PID 1196 wrote to memory of 3572 1196 lxlrlrl.exe hhbbnn.exe PID 3572 wrote to memory of 4572 3572 hhbbnn.exe jdpvv.exe PID 3572 wrote to memory of 4572 3572 hhbbnn.exe jdpvv.exe PID 3572 wrote to memory of 4572 3572 hhbbnn.exe jdpvv.exe PID 4572 wrote to memory of 4916 4572 jdpvv.exe flrlxxx.exe PID 4572 wrote to memory of 4916 4572 jdpvv.exe flrlxxx.exe PID 4572 wrote to memory of 4916 4572 jdpvv.exe flrlxxx.exe PID 4916 wrote to memory of 1004 4916 flrlxxx.exe jpvpj.exe PID 4916 wrote to memory of 1004 4916 flrlxxx.exe jpvpj.exe PID 4916 wrote to memory of 1004 4916 flrlxxx.exe jpvpj.exe PID 1004 wrote to memory of 452 1004 jpvpj.exe xflfrrl.exe PID 1004 wrote to memory of 452 1004 
jpvpj.exe xflfrrl.exe PID 1004 wrote to memory of 452 1004 jpvpj.exe xflfrrl.exe PID 452 wrote to memory of 4064 452 xflfrrl.exe nnhbhb.exe PID 452 wrote to memory of 4064 452 xflfrrl.exe nnhbhb.exe PID 452 wrote to memory of 4064 452 xflfrrl.exe nnhbhb.exe PID 4064 wrote to memory of 2136 4064 nnhbhb.exe tttnhh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f4514c892f09cd840e920b941dd00e728d5883a3f13f678b4f4ab8d6f91be3eN.exe"C:\Users\Admin\AppData\Local\Temp\7f4514c892f09cd840e920b941dd00e728d5883a3f13f678b4f4ab8d6f91be3eN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\djjjp.exec:\djjjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\vjddd.exec:\vjddd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\xrxrxrr.exec:\xrxrxrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\hnhbbb.exec:\hnhbbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\djpdj.exec:\djpdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\pjjvd.exec:\pjjvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\lxxlllx.exec:\lxxlllx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\bnhnnb.exec:\bnhnnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\rlllxfr.exec:\rlllxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\nntthh.exec:\nntthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\flrlrfl.exec:\flrlrfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\hhbbht.exec:\hhbbht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\jvjjj.exec:\jvjjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\xrxrxff.exec:\xrxrxff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