Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
10-11-2024 01:12
Static task
static1
Behavioral task
behavioral1
Sample
237084a5edecf8ea2b8bf28db9dc942ba2a225d7a8edbf7e8f4937e0266d8654N.exe
Resource
win7-20240708-en
General
-
Target
237084a5edecf8ea2b8bf28db9dc942ba2a225d7a8edbf7e8f4937e0266d8654N.exe
-
Size
346KB
-
MD5
f99b6c1de8990c09e14a539ba5fc66b0
-
SHA1
d0fddf645ababa22fd2dabf61ab919b10295fe10
-
SHA256
237084a5edecf8ea2b8bf28db9dc942ba2a225d7a8edbf7e8f4937e0266d8654
-
SHA512
28db60e9abf811542c61b72e6e50895be69b3b6e1a6ca71ed7c4c1032a75e2f8c506ad9891cd9c5f9c8bb948a4bd370de5652ca566a1b0e4b93ab3097068af58
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAw:l7TcbWXZshJX2VGdw
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
Processes:
resource yara_rule behavioral2/memory/5112-5-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3264-13-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2196-12-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1236-23-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1484-29-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3652-34-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3728-40-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2296-46-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2400-53-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2952-58-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3800-74-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5052-72-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4076-67-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/100-79-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2520-85-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3896-92-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4968-96-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2416-110-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4796-130-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1540-131-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1356-137-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/4544-142-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4776-153-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4888-169-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3356-174-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4648-183-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2900-188-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1544-193-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3932-206-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4528-210-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3528-215-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3552-218-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1928-229-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/400-233-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4728-237-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/216-244-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/100-254-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4912-264-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4592-283-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4964-287-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/412-291-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1572-296-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3400-299-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4408-312-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3724-319-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3780-338-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3248-349-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1544-353-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1384-360-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3552-376-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3692-395-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3824-411-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4752-424-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5048-473-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1496-477-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4124-481-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3592-498-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4552-553-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4052-608-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2292-633-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3480-709-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3896-743-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3676-921-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
3hbhth.exe lllffrl.exe btbbbb.exe 7ttntb.exe 1htnnn.exe lrrrlll.exe pjvdj.exe btbhhh.exe 5dppj.exe tbtttt.exe thhbnh.exe 3pdpd.exe fxfxfrr.exe xlfrllf.exe 1bbthh.exe btbntn.exe xxxxrrf.exe fxxrxfx.exe hbhbbb.exe 7dvdv.exe vvvvp.exe rflrrll.exe 1bhbtt.exe 9hbtnn.exe vpddv.exe nhbbtt.exe 5pddj.exe 5rlfxxr.exe bnhhhh.exe dpjvp.exe fxlfrrx.exe xlrlffx.exe hhnhbb.exe 5ntnhb.exe vdvvp.exe ffxxlrx.exe nnbbtt.exe tbntnn.exe jjvvv.exe xffxrlf.exe 3nhbtb.exe pdjvp.exe vpjjd.exe 9hnhbh.exe bnbhtt.exe ddjjd.exe ffllrrx.exe btttnn.exe nhntnn.exe 1vvdd.exe flllrrx.exe nntnnn.exe vjppp.exe 5djdp.exe 1frlffx.exe 3hnnhn.exe hnnnhn.exe jjpjp.exe lfxxrrr.exe rflffll.exe bhbbtt.exe pvjvv.exe vvdjp.exe fxrrfff.exe
pid process
2196 3hbhth.exe
3264 lllffrl.exe
1236 btbbbb.exe
1484 7ttntb.exe
3652 1htnnn.exe
3728 lrrrlll.exe
2296 pjvdj.exe
2400 btbhhh.exe
2952 5dppj.exe
4076 tbtttt.exe
5052 thhbnh.exe
3800 3pdpd.exe
100 fxfxfrr.exe
2520 xlfrllf.exe
3896 1bbthh.exe
4968 btbntn.exe
2416 xxxxrrf.exe
1692 fxxrxfx.exe
1324 hbhbbb.exe
860 7dvdv.exe
4796 vvvvp.exe
1540 rflrrll.exe
1356 1bhbtt.exe
4544 9hbtnn.exe
4776 vpddv.exe
772 nhbbtt.exe
1028 5pddj.exe
4888 5rlfxxr.exe
3356 bnhhhh.exe
4648 dpjvp.exe
2900 fxlfrrx.exe
1544 xlrlffx.exe
380 hhnhbb.exe
1384 5ntnhb.exe
4944 vdvvp.exe
3932 ffxxlrx.exe
4528 nnbbtt.exe
3528 tbntnn.exe
3552 jjvvv.exe
1236 xffxrlf.exe
4216 3nhbtb.exe
1928 pdjvp.exe
400 vpjjd.exe
4728 9hnhbh.exe
3004 bnbhtt.exe
216 ddjjd.exe
4496 ffllrrx.exe
1984 btttnn.exe
100 nhntnn.exe
468 1vvdd.exe
4512 flllrrx.exe
4912 nntnnn.exe
3112 vjppp.exe
4876 5djdp.exe
4336 1frlffx.exe
5032 3hnnhn.exe
1692 hnnnhn.exe
4592 jjpjp.exe
4964 lfxxrrr.exe
412 rflffll.exe
1572 bhbbtt.exe
3400 pvjvv.exe
396 vvdjp.exe
1756 fxrrfff.exe
-
Processes:
resource yara_rule behavioral2/memory/5112-5-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3264-13-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2196-12-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1236-23-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1484-29-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3652-34-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3728-40-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2296-46-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2400-53-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2952-58-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5052-64-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3800-74-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5052-72-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4076-67-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/100-79-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2520-85-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3896-92-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4968-96-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2416-110-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4796-130-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1540-131-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1356-137-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4544-142-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4776-147-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/4776-153-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4888-169-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3356-174-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4648-183-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2900-181-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2900-188-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1544-193-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3932-206-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4528-210-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3552-213-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3528-215-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3552-218-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1928-229-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/400-227-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/400-233-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4728-237-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/216-244-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/100-254-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4912-264-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4592-283-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4964-287-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/412-291-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1572-296-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3400-299-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/4408-312-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3724-319-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3780-338-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3248-349-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1544-353-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1384-360-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3552-376-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3692-395-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3824-411-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4752-424-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5048-473-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1496-477-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4124-481-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3592-498-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4552-553-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4052-608-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
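Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The indicators listed below are opens of the \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language registry key by the listed processes; on its own this does not establish intent and should be read together with the other signatures in this report.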
Processes:
vvdvv.exenhnhbt.exe7llfxfx.exejjjdv.exevjpjp.exejpdvd.exenttnbh.exebnbthn.exethbthh.exeppjvp.exe7bbtnn.exe1vjdd.exerrrlffx.exe7jjjd.exe9hhhbb.exerrllxxr.exe3hbhth.exetttnnb.exehttntn.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
237084a5edecf8ea2b8bf28db9dc942ba2a225d7a8edbf7e8f4937e0266d8654N.exe3hbhth.exelllffrl.exebtbbbb.exe7ttntb.exe1htnnn.exelrrrlll.exepjvdj.exebtbhhh.exe5dppj.exetbtttt.exethhbnh.exe3pdpd.exefxfxfrr.exexlfrllf.exe1bbthh.exebtbntn.exexxxxrrf.exefxxrxfx.exehbhbbb.exe7dvdv.exevvvvp.exedescription pid process target process PID 5112 wrote to memory of 2196 5112 237084a5edecf8ea2b8bf28db9dc942ba2a225d7a8edbf7e8f4937e0266d8654N.exe 3hbhth.exe PID 5112 wrote to memory of 2196 5112 237084a5edecf8ea2b8bf28db9dc942ba2a225d7a8edbf7e8f4937e0266d8654N.exe 3hbhth.exe PID 5112 wrote to memory of 2196 5112 237084a5edecf8ea2b8bf28db9dc942ba2a225d7a8edbf7e8f4937e0266d8654N.exe 3hbhth.exe PID 2196 wrote to memory of 3264 2196 3hbhth.exe lllffrl.exe PID 2196 wrote to memory of 3264 2196 3hbhth.exe lllffrl.exe PID 2196 wrote to memory of 3264 2196 3hbhth.exe lllffrl.exe PID 3264 wrote to memory of 1236 3264 lllffrl.exe btbbbb.exe PID 3264 wrote to memory of 1236 3264 lllffrl.exe btbbbb.exe PID 3264 wrote to memory of 1236 3264 lllffrl.exe btbbbb.exe PID 1236 wrote to memory of 1484 1236 btbbbb.exe 7ttntb.exe PID 1236 wrote to memory of 1484 1236 btbbbb.exe 7ttntb.exe PID 1236 wrote to memory of 1484 1236 btbbbb.exe 7ttntb.exe PID 1484 wrote to memory of 3652 1484 7ttntb.exe 1htnnn.exe PID 1484 wrote to memory of 3652 1484 7ttntb.exe 1htnnn.exe PID 1484 wrote to memory of 3652 1484 7ttntb.exe 1htnnn.exe PID 3652 wrote to memory of 3728 3652 1htnnn.exe lrrrlll.exe PID 3652 wrote to memory of 3728 3652 1htnnn.exe lrrrlll.exe PID 3652 wrote to memory of 3728 3652 1htnnn.exe lrrrlll.exe PID 3728 wrote to memory of 2296 3728 lrrrlll.exe pjvdj.exe PID 3728 wrote to memory of 2296 3728 lrrrlll.exe pjvdj.exe PID 3728 wrote to memory of 2296 3728 lrrrlll.exe pjvdj.exe PID 2296 wrote to memory of 2400 2296 pjvdj.exe btbhhh.exe PID 2296 wrote to memory of 2400 2296 pjvdj.exe btbhhh.exe PID 2296 wrote to memory of 2400 2296 pjvdj.exe btbhhh.exe PID 2400 wrote to memory of 2952 2400 btbhhh.exe 
5dppj.exe PID 2400 wrote to memory of 2952 2400 btbhhh.exe 5dppj.exe PID 2400 wrote to memory of 2952 2400 btbhhh.exe 5dppj.exe PID 2952 wrote to memory of 4076 2952 5dppj.exe tbtttt.exe PID 2952 wrote to memory of 4076 2952 5dppj.exe tbtttt.exe PID 2952 wrote to memory of 4076 2952 5dppj.exe tbtttt.exe PID 4076 wrote to memory of 5052 4076 tbtttt.exe thhbnh.exe PID 4076 wrote to memory of 5052 4076 tbtttt.exe thhbnh.exe PID 4076 wrote to memory of 5052 4076 tbtttt.exe thhbnh.exe PID 5052 wrote to memory of 3800 5052 thhbnh.exe 3pdpd.exe PID 5052 wrote to memory of 3800 5052 thhbnh.exe 3pdpd.exe PID 5052 wrote to memory of 3800 5052 thhbnh.exe 3pdpd.exe PID 3800 wrote to memory of 100 3800 3pdpd.exe fxfxfrr.exe PID 3800 wrote to memory of 100 3800 3pdpd.exe fxfxfrr.exe PID 3800 wrote to memory of 100 3800 3pdpd.exe fxfxfrr.exe PID 100 wrote to memory of 2520 100 fxfxfrr.exe xlfrllf.exe PID 100 wrote to memory of 2520 100 fxfxfrr.exe xlfrllf.exe PID 100 wrote to memory of 2520 100 fxfxfrr.exe xlfrllf.exe PID 2520 wrote to memory of 3896 2520 xlfrllf.exe 1bbthh.exe PID 2520 wrote to memory of 3896 2520 xlfrllf.exe 1bbthh.exe PID 2520 wrote to memory of 3896 2520 xlfrllf.exe 1bbthh.exe PID 3896 wrote to memory of 4968 3896 1bbthh.exe btbntn.exe PID 3896 wrote to memory of 4968 3896 1bbthh.exe btbntn.exe PID 3896 wrote to memory of 4968 3896 1bbthh.exe btbntn.exe PID 4968 wrote to memory of 2416 4968 btbntn.exe xxxxrrf.exe PID 4968 wrote to memory of 2416 4968 btbntn.exe xxxxrrf.exe PID 4968 wrote to memory of 2416 4968 btbntn.exe xxxxrrf.exe PID 2416 wrote to memory of 1692 2416 xxxxrrf.exe fxxrxfx.exe PID 2416 wrote to memory of 1692 2416 xxxxrrf.exe fxxrxfx.exe PID 2416 wrote to memory of 1692 2416 xxxxrrf.exe fxxrxfx.exe PID 1692 wrote to memory of 1324 1692 fxxrxfx.exe hbhbbb.exe PID 1692 wrote to memory of 1324 1692 fxxrxfx.exe hbhbbb.exe PID 1692 wrote to memory of 1324 1692 fxxrxfx.exe hbhbbb.exe PID 1324 wrote to memory of 860 1324 hbhbbb.exe 7dvdv.exe PID 
1324 wrote to memory of 860 1324 hbhbbb.exe 7dvdv.exe PID 1324 wrote to memory of 860 1324 hbhbbb.exe 7dvdv.exe PID 860 wrote to memory of 4796 860 7dvdv.exe vvvvp.exe PID 860 wrote to memory of 4796 860 7dvdv.exe vvvvp.exe PID 860 wrote to memory of 4796 860 7dvdv.exe vvvvp.exe PID 4796 wrote to memory of 1540 4796 vvvvp.exe rflrrll.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\237084a5edecf8ea2b8bf28db9dc942ba2a225d7a8edbf7e8f4937e0266d8654N.exe"C:\Users\Admin\AppData\Local\Temp\237084a5edecf8ea2b8bf28db9dc942ba2a225d7a8edbf7e8f4937e0266d8654N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\3hbhth.exec:\3hbhth.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\lllffrl.exec:\lllffrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\btbbbb.exec:\btbbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\7ttntb.exec:\7ttntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\1htnnn.exec:\1htnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\lrrrlll.exec:\lrrrlll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\pjvdj.exec:\pjvdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\btbhhh.exec:\btbhhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\5dppj.exec:\5dppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\tbtttt.exec:\tbtttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\thhbnh.exec:\thhbnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\3pdpd.exec:\3pdpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
\??\c:\fxfxfrr.exec:\fxfxfrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\xlfrllf.exec:\xlfrllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\1bbthh.exec:\1bbthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\btbntn.exec:\btbntn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\xxxxrrf.exec:\xxxxrrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\fxxrxfx.exec:\fxxrxfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\hbhbbb.exec:\hbhbbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\7dvdv.exec:\7dvdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\vvvvp.exec:\vvvvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\rflrrll.exec:\rflrrll.exe23⤵
- Executes dropped EXE
PID:1540 -
\??\c:\1bhbtt.exec:\1bhbtt.exe24⤵
- Executes dropped EXE
PID:1356 -
\??\c:\9hbtnn.exec:\9hbtnn.exe25⤵
- Executes dropped EXE
PID:4544 -
\??\c:\vpddv.exec:\vpddv.exe26⤵
- Executes dropped EXE
PID:4776 -
\??\c:\nhbbtt.exec:\nhbbtt.exe27⤵
- Executes dropped EXE
PID:772 -
\??\c:\5pddj.exec:\5pddj.exe28⤵
- Executes dropped EXE
PID:1028 -
\??\c:\5rlfxxr.exec:\5rlfxxr.exe29⤵
- Executes dropped EXE
PID:4888 -
\??\c:\bnhhhh.exec:\bnhhhh.exe30⤵
- Executes dropped EXE
PID:3356 -
\??\c:\dpjvp.exec:\dpjvp.exe31⤵
- Executes dropped EXE
PID:4648 -
\??\c:\fxlfrrx.exec:\fxlfrrx.exe32⤵
- Executes dropped EXE
PID:2900 -
\??\c:\xlrlffx.exec:\xlrlffx.exe33⤵
- Executes dropped EXE
PID:1544 -
\??\c:\hhnhbb.exec:\hhnhbb.exe34⤵
- Executes dropped EXE
PID:380 -
\??\c:\5ntnhb.exec:\5ntnhb.exe35⤵
- Executes dropped EXE
PID:1384 -
\??\c:\vdvvp.exec:\vdvvp.exe36⤵
- Executes dropped EXE
PID:4944 -
\??\c:\ffxxlrx.exec:\ffxxlrx.exe37⤵
- Executes dropped EXE
PID:3932 -
\??\c:\nnbbtt.exec:\nnbbtt.exe38⤵
- Executes dropped EXE
PID:4528 -
\??\c:\tbntnn.exec:\tbntnn.exe39⤵
- Executes dropped EXE
PID:3528 -
\??\c:\jjvvv.exec:\jjvvv.exe40⤵
- Executes dropped EXE
PID:3552 -
\??\c:\xffxrlf.exec:\xffxrlf.exe41⤵
- Executes dropped EXE
PID:1236 -
\??\c:\3nhbtb.exec:\3nhbtb.exe42⤵
- Executes dropped EXE
PID:4216 -
\??\c:\pdjvp.exec:\pdjvp.exe43⤵
- Executes dropped EXE
PID:1928 -
\??\c:\vpjjd.exec:\vpjjd.exe44⤵
- Executes dropped EXE
PID:400 -
\??\c:\9hnhbh.exec:\9hnhbh.exe45⤵
- Executes dropped EXE
PID:4728 -
\??\c:\bnbhtt.exec:\bnbhtt.exe46⤵
- Executes dropped EXE
PID:3004 -
\??\c:\ddjjd.exec:\ddjjd.exe47⤵
- Executes dropped EXE
PID:216 -
\??\c:\ffllrrx.exec:\ffllrrx.exe48⤵
- Executes dropped EXE
PID:4496 -
\??\c:\btttnn.exec:\btttnn.exe49⤵
- Executes dropped EXE
PID:1984 -
\??\c:\nhntnn.exec:\nhntnn.exe50⤵
- Executes dropped EXE
PID:100 -
\??\c:\1vvdd.exec:\1vvdd.exe51⤵
- Executes dropped EXE
PID:468 -
\??\c:\flllrrx.exec:\flllrrx.exe52⤵
- Executes dropped EXE
PID:4512 -
\??\c:\nntnnn.exec:\nntnnn.exe53⤵
- Executes dropped EXE
PID:4912 -
\??\c:\vjppp.exec:\vjppp.exe54⤵
- Executes dropped EXE
PID:3112 -
\??\c:\5djdp.exec:\5djdp.exe55⤵
- Executes dropped EXE
PID:4876 -
\??\c:\1frlffx.exec:\1frlffx.exe56⤵
- Executes dropped EXE
PID:4336 -
\??\c:\3hnnhn.exec:\3hnnhn.exe57⤵
- Executes dropped EXE
PID:5032 -
\??\c:\hnnnhn.exec:\hnnnhn.exe58⤵
- Executes dropped EXE
PID:1692 -
\??\c:\jjpjp.exec:\jjpjp.exe59⤵
- Executes dropped EXE
PID:4592 -
\??\c:\lfxxrrr.exec:\lfxxrrr.exe60⤵
- Executes dropped EXE
PID:4964 -
\??\c:\rflffll.exec:\rflffll.exe61⤵
- Executes dropped EXE
PID:412 -
\??\c:\bhbbtt.exec:\bhbbtt.exe62⤵
- Executes dropped EXE
PID:1572 -
\??\c:\pvjvv.exec:\pvjvv.exe63⤵
- Executes dropped EXE
PID:3400 -
\??\c:\vvdjp.exec:\vvdjp.exe64⤵
- Executes dropped EXE
PID:396 -
\??\c:\fxrrfff.exec:\fxrrfff.exe65⤵
- Executes dropped EXE
PID:1756 -
\??\c:\bttbnh.exec:\bttbnh.exe66⤵PID:432
-
\??\c:\ttbbtb.exec:\ttbbtb.exe67⤵PID:4408
-
\??\c:\1dvpj.exec:\1dvpj.exe68⤵PID:3420
-
\??\c:\3lxxxfl.exec:\3lxxxfl.exe69⤵PID:3724
-
\??\c:\lfllffx.exec:\lfllffx.exe70⤵PID:1232
-
\??\c:\5nnnnn.exec:\5nnnnn.exe71⤵PID:1760
-
\??\c:\bhnnht.exec:\bhnnht.exe72⤵PID:4080
-
\??\c:\jjpjj.exec:\jjpjj.exe73⤵PID:4784
-
\??\c:\7dppv.exec:\7dppv.exe74⤵PID:4692
-
\??\c:\fxxrllf.exec:\fxxrllf.exe75⤵PID:3780
-
\??\c:\nnnhtt.exec:\nnnhtt.exe76⤵PID:720
-
\??\c:\3bhhnn.exec:\3bhhnn.exe77⤵PID:1524
-
\??\c:\ddjdv.exec:\ddjdv.exe78⤵PID:3248
-
\??\c:\ddjjv.exec:\ddjjv.exe79⤵PID:1544
-
\??\c:\xffxxxr.exec:\xffxxxr.exe80⤵PID:4288
-
\??\c:\3rrlllf.exec:\3rrlllf.exe81⤵PID:1384
-
\??\c:\jvjvv.exec:\jvjvv.exe82⤵PID:4944
-
\??\c:\xfffxxr.exec:\xfffxxr.exe83⤵PID:1388
-
\??\c:\ttbtnn.exec:\ttbtnn.exe84⤵PID:1168
-
\??\c:\fffxrrr.exec:\fffxrrr.exe85⤵PID:3988
-
\??\c:\rrllfff.exec:\rrllfff.exe86⤵PID:3552
-
\??\c:\bbtnhh.exec:\bbtnhh.exe87⤵PID:3224
-
\??\c:\bbtthb.exec:\bbtthb.exe88⤵