Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
10-11-2024 00:59
Static task
static1
Behavioral task
behavioral1
Sample
9d1556116c0dfbc2e364b164b52d82c7ec2daa3613bdf1ced4c11693e5f0f398.exe
Resource
win7-20240903-en
General
-
Target
9d1556116c0dfbc2e364b164b52d82c7ec2daa3613bdf1ced4c11693e5f0f398.exe
-
Size
347KB
-
MD5
e769dbf0000e037af5aa053ab7a97606
-
SHA1
78d05c886eac0d3acd77fee8005ad23805ee5e14
-
SHA256
9d1556116c0dfbc2e364b164b52d82c7ec2daa3613bdf1ced4c11693e5f0f398
-
SHA512
d23a31ec4c7300b315fbc2cb96a2028fe63aadf614aebf862a6c0a720232498599ffb796302b8002f1185853104f7785eb379dfe740a1d0b04f1951f37b10c55
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAi:l7TcbWXZshJX2VGdi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
Processes:
resource yara_rule behavioral2/memory/3264-5-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5076-13-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/216-12-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1856-18-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3048-32-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1060-37-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3588-41-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1468-48-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2180-53-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2636-62-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4252-66-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3932-78-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3764-80-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4216-86-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1916-95-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3700-111-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4476-138-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2096-147-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3496-158-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2844-145-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2476-187-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/4664-189-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/684-195-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1448-202-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3024-206-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4388-210-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/212-214-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/540-218-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3516-222-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4420-226-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3048-232-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4596-242-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3588-246-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3620-250-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1792-264-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4784-268-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4564-278-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4108-300-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1108-307-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3480-318-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/900-325-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1776-329-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/960-351-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2368-361-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2560-374-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3404-396-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3328-415-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1076-425-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4464-435-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5012-439-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1464-443-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3880-459-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2588-478-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3488-489-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3264-530-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1328-577-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1144-722-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3056-741-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4112-1027-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/436-1134-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3384-1334-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3920-1479-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
3ffrxxx.exejdjvp.exerflfxff.exellfrlfx.exeddppp.exelrxrfxf.exevjpjd.exethhbnh.exefxfxxrx.exefrrlfxx.exe1nnhbt.exedjdvp.exebbtthb.exetnnttn.exelfxrlxr.exe9jjdp.exefrllfff.exedjpdv.exejddvv.exefrllfrl.exetbbthb.exe1rrlllf.exerlrlrrr.exe1jddv.exedpppj.exe5lrfxrl.exehnnbnh.exevppjj.exe5lrlrrr.exerlrxrrf.exe3bhbtn.exedppdv.exefrlxrfx.exetntnbb.exentthtb.exedppdp.exefxxlxrf.exe3hnbhb.exe3jpdj.exerxfxlfx.exetnhtth.exedjvpj.exe3vpjv.exefxrfrlf.exentthtn.exepdvjv.exe1jdpd.exefflxrfx.exe9nnhbn.exepdvpj.exedpdvj.exefffrlfx.exehhbttt.exe3jjdv.exe9jjvj.exelflffxx.exethhbnh.exebnnbtb.exellrxxff.exelrlfxrl.exehhnhbt.exeddjdd.exepdjdp.exellrrrll.exepid process 216 3ffrxxx.exe 5076 jdjvp.exe 1856 rflfxff.exe 3048 llfrlfx.exe 1060 ddppp.exe 3588 lrxrfxf.exe 1468 vjpjd.exe 2180 thhbnh.exe 2636 fxfxxrx.exe 1648 frrlfxx.exe 4252 1nnhbt.exe 3932 djdvp.exe 3764 bbtthb.exe 4216 tnnttn.exe 1916 lfxrlxr.exe 3696 9jjdp.exe 3880 frllfff.exe 3700 djpdv.exe 1928 jddvv.exe 2736 frllfrl.exe 3692 tbbthb.exe 4568 1rrlllf.exe 4476 rlrlrrr.exe 2096 1jddv.exe 2844 dpppj.exe 2860 5lrfxrl.exe 3496 hnnbnh.exe 1176 vppjj.exe 5092 5lrlrrr.exe 3420 rlrxrrf.exe 1636 3bhbtn.exe 2476 dppdv.exe 4664 frlxrfx.exe 684 tntnbb.exe 448 ntthtb.exe 1448 dppdp.exe 3024 fxxlxrf.exe 4388 3hnbhb.exe 212 3jpdj.exe 540 rxfxlfx.exe 3516 tnhtth.exe 4420 djvpj.exe 1072 3vpjv.exe 3048 fxrfrlf.exe 3716 ntthtn.exe 5048 pdvjv.exe 4596 1jdpd.exe 3588 fflxrfx.exe 3620 9nnhbn.exe 2308 pdvpj.exe 1220 dpdvj.exe 2548 fffrlfx.exe 1792 hhbttt.exe 4784 3jjdv.exe 5012 9jjvj.exe 3932 lflffxx.exe 4564 thhbnh.exe 624 bnnbtb.exe 968 llrxxff.exe 1952 lrlfxrl.exe 4836 hhnhbt.exe 2896 ddjdd.exe 3880 pdjdp.exe 4108 llrrrll.exe -
Processes:
resource yara_rule behavioral2/memory/3264-5-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5076-13-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/216-12-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1856-18-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3048-24-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3048-32-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1060-37-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3588-41-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1468-48-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2180-53-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2636-62-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4252-66-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3932-78-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3764-80-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4216-86-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1916-95-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3700-111-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2736-118-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4476-138-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2096-147-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3496-158-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2476-182-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2844-145-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2476-187-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/4664-189-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/684-195-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1448-202-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3024-206-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4388-210-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/212-214-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/540-218-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3516-222-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4420-226-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3048-232-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4596-242-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3588-246-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3620-250-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1792-264-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4784-268-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4564-278-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4108-300-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1108-307-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3480-318-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1952-317-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/900-325-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1776-329-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/960-351-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2368-361-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/2560-374-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3404-396-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3328-415-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1076-425-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4464-435-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5012-439-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1464-443-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3880-459-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2592-479-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2588-478-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3488-489-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4084-514-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3264-530-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1328-577-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1144-722-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3056-741-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
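Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The only indicator recorded below is an open of the NLS\Language registry key, which ordinary programs may also touch, so treat this signature as weak evidence on its own.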
Processes:
fflxrfx.exejvdpd.exelxxxrrr.exedjvpj.exebttttn.exennbnhb.exejppjv.exerlrfrrr.exe9jjvj.exepvddv.exerrllfxx.exebbnhhn.exefrxrrlr.exexrxlxrf.exexrrlffx.exellrfxxl.exehtnbnb.exevddpd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhhn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9d1556116c0dfbc2e364b164b52d82c7ec2daa3613bdf1ced4c11693e5f0f398.exe3ffrxxx.exejdjvp.exerflfxff.exellfrlfx.exeddppp.exelrxrfxf.exevjpjd.exethhbnh.exefxfxxrx.exefrrlfxx.exe1nnhbt.exedjdvp.exebbtthb.exetnnttn.exelfxrlxr.exe9jjdp.exefrllfff.exedjpdv.exejddvv.exefrllfrl.exetbbthb.exedescription pid process target process PID 3264 wrote to memory of 216 3264 9d1556116c0dfbc2e364b164b52d82c7ec2daa3613bdf1ced4c11693e5f0f398.exe 3ffrxxx.exe PID 3264 wrote to memory of 216 3264 9d1556116c0dfbc2e364b164b52d82c7ec2daa3613bdf1ced4c11693e5f0f398.exe 3ffrxxx.exe PID 3264 wrote to memory of 216 3264 9d1556116c0dfbc2e364b164b52d82c7ec2daa3613bdf1ced4c11693e5f0f398.exe 3ffrxxx.exe PID 216 wrote to memory of 5076 216 3ffrxxx.exe jdjvp.exe PID 216 wrote to memory of 5076 216 3ffrxxx.exe jdjvp.exe PID 216 wrote to memory of 5076 216 3ffrxxx.exe jdjvp.exe PID 5076 wrote to memory of 1856 5076 jdjvp.exe rflfxff.exe PID 5076 wrote to memory of 1856 5076 jdjvp.exe rflfxff.exe PID 5076 wrote to memory of 1856 5076 jdjvp.exe rflfxff.exe PID 1856 wrote to memory of 3048 1856 rflfxff.exe llfrlfx.exe PID 1856 wrote to memory of 3048 1856 rflfxff.exe llfrlfx.exe PID 1856 wrote to memory of 3048 1856 rflfxff.exe llfrlfx.exe PID 3048 wrote to memory of 1060 3048 llfrlfx.exe ddppp.exe PID 3048 wrote to memory of 1060 3048 llfrlfx.exe ddppp.exe PID 3048 wrote to memory of 1060 3048 llfrlfx.exe ddppp.exe PID 1060 wrote to memory of 3588 1060 ddppp.exe lrxrfxf.exe PID 1060 wrote to memory of 3588 1060 ddppp.exe lrxrfxf.exe PID 1060 wrote to memory of 3588 1060 ddppp.exe lrxrfxf.exe PID 3588 wrote to memory of 1468 3588 lrxrfxf.exe vjpjd.exe PID 3588 wrote to memory of 1468 3588 lrxrfxf.exe vjpjd.exe PID 3588 wrote to memory of 1468 3588 lrxrfxf.exe vjpjd.exe PID 1468 wrote to memory of 2180 1468 vjpjd.exe thhbnh.exe PID 1468 wrote to memory of 2180 1468 vjpjd.exe thhbnh.exe PID 1468 wrote to memory of 2180 1468 vjpjd.exe thhbnh.exe PID 2180 wrote to memory of 2636 2180 thhbnh.exe fxfxxrx.exe PID 2180 
wrote to memory of 2636 2180 thhbnh.exe fxfxxrx.exe PID 2180 wrote to memory of 2636 2180 thhbnh.exe fxfxxrx.exe PID 2636 wrote to memory of 1648 2636 fxfxxrx.exe frrlfxx.exe PID 2636 wrote to memory of 1648 2636 fxfxxrx.exe frrlfxx.exe PID 2636 wrote to memory of 1648 2636 fxfxxrx.exe frrlfxx.exe PID 1648 wrote to memory of 4252 1648 frrlfxx.exe 1nnhbt.exe PID 1648 wrote to memory of 4252 1648 frrlfxx.exe 1nnhbt.exe PID 1648 wrote to memory of 4252 1648 frrlfxx.exe 1nnhbt.exe PID 4252 wrote to memory of 3932 4252 1nnhbt.exe djdvp.exe PID 4252 wrote to memory of 3932 4252 1nnhbt.exe djdvp.exe PID 4252 wrote to memory of 3932 4252 1nnhbt.exe djdvp.exe PID 3932 wrote to memory of 3764 3932 djdvp.exe bbtthb.exe PID 3932 wrote to memory of 3764 3932 djdvp.exe bbtthb.exe PID 3932 wrote to memory of 3764 3932 djdvp.exe bbtthb.exe PID 3764 wrote to memory of 4216 3764 bbtthb.exe tnnttn.exe PID 3764 wrote to memory of 4216 3764 bbtthb.exe tnnttn.exe PID 3764 wrote to memory of 4216 3764 bbtthb.exe tnnttn.exe PID 4216 wrote to memory of 1916 4216 tnnttn.exe lfxrlxr.exe PID 4216 wrote to memory of 1916 4216 tnnttn.exe lfxrlxr.exe PID 4216 wrote to memory of 1916 4216 tnnttn.exe lfxrlxr.exe PID 1916 wrote to memory of 3696 1916 lfxrlxr.exe 9jjdp.exe PID 1916 wrote to memory of 3696 1916 lfxrlxr.exe 9jjdp.exe PID 1916 wrote to memory of 3696 1916 lfxrlxr.exe 9jjdp.exe PID 3696 wrote to memory of 3880 3696 9jjdp.exe frllfff.exe PID 3696 wrote to memory of 3880 3696 9jjdp.exe frllfff.exe PID 3696 wrote to memory of 3880 3696 9jjdp.exe frllfff.exe PID 3880 wrote to memory of 3700 3880 frllfff.exe djpdv.exe PID 3880 wrote to memory of 3700 3880 frllfff.exe djpdv.exe PID 3880 wrote to memory of 3700 3880 frllfff.exe djpdv.exe PID 3700 wrote to memory of 1928 3700 djpdv.exe jddvv.exe PID 3700 wrote to memory of 1928 3700 djpdv.exe jddvv.exe PID 3700 wrote to memory of 1928 3700 djpdv.exe jddvv.exe PID 1928 wrote to memory of 2736 1928 jddvv.exe frllfrl.exe PID 1928 wrote to memory 
of 2736 1928 jddvv.exe frllfrl.exe PID 1928 wrote to memory of 2736 1928 jddvv.exe frllfrl.exe PID 2736 wrote to memory of 3692 2736 frllfrl.exe tbbthb.exe PID 2736 wrote to memory of 3692 2736 frllfrl.exe tbbthb.exe PID 2736 wrote to memory of 3692 2736 frllfrl.exe tbbthb.exe PID 3692 wrote to memory of 4568 3692 tbbthb.exe 1rrlllf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d1556116c0dfbc2e364b164b52d82c7ec2daa3613bdf1ced4c11693e5f0f398.exe"C:\Users\Admin\AppData\Local\Temp\9d1556116c0dfbc2e364b164b52d82c7ec2daa3613bdf1ced4c11693e5f0f398.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\3ffrxxx.exec:\3ffrxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\jdjvp.exec:\jdjvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\rflfxff.exec:\rflfxff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\llfrlfx.exec:\llfrlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\ddppp.exec:\ddppp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\lrxrfxf.exec:\lrxrfxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\vjpjd.exec:\vjpjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\thhbnh.exec:\thhbnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\fxfxxrx.exec:\fxfxxrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\frrlfxx.exec:\frrlfxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\1nnhbt.exec:\1nnhbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\djdvp.exec:\djdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\bbtthb.exec:\bbtthb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\tnnttn.exec:\tnnttn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\lfxrlxr.exec:\lfxrlxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\9jjdp.exec:\9jjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\frllfff.exec:\frllfff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\djpdv.exec:\djpdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\jddvv.exec:\jddvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\frllfrl.exec:\frllfrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\tbbthb.exec:\tbbthb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\1rrlllf.exec:\1rrlllf.exe23⤵
- Executes dropped EXE
PID:4568 -
\??\c:\rlrlrrr.exec:\rlrlrrr.exe24⤵
- Executes dropped EXE
PID:4476 -
\??\c:\1jddv.exec:\1jddv.exe25⤵
- Executes dropped EXE
PID:2096 -
\??\c:\dpppj.exec:\dpppj.exe26⤵
- Executes dropped EXE
PID:2844 -
\??\c:\5lrfxrl.exec:\5lrfxrl.exe27⤵
- Executes dropped EXE
PID:2860 -
\??\c:\hnnbnh.exec:\hnnbnh.exe28⤵
- Executes dropped EXE
PID:3496 -
\??\c:\vppjj.exec:\vppjj.exe29⤵
- Executes dropped EXE
PID:1176 -
\??\c:\5lrlrrr.exec:\5lrlrrr.exe30⤵
- Executes dropped EXE
PID:5092 -
\??\c:\rlrxrrf.exec:\rlrxrrf.exe31⤵
- Executes dropped EXE
PID:3420 -
\??\c:\3bhbtn.exec:\3bhbtn.exe32⤵
- Executes dropped EXE
PID:1636 -
\??\c:\dppdv.exec:\dppdv.exe33⤵
- Executes dropped EXE
PID:2476 -
\??\c:\frlxrfx.exec:\frlxrfx.exe34⤵
- Executes dropped EXE
PID:4664 -
\??\c:\tntnbb.exec:\tntnbb.exe35⤵
- Executes dropped EXE
PID:684 -
\??\c:\ntthtb.exec:\ntthtb.exe36⤵
- Executes dropped EXE
PID:448 -
\??\c:\dppdp.exec:\dppdp.exe37⤵
- Executes dropped EXE
PID:1448 -
\??\c:\fxxlxrf.exec:\fxxlxrf.exe38⤵
- Executes dropped EXE
PID:3024 -
\??\c:\3hnbhb.exec:\3hnbhb.exe39⤵
- Executes dropped EXE
PID:4388 -
\??\c:\3jpdj.exec:\3jpdj.exe40⤵
- Executes dropped EXE
PID:212 -
\??\c:\rxfxlfx.exec:\rxfxlfx.exe41⤵
- Executes dropped EXE
PID:540 -
\??\c:\tnhtth.exec:\tnhtth.exe42⤵
- Executes dropped EXE
PID:3516 -
\??\c:\djvpj.exec:\djvpj.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4420 -
\??\c:\3vpjv.exec:\3vpjv.exe44⤵
- Executes dropped EXE
PID:1072 -
\??\c:\fxrfrlf.exec:\fxrfrlf.exe45⤵
- Executes dropped EXE
PID:3048 -
\??\c:\ntthtn.exec:\ntthtn.exe46⤵
- Executes dropped EXE
PID:3716 -
\??\c:\pdvjv.exec:\pdvjv.exe47⤵
- Executes dropped EXE
PID:5048 -
\??\c:\1jdpd.exec:\1jdpd.exe48⤵
- Executes dropped EXE
PID:4596 -
\??\c:\fflxrfx.exec:\fflxrfx.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3588 -
\??\c:\9nnhbn.exec:\9nnhbn.exe50⤵
- Executes dropped EXE
PID:3620 -
\??\c:\pdvpj.exec:\pdvpj.exe51⤵
- Executes dropped EXE
PID:2308 -
\??\c:\dpdvj.exec:\dpdvj.exe52⤵
- Executes dropped EXE
PID:1220 -
\??\c:\fffrlfx.exec:\fffrlfx.exe53⤵
- Executes dropped EXE
PID:2548 -
\??\c:\hhbttt.exec:\hhbttt.exe54⤵
- Executes dropped EXE
PID:1792 -
\??\c:\3jjdv.exec:\3jjdv.exe55⤵
- Executes dropped EXE
PID:4784 -
\??\c:\9jjvj.exec:\9jjvj.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5012 -
\??\c:\lflffxx.exec:\lflffxx.exe57⤵
- Executes dropped EXE
PID:3932 -
\??\c:\thhbnh.exec:\thhbnh.exe58⤵
- Executes dropped EXE
PID:4564 -
\??\c:\bnnbtb.exec:\bnnbtb.exe59⤵
- Executes dropped EXE
PID:624 -
\??\c:\llrxxff.exec:\llrxxff.exe60⤵
- Executes dropped EXE
PID:968 -
\??\c:\lrlfxrl.exec:\lrlfxrl.exe61⤵
- Executes dropped EXE
PID:1952 -
\??\c:\hhnhbt.exec:\hhnhbt.exe62⤵
- Executes dropped EXE
PID:4836 -
\??\c:\ddjdd.exec:\ddjdd.exe63⤵
- Executes dropped EXE
PID:2896 -
\??\c:\pdjdp.exec:\pdjdp.exe64⤵
- Executes dropped EXE
PID:3880 -
\??\c:\llrrrll.exec:\llrrrll.exe65⤵
- Executes dropped EXE
PID:4108 -
\??\c:\tnbhbh.exec:\tnbhbh.exe66⤵PID:2796
-
\??\c:\nhntnt.exec:\nhntnt.exe67⤵PID:1108
-
\??\c:\jddvp.exec:\jddvp.exe68⤵PID:4872
-
\??\c:\frxxrll.exec:\frxxrll.exe69⤵PID:3692
-
\??\c:\xllffxr.exec:\xllffxr.exe70⤵PID:3480
-
\??\c:\hhnhnn.exec:\hhnhnn.exe71⤵PID:4320
-
\??\c:\nhhbnn.exec:\nhhbnn.exe72⤵PID:900
-
\??\c:\jpdvp.exec:\jpdvp.exe73⤵PID:1776
-
\??\c:\xffxrll.exec:\xffxrll.exe74⤵PID:1772
-
\??\c:\rfxrllf.exec:\rfxrllf.exe75⤵PID:3308
-
\??\c:\ttnnhn.exec:\ttnnhn.exe76⤵PID:3488
-
\??\c:\dvjdj.exec:\dvjdj.exe77⤵PID:4756
-
\??\c:\rlfxllx.exec:\rlfxllx.exe78⤵PID:3012
-
\??\c:\nbbttb.exec:\nbbttb.exe79⤵PID:380
-
\??\c:\dvdvv.exec:\dvdvv.exe80⤵PID:960
-
\??\c:\xllfffx.exec:\xllfffx.exe81⤵PID:3420
-
\??\c:\rlffxxr.exec:\rlffxxr.exe82⤵PID:1028
-
\??\c:\1tthtb.exec:\1tthtb.exe83⤵PID:2368
-
\??\c:\1jvvp.exec:\1jvvp.exe84⤵PID:8
-
\??\c:\1lrlxxf.exec:\1lrlxxf.exe85⤵PID:4084
-
\??\c:\5btnnn.exec:\5btnnn.exe86⤵PID:2376
-
\??\c:\7hhbbb.exec:\7hhbbb.exe87⤵PID:2560
-
\??\c:\dvdvp.exec:\dvdvp.exe88⤵PID:4352
-
\??\c:\xrrflfr.exec:\xrrflfr.exe89⤵PID:4448
-
\??\c:\fxlfxrr.exec:\fxlfxrr.exe90⤵PID:3280
-
\??\c:\bbnhbb.exec:\bbnhbb.exe91⤵PID:3452
-
\??\c:\pjvpv.exec:\pjvpv.exe92⤵PID:3844
-
\??\c:\9pdvj.exec:\9pdvj.exe93⤵PID:2756
-
\??\c:\frxrffr.exec:\frxrffr.exe94⤵PID:3404
-
\??\c:\dpvpj.exec:\dpvpj.exe95⤵PID:3032
-
\??\c:\lxfrrrl.exec:\lxfrrrl.exe96⤵PID:1624
-
\??\c:\lxlfffl.exec:\lxlfffl.exe97⤵PID:3716
-
\??\c:\tbhbbb.exec:\tbhbbb.exe98⤵PID:5048
-
\??\c:\bnhnhh.exec:\bnhnhh.exe99⤵PID:1644
-
\??\c:\pppdv.exec:\pppdv.exe100⤵PID:3328
-
\??\c:\xffxllf.exec:\xffxllf.exe101⤵PID:1468
-
\??\c:\3ffxffx.exec:\3ffxffx.exe102⤵PID:1540
-
\??\c:\htbtnn.exec:\htbtnn.exe103⤵PID:1076
-
\??\c:\bnnhbt.exec:\bnnhbt.exe104⤵PID:1648
-
\??\c:\pjvpp.exec:\pjvpp.exe105⤵PID:3940
-
\??\c:\1rxrxrx.exec:\1rxrxrx.exe106⤵PID:4464
-
\??\c:\dpppj.exec:\dpppj.exe107⤵PID:5012
-
\??\c:\vppjv.exec:\vppjv.exe108⤵PID:1464
-
\??\c:\xllxlff.exec:\xllxlff.exe109⤵PID:4264
-
\??\c:\bnhbnh.exec:\bnhbnh.exe110⤵PID:3348
-
\??\c:\1hhthb.exec:\1hhthb.exe111⤵PID:1120
-
\??\c:\jvdpv.exec:\jvdpv.exe112⤵PID:4412
-
\??\c:\jvvjv.exec:\jvvjv.exe113⤵PID:3880
-
\??\c:\9lfxlfr.exec:\9lfxlfr.exe114⤵PID:1928
-
\??\c:\xlrfrfr.exec:\xlrfrfr.exe115⤵PID:3944
-
\??\c:\1nnhhb.exec:\1nnhhb.exe116⤵PID:1616
-
\??\c:\ddvjd.exec:\ddvjd.exe117⤵PID:4856
-
\??\c:\1vpvj.exec:\1vpvj.exe118⤵PID:376
-
\??\c:\xlfxlfr.exec:\xlfxlfr.exe119⤵PID:2588
-
\??\c:\3llxlfx.exec:\3llxlfx.exe120⤵PID:2592
-
\??\c:\ttthbt.exec:\ttthbt.exe121⤵PID:2824
-
\??\c:\vjvjd.exec:\vjvjd.exe122⤵PID:3488
-
\??\c:\pjjvj.exec:\pjjvj.exe123⤵PID:4756
-
\??\c:\lrxxlfr.exec:\lrxxlfr.exe124⤵PID:1964
-
\??\c:\thbthb.exec:\thbthb.exe125⤵PID:1700
-
\??\c:\3vdvv.exec:\3vdvv.exe126⤵PID:960
-
\??\c:\9djjp.exec:\9djjp.exe127⤵PID:3420
-
\??\c:\rxfrfxl.exec:\rxfrfxl.exe128⤵PID:4516
-
\??\c:\xrfrfxr.exec:\xrfrfxr.exe129⤵PID:3312
-
\??\c:\3bthtn.exec:\3bthtn.exe130⤵PID:2432
-
\??\c:\vvjdv.exec:\vvjdv.exe131⤵PID:4084
-
\??\c:\jvvpd.exec:\jvvpd.exe132⤵PID:4488
-
\??\c:\frfxrfr.exec:\frfxrfr.exe133⤵PID:3116
-
\??\c:\bnthth.exec:\bnthth.exe134⤵PID:316
-
\??\c:\dpvpd.exec:\dpvpd.exe135⤵PID:3264
-
\??\c:\5lffxxr.exec:\5lffxxr.exe136⤵PID:3540
-
\??\c:\htthnt.exec:\htthnt.exe137⤵PID:3100
-
\??\c:\jjpdp.exec:\jjpdp.exe138⤵PID:4200
-
\??\c:\7fxlxrf.exec:\7fxlxrf.exe139⤵PID:404
-
\??\c:\xrlflrl.exec:\xrlflrl.exe140⤵PID:1060
-
\??\c:\3hhthh.exec:\3hhthh.exe141⤵PID:4604
-
\??\c:\btthtn.exec:\btthtn.exe142⤵PID:2328
-
\??\c:\jppjv.exec:\jppjv.exe143⤵PID:1708
-
\??\c:\xffrlfx.exec:\xffrlfx.exe144⤵PID:1860
-
\??\c:\5lrffrr.exec:\5lrffrr.exe145⤵PID:764
-
\??\c:\hnhthb.exec:\hnhthb.exe146⤵PID:3620
-
\??\c:\jvdpd.exec:\jvdpd.exe147⤵PID:1468
-
\??\c:\lflfxxf.exec:\lflfxxf.exe148⤵PID:1220
-
\??\c:\xlrfrfx.exec:\xlrfrfx.exe149⤵PID:2548
-
\??\c:\thhbtt.exec:\thhbtt.exe150⤵PID:1328
-
\??\c:\ddjvj.exec:\ddjvj.exe151⤵PID:2388
-
\??\c:\jppdp.exec:\jppdp.exe152⤵PID:800
-
\??\c:\frllrlx.exec:\frllrlx.exe153⤵PID:5012
-
\??\c:\hhnthh.exec:\hhnthh.exe154⤵PID:3064
-
\??\c:\bhhtnh.exec:\bhhtnh.exe155⤵PID:968
-
\??\c:\dpppp.exec:\dpppp.exe156⤵PID:2884
-
\??\c:\xffrfxl.exec:\xffrfxl.exe157⤵PID:5064
-
\??\c:\rflfxrr.exec:\rflfxrr.exe158⤵PID:3688
-
\??\c:\tbhbbh.exec:\tbhbbh.exe159⤵PID:724
-
\??\c:\vpjdv.exec:\vpjdv.exe160⤵PID:4260
-
\??\c:\rffxrlf.exec:\rffxrlf.exe161⤵PID:2988
-
\??\c:\rxfrlfr.exec:\rxfrlfr.exe162⤵PID:668
-
\??\c:\bnhbth.exec:\bnhbth.exe163⤵PID:2908
-
\??\c:\tbthbt.exec:\tbthbt.exe164⤵PID:904
-
\??\c:\dddpv.exec:\dddpv.exe165⤵PID:2844
-
\??\c:\xflfrrf.exec:\xflfrrf.exe166⤵PID:1392
-
\??\c:\bttnhb.exec:\bttnhb.exe167⤵PID:3496
-
\??\c:\jjpjd.exec:\jjpjd.exe168⤵PID:4452
-
\??\c:\vddvj.exec:\vddvj.exe169⤵PID:5092
-
\??\c:\lxxlxfr.exec:\lxxlxfr.exe170⤵PID:4756
-
\??\c:\tbhhhb.exec:\tbhhhb.exe171⤵PID:1964
-
\??\c:\nhtntt.exec:\nhtntt.exe172⤵PID:1700
-
\??\c:\jdvpj.exec:\jdvpj.exe173⤵PID:960
-
\??\c:\3jjdv.exec:\3jjdv.exe174⤵PID:3420
-
\??\c:\lxrfrlf.exec:\lxrfrlf.exe175⤵PID:4516
-
\??\c:\nnbnhb.exec:\nnbnhb.exe176⤵ System Location Discovery: System Language Discovery PID:3312
-
\??\c:\tbthbt.exec:\tbthbt.exe177⤵PID:4884
-
\??\c:\jdvjd.exec:\jdvjd.exe178⤵PID:4084
-
\??\c:\lrrfrlx.exec:\lrrfrlx.exe179⤵PID:4488
-
\??\c:\rffxxrf.exec:\rffxxrf.exe180⤵PID:4352
-
\??\c:\tntnbt.exec:\tntnbt.exe181⤵PID:4448
-
\??\c:\hhnbbt.exec:\hhnbbt.exe182⤵PID:3280
-
\??\c:\3vddv.exec:\3vddv.exe183⤵PID:3452
-
\??\c:\xlrllfl.exec:\xlrllfl.exe184⤵PID:3028
-
\??\c:\thhtbt.exec:\thhtbt.exe185⤵PID:4888
-
\??\c:\vvddd.exec:\vvddd.exe186⤵PID:3048
-
\??\c:\jpvpj.exec:\jpvpj.exe187⤵PID:1060
-
\??\c:\frxlxxr.exec:\frxlxxr.exe188⤵PID:1400
-
\??\c:\bnnnnn.exec:\bnnnnn.exe189⤵PID:1892
-
\??\c:\1hhbhh.exec:\1hhbhh.exe190⤵PID:4596
-
\??\c:\jvvpj.exec:\jvvpj.exe191⤵PID:4752
-
\??\c:\lffxrlr.exec:\lffxrlr.exe192⤵PID:1196
-
\??\c:\rffxllx.exec:\rffxllx.exe193⤵PID:3976
-
\??\c:\7hbthh.exec:\7hbthh.exe194⤵PID:844
-
\??\c:\jvjvj.exec:\jvjvj.exe195⤵PID:3300
-
\??\c:\xllfxxl.exec:\xllfxxl.exe196⤵PID:5108
-
\??\c:\hhtnnn.exec:\hhtnnn.exe197⤵PID:3628
-
\??\c:\vvjdd.exec:\vvjdd.exe198⤵PID:1144
-
\??\c:\pjjvp.exec:\pjjvp.exe199⤵PID:228
-
\??\c:\xxxlrrr.exec:\xxxlrrr.exe200⤵PID:1464
-
\??\c:\bnnbnh.exec:\bnnbnh.exe201⤵PID:3660
-
\??\c:\tbhtht.exec:\tbhtht.exe202⤵PID:4760
-
\??\c:\3vpdp.exec:\3vpdp.exe203⤵PID:2440
-
\??\c:\9llfxxx.exec:\9llfxxx.exe204⤵PID:3056
-
\??\c:\3fxfxrf.exec:\3fxfxrf.exe205⤵PID:4744
-
\??\c:\bnbtnh.exec:\bnbtnh.exe206⤵PID:1412
-
\??\c:\3jdpj.exec:\3jdpj.exe207⤵PID:1520
-
\??\c:\3flflff.exec:\3flflff.exe208⤵PID:3512
-
\??\c:\3hnhbb.exec:\3hnhbb.exe209⤵PID:2908
-
\??\c:\nhbbtt.exec:\nhbbtt.exe210⤵PID:1820
-
\??\c:\vjjdv.exec:\vjjdv.exe211⤵PID:2844
-
\??\c:\jvvjv.exec:\jvvjv.exe212⤵PID:1392
-
\??\c:\1ffxxxf.exec:\1ffxxxf.exe213⤵PID:3496
-
\??\c:\ntbbtt.exec:\ntbbtt.exe214⤵PID:1172
-
\??\c:\5vpdp.exec:\5vpdp.exe215⤵PID:5092
-
\??\c:\dpvpd.exec:\dpvpd.exe216⤵PID:1972
-
\??\c:\9ffxlfx.exec:\9ffxlfx.exe217⤵PID:3988
-
\??\c:\lffrfxr.exec:\lffrfxr.exe218⤵PID:1700
-
\??\c:\hbbthb.exec:\hbbthb.exe219⤵PID:960
-
\??\c:\3vpdv.exec:\3vpdv.exe220⤵PID:4560
-
\??\c:\vpjvp.exec:\vpjvp.exe221⤵PID:4932
-
\??\c:\9xfrlfl.exec:\9xfrlfl.exe222⤵PID:4044
-
\??\c:\rlrlfxr.exec:\rlrlfxr.exe223⤵PID:2560
-
\??\c:\nbhbnh.exec:\nbhbnh.exe224⤵PID:3448
-
\??\c:\pvdvp.exec:\pvdvp.exe225⤵PID:4488
-
\??\c:\dppjv.exec:\dppjv.exe226⤵PID:4820
-
\??\c:\rfrrxxl.exec:\rfrrxxl.exe227⤵PID:4848
-
\??\c:\ntnhbb.exec:\ntnhbb.exe228⤵PID:3280
-
\??\c:\btbtbt.exec:\btbtbt.exe229⤵PID:1044
-
\??\c:\ppjvp.exec:\ppjvp.exe230⤵PID:3028
-
\??\c:\7llffff.exec:\7llffff.exe231⤵PID:4888
-
\??\c:\3nhbnh.exec:\3nhbnh.exe232⤵PID:3048
-
\??\c:\tnthbt.exec:\tnthbt.exe233⤵PID:1060
-
\??\c:\3jvjj.exec:\3jvjj.exe234⤵PID:1400
-
\??\c:\rlfxlfl.exec:\rlfxlfl.exe235⤵PID:2752
-
\??\c:\fflxrrf.exec:\fflxrrf.exe236⤵PID:4284
-
\??\c:\nbbbnn.exec:\nbbbnn.exe237⤵PID:1644
-
\??\c:\pvddv.exec:\pvddv.exe238⤵ System Location Discovery: System Language Discovery PID:3620
-
\??\c:\vppdd.exec:\vppdd.exe239⤵PID:2052
-
\??\c:\rrllfxx.exec:\rrllfxx.exe240⤵ System Location Discovery: System Language Discovery PID:2028
-
\??\c:\bnnhbh.exec:\bnnhbh.exe241⤵PID:5112
-
\??\c:\jdjjp.exec:\jdjjp.exe242⤵PID:844