\lxlrlrl.exec:\lxlrlrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\hhbbnn.exec:\hhbbnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\jdpvv.exec:\jdpvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\flrlxxx.exec:\flrlxxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\jpvpj.exec:\jpvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\xflfrrl.exec:\xflfrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\nnhbhb.exec:\nnhbhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\tttnhh.exec:\tttnhh.exe23⤵
- Executes dropped EXE
PID:2136 -
\??\c:\5rlfxfx.exec:\5rlfxfx.exe24⤵
- Executes dropped EXE
PID:1088 -
\??\c:\bhhhbb.exec:\bhhhbb.exe25⤵
- Executes dropped EXE
PID:4144 -
\??\c:\jdddd.exec:\jdddd.exe26⤵
- Executes dropped EXE
PID:2484 -
\??\c:\nbtttt.exec:\nbtttt.exe27⤵
- Executes dropped EXE
PID:1484 -
\??\c:\pdjvv.exec:\pdjvv.exe28⤵
- Executes dropped EXE
PID:3248 -
\??\c:\pvdvv.exec:\pvdvv.exe29⤵
- Executes dropped EXE
PID:2088 -
\??\c:\rlllffx.exec:\rlllffx.exe30⤵
- Executes dropped EXE
PID:3412 -
\??\c:\bntnhn.exec:\bntnhn.exe31⤵
- Executes dropped EXE
PID:3392 -
\??\c:\bbhnhn.exec:\bbhnhn.exe32⤵
- Executes dropped EXE
PID:2524 -
\??\c:\vvddj.exec:\vvddj.exe33⤵
- Executes dropped EXE
PID:2820 -
\??\c:\frllrfl.exec:\frllrfl.exe34⤵
- Executes dropped EXE
PID:2032 -
\??\c:\bhhbbh.exec:\bhhbbh.exe35⤵
- Executes dropped EXE
PID:2844 -
\??\c:\jdjjj.exec:\jdjjj.exe36⤵
- Executes dropped EXE
PID:4044 -
\??\c:\rfflrlr.exec:\rfflrlr.exe37⤵
- Executes dropped EXE
PID:5008 -
\??\c:\tthnnt.exec:\tthnnt.exe38⤵
- Executes dropped EXE
PID:2464 -
\??\c:\jdddj.exec:\jdddj.exe39⤵
- Executes dropped EXE
PID:4124 -
\??\c:\fflxxxr.exec:\fflxxxr.exe40⤵
- Executes dropped EXE
PID:2256 -
\??\c:\hthhhn.exec:\hthhhn.exe41⤵
- Executes dropped EXE
PID:1264 -
\??\c:\pjppp.exec:\pjppp.exe42⤵
- Executes dropped EXE
PID:2428 -
\??\c:\bbhnhh.exec:\bbhnhh.exe43⤵
- Executes dropped EXE
PID:2664 -
\??\c:\vjvpp.exec:\vjvpp.exe44⤵
- Executes dropped EXE
PID:4488 -
\??\c:\xfrrxff.exec:\xfrrxff.exe45⤵
- Executes dropped EXE
PID:4724 -
\??\c:\fllrrxx.exec:\fllrrxx.exe46⤵
- Executes dropped EXE
PID:3584 -
\??\c:\btbhhn.exec:\btbhhn.exe47⤵
- Executes dropped EXE
PID:928 -
\??\c:\ppjdd.exec:\ppjdd.exe48⤵
- Executes dropped EXE
PID:2340 -
\??\c:\fflllll.exec:\fflllll.exe49⤵
- Executes dropped EXE
PID:4268 -
\??\c:\nhnhtn.exec:\nhnhtn.exe50⤵
- Executes dropped EXE
PID:4080 -
\??\c:\jdjjp.exec:\jdjjp.exe51⤵
- Executes dropped EXE
PID:4884 -
\??\c:\rxlllll.exec:\rxlllll.exe52⤵
- Executes dropped EXE
PID:2040 -
\??\c:\ttbbnn.exec:\ttbbnn.exe53⤵
- Executes dropped EXE
PID:5116 -
\??\c:\jpddj.exec:\jpddj.exe54⤵
- Executes dropped EXE
PID:372 -
\??\c:\ffllrrr.exec:\ffllrrr.exe55⤵
- Executes dropped EXE
PID:3568 -
\??\c:\lflllrr.exec:\lflllrr.exe56⤵
- Executes dropped EXE
PID:4500 -
\??\c:\7bhbhn.exec:\7bhbhn.exe57⤵
- Executes dropped EXE
PID:2192 -
\??\c:\jpjvj.exec:\jpjvj.exe58⤵
- Executes dropped EXE
PID:4316 -
\??\c:\xrfxxxx.exec:\xrfxxxx.exe59⤵
- Executes dropped EXE
PID:800 -
\??\c:\tnhtnb.exec:\tnhtnb.exe60⤵
- Executes dropped EXE
PID:2984 -
\??\c:\jdvpv.exec:\jdvpv.exe61⤵
- Executes dropped EXE
PID:3836 -
\??\c:\xlrrxfr.exec:\xlrrxfr.exe62⤵
- Executes dropped EXE
PID:1940 -
\??\c:\rlrxxff.exec:\rlrxxff.exe63⤵
- Executes dropped EXE
PID:4376 -
\??\c:\nnnntn.exec:\nnnntn.exe64⤵
- Executes dropped EXE
PID:3968 -
\??\c:\djjvp.exec:\djjvp.exe65⤵
- Executes dropped EXE
PID:2284 -
\??\c:\lfxlxxl.exec:\lfxlxxl.exe66⤵PID:4300
-
\??\c:\ddvjv.exec:\ddvjv.exe67⤵PID:4132
-
\??\c:\rxfffff.exec:\rxfffff.exe68⤵PID:3064
-
\??\c:\tnbnnh.exec:\tnbnnh.exe69⤵PID:1004
-
\??\c:\dpvvv.exec:\dpvvv.exe70⤵PID:4928
-
\??\c:\rrrrrll.exec:\rrrrrll.exe71⤵PID:2416
-
\??\c:\bnbbhh.exec:\bnbbhh.exe72⤵PID:3576
-
\??\c:\jdjjd.exec:\jdjjd.exe73⤵PID:1932
-
\??\c:\vvpvv.exec:\vvpvv.exe74⤵PID:764
-
\??\c:\rlllxff.exec:\rlllxff.exe75⤵PID:60
-
\??\c:\hntntn.exec:\hntntn.exe76⤵PID:1416
-
\??\c:\jjdjj.exec:\jjdjj.exe77⤵PID:3176
-
\??\c:\rrflxrf.exec:\rrflxrf.exe78⤵PID:1576
-
\??\c:\hhnttt.exec:\hhnttt.exe79⤵PID:876
-
\??\c:\btbbbb.exec:\btbbbb.exe80⤵PID:1348
-
\??\c:\jdpvd.exec:\jdpvd.exe81⤵PID:3392
-
\??\c:\xxxlllf.exec:\xxxlllf.exe82⤵PID:712
-
\??\c:\bthhtt.exec:\bthhtt.exe83⤵PID:3380
-
\??\c:\ppjjj.exec:\ppjjj.exe84⤵PID:3936
-
\??\c:\nnttnn.exec:\nnttnn.exe85⤵PID:4728
-
\??\c:\dvvpp.exec:\dvvpp.exe86⤵PID:2248
-
\??\c:\3rfrxrx.exec:\3rfrxrx.exe87⤵PID:4044
-
\??\c:\ttnbhh.exec:\ttnbhh.exe88⤵PID:4956
-
\??\c:\xxrlrrx.exec:\xxrlrrx.exe89⤵PID:5084
-
\??\c:\htnnnb.exec:\htnnnb.exe90⤵PID:1968
-
\??\c:\vdppp.exec:\vdppp.exe91⤵PID:2256
-
\??\c:\nhtnhh.exec:\nhtnhh.exe92⤵PID:2164
-
\??\c:\jjdpj.exec:\jjdpj.exe93⤵PID:4440
-
\??\c:\lrrfflx.exec:\lrrfflx.exe94⤵PID:2664
-
\??\c:\pdddp.exec:\pdddp.exe95⤵PID:4488
-
\??\c:\hhnnnt.exec:\hhnnnt.exe96⤵PID:3796
-
\??\c:\jvvjd.exec:\jvvjd.exe97⤵PID:3584
-
\??\c:\hbhhht.exec:\hbhhht.exe98⤵PID:928
-
\??\c:\9flllxx.exec:\9flllxx.exe99⤵PID:3172
-
\??\c:\nhnhhh.exec:\nhnhhh.exe100⤵PID:4764
-
\??\c:\jdvvd.exec:\jdvvd.exe101⤵PID:1772
-
\??\c:\xrxrrrr.exec:\xrxrrrr.exe102⤵PID:4884
-
\??\c:\nntnnn.exec:\nntnnn.exe103⤵PID:2040
-
\??\c:\jjjjj.exec:\jjjjj.exe104⤵PID:5116
-
\??\c:\ffrrrxx.exec:\ffrrrxx.exe105⤵PID:3224
-
\??\c:\tthbbh.exec:\tthbbh.exe106⤵PID:2680
-
\??\c:\pjvpj.exec:\pjvpj.exe107⤵PID:1656
-
\??\c:\flllfxx.exec:\flllfxx.exe108⤵PID:2912
-
\??\c:\hbbbbh.exec:\hbbbbh.exe109⤵PID:5064
-
\??\c:\ddjjj.exec:\ddjjj.exe110⤵PID:4264
-
\??\c:\fxxlfxr.exec:\fxxlfxr.exe111⤵PID:400
-
\??\c:\xrflxxf.exec:\xrflxxf.exe112⤵PID:1128
-
\??\c:\tbnttb.exec:\tbnttb.exe113⤵PID:4892
-
\??\c:\jdppp.exec:\jdppp.exe114⤵PID:4092
-
\??\c:\rlrffll.exec:\rlrffll.exe115⤵PID:2864
-
\??\c:\ddddd.exec:\ddddd.exe116⤵PID:3516
-
\??\c:\jdppp.exec:\jdppp.exe117⤵PID:2536
-
\??\c:\fxlffff.exec:\fxlffff.exe118⤵PID:4976
-
\??\c:\bthhhb.exec:\bthhhb.exe119⤵PID:1032
-
\??\c:\jjppv.exec:\jjppv.exe120⤵PID:2068
-
\??\c:\rlrxxff.exec:\rlrxxff.exe121⤵PID:3920
-
\??\c:\tbhbtt.exec:\tbhbtt.exe122⤵PID:2148
-
\??\c:\5pjjj.exec:\5pjjj.exe123⤵PID:3088
-
\??\c:\ffllrxx.exec:\ffllrxx.exe124⤵PID:1508
-
\??\c:\hhhhhn.exec:\hhhhhn.exe125⤵PID:4144
-
\??\c:\vdddd.exec:\vdddd.exe126⤵PID:1924
-
\??\c:\9rffxll.exec:\9rffxll.exe127⤵PID:4776
-
\??\c:\btbbtb.exec:\btbbtb.exe128⤵PID:1796
-
\??\c:\ddjpp.exec:\ddjpp.exe129⤵PID:4940
-
\??\c:\frxrrrr.exec:\frxrrrr.exe130⤵PID:4672
-
\??\c:\rrffrxf.exec:\rrffrxf.exe131⤵PID:1348
-
\??\c:\hbnttb.exec:\hbnttb.exe132⤵PID:1476
-
\??\c:\pdvvp.exec:\pdvvp.exe133⤵PID:224
-
\??\c:\lfllfff.exec:\lfllfff.exe134⤵PID:3684
-
\??\c:\bnnhhn.exec:\bnnhhn.exe135⤵PID:5088
-
\??\c:\ppvvj.exec:\ppvvj.exe136⤵PID:4196
-
\??\c:\llrrrff.exec:\llrrrff.exe137⤵PID:5008
-
\??\c:\ttbtnn.exec:\ttbtnn.exe138⤵PID:968
-
\??\c:\jvjjp.exec:\jvjjp.exe139⤵PID:3164
-
\??\c:\jvjjv.exec:\jvjjv.exe140⤵PID:1968
-
\??\c:\fxllllr.exec:\fxllllr.exe141⤵PID:4028
-
\??\c:\thbbbh.exec:\thbbbh.exe142⤵PID:3808
-
\??\c:\dvvvv.exec:\dvvvv.exe143⤵PID:4348
-
\??\c:\fflrxlr.exec:\fflrxlr.exe144⤵PID:2564
-
\??\c:\rfllflf.exec:\rfllflf.exe145⤵PID:1472
-
\??\c:\hhnttb.exec:\hhnttb.exe146⤵PID:1064
-
\??\c:\vdvvv.exec:\vdvvv.exe147⤵PID:4156
-
\??\c:\rfrxxrx.exec:\rfrxxrx.exe148⤵PID:2772
-
\??\c:\hbthnn.exec:\hbthnn.exe149⤵PID:4860
-
\??\c:\jjjpp.exec:\jjjpp.exe150⤵PID:228
-
\??\c:\llxlfff.exec:\llxlfff.exe151⤵PID:2252
-
\??\c:\thttnt.exec:\thttnt.exe152⤵PID:2540
-
\??\c:\jjvdd.exec:\jjvdd.exe153⤵PID:2456
-
\??\c:\vjjdp.exec:\vjjdp.exe154⤵PID:1684
-
\??\c:\xlfrxlr.exec:\xlfrxlr.exe155⤵PID:3744
-
\??\c:\bthbhh.exec:\bthbhh.exe156⤵PID:3924
-
\??\c:\jjppv.exec:\jjppv.exe157⤵PID:2680
-
\??\c:\xxlxxxx.exec:\xxlxxxx.exe158⤵PID:5072
-
\??\c:\nhtnhh.exec:\nhtnhh.exe159⤵PID:3152
-
\??\c:\jdvpd.exec:\jdvpd.exe160⤵PID:32
-
\??\c:\jdppp.exec:\jdppp.exe161⤵PID:3012
-
\??\c:\llxrrxx.exec:\llxrrxx.exe162⤵PID:336
-
\??\c:\nbnbtt.exec:\nbnbtt.exe163⤵PID:2932
-
\??\c:\vvdpp.exec:\vvdpp.exe164⤵PID:1304
-
\??\c:\vddjd.exec:\vddjd.exe165⤵PID:3520
-
\??\c:\nbtbbt.exec:\nbtbbt.exe166⤵PID:4092
-
\??\c:\htbbhh.exec:\htbbhh.exe167⤵PID:412
-
\??\c:\pjvpp.exec:\pjvpp.exe168⤵PID:1100
-
\??\c:\fflllll.exec:\fflllll.exe169⤵PID:3516
-
\??\c:\hnnhnt.exec:\hnnhnt.exe170⤵PID:2536
-
\??\c:\rlllffx.exec:\rlllffx.exe171⤵PID:4172
-
\??\c:\hnhbnh.exec:\hnhbnh.exe172⤵PID:4924
-
\??\c:\jjjjj.exec:\jjjjj.exe173⤵PID:2068
-
\??\c:\jddjj.exec:\jddjj.exe174⤵PID:3920
-
\??\c:\rffflrx.exec:\rffflrx.exe175⤵PID:2148
-
\??\c:\hhtnnn.exec:\hhtnnn.exe176⤵PID:2644
-
\??\c:\dvdjp.exec:\dvdjp.exe177⤵PID:1508
-
\??\c:\llxrxxx.exec:\llxrxxx.exe178⤵PID:1392
-
\??\c:\tnnnnn.exec:\tnnnnn.exe179⤵PID:3176
-
\??\c:\pvvvp.exec:\pvvvp.exe180⤵PID:4776
-
\??\c:\ffrllll.exec:\ffrllll.exe181⤵PID:4020
-
\??\c:\bhhtnt.exec:\bhhtnt.exe182⤵PID:4940
-
\??\c:\pjpjj.exec:\pjpjj.exe183⤵PID:1860
-
\??\c:\lrfffxf.exec:\lrfffxf.exe184⤵PID:3392
-
\??\c:\rxxrfxl.exec:\rxxrfxl.exe185⤵PID:2820
-
\??\c:\bnttnt.exec:\bnttnt.exe186⤵PID:1612
-
\??\c:\djjvj.exec:\djjvj.exe187⤵PID:1844
-
\??\c:\7lffrxx.exec:\7lffrxx.exe188⤵PID:4164
-
\??\c:\bnbbbh.exec:\bnbbbh.exe189⤵PID:3900
-
\??\c:\pdjjj.exec:\pdjjj.exe190⤵PID:2132
-
\??\c:\dvdpp.exec:\dvdpp.exe191⤵PID:3752
-
\??\c:\nnbtnt.exec:\nnbtnt.exe192⤵PID:4528
-
\??\c:\jjppv.exec:\jjppv.exe193⤵PID:1264
-
\??\c:\xxxffxx.exec:\xxxffxx.exe194⤵PID:2428
-
\??\c:\tnhntt.exec:\tnhntt.exe195⤵PID:4452
-
\??\c:\vpjjv.exec:\vpjjv.exe196⤵PID:4560
-
\??\c:\llxlxfr.exec:\llxlxfr.exe197⤵PID:2664
-
\??\c:\tnttbh.exec:\tnttbh.exe198⤵PID:4480
-
\??\c:\jppvp.exec:\jppvp.exe199⤵PID:4508
-
\??\c:\7xlllxf.exec:\7xlllxf.exe200⤵PID:3584
-
\??\c:\xxrrrrr.exec:\xxrrrrr.exe201⤵PID:4308
-
\??\c:\btnntt.exec:\btnntt.exe202⤵PID:3172
-
\??\c:\pjpjv.exec:\pjpjv.exe203⤵PID:436
-
\??\c:\fflllrr.exec:\fflllrr.exe204⤵PID:2780
-
\??\c:\htbbhn.exec:\htbbhn.exe205⤵PID:4884
-
\??\c:\jdddv.exec:\jdddv.exe206⤵PID:532
-
\??\c:\rlxxrrx.exec:\rlxxrrx.exe207⤵PID:1108
-
\??\c:\nnbbht.exec:\nnbbht.exe208⤵PID:1212
-
\??\c:\jjvpj.exec:\jjvpj.exe209⤵PID:5000
-
\??\c:\xrlfxfx.exec:\xrlfxfx.exe210⤵PID:2192
-
\??\c:\tbhhtt.exec:\tbhhtt.exe211⤵PID:3132
-
\??\c:\pdvjj.exec:\pdvjj.exe212⤵PID:32
-
\??\c:\jjpdp.exec:\jjpdp.exe213⤵PID:2324
-
\??\c:\xfrxxll.exec:\xfrxxll.exe214⤵PID:1564
-
\??\c:\tbbttt.exec:\tbbttt.exe215⤵PID:1920
-
\??\c:\jddvp.exec:\jddvp.exe216⤵PID:2776
-
\??\c:\frfxfrl.exec:\frfxfrl.exe217⤵PID:2284
-
\??\c:\jvvpp.exec:\jvvpp.exe218⤵PID:4844
-
\??\c:\llxxxff.exec:\llxxxff.exe219⤵PID:3064
-
\??\c:\tnnttt.exec:\tnnttt.exe220⤵PID:3408
-
\??\c:\pjddp.exec:\pjddp.exe221⤵PID:2288
-
\??\c:\llllfff.exec:\llllfff.exe222⤵PID:3340
-
\??\c:\ttbttn.exec:\ttbttn.exe223⤵PID:3576
-
\??\c:\bhhhnh.exec:\bhhhnh.exe224⤵PID:116
-
\??\c:\pdpvv.exec:\pdpvv.exe225⤵PID:2644
-
\??\c:\llxxllx.exec:\llxxllx.exe226⤵PID:3996
-
\??\c:\thtbhn.exec:\thtbhn.exe227⤵PID:1688
-
\??\c:\ddddj.exec:\ddddj.exe228⤵PID:4336
-
\??\c:\xxfxxrf.exec:\xxfxxrf.exe229⤵PID:876 [System Location Discovery: System Language Discovery]
-
\??\c:\hhhhhh.exec:\hhhhhh.exe230⤵PID:2140
-
\??\c:\pjvvp.exec:\pjvvp.exe231⤵PID:4416
-
\??\c:\jvjdd.exec:\jvjdd.exe232⤵PID:3388
-
\??\c:\frlflfr.exec:\frlflfr.exe233⤵PID:1476
-
\??\c:\nnhhtt.exec:\nnhhtt.exe234⤵PID:3380
-
\??\c:\dvpjv.exec:\dvpjv.exe235⤵PID:4728
-
\??\c:\xrrxrxr.exec:\xrrxrxr.exe236⤵PID:5088
-
\??\c:\nnhhhn.exec:\nnhhhn.exe237⤵PID:2464
-
\??\c:\djpjj.exec:\djpjj.exe238⤵PID:5008
-
\??\c:\xrfflxx.exec:\xrfflxx.exe239⤵PID:1464
-
\??\c:\bnhttt.exec:\bnhttt.exe240⤵PID:3636
-
\??\c:\dvdpd.exec:\dvdpd.exe241⤵PID:392
-
\??\c:\nnbttb.exec:\nnbttb.exe242⤵PID:1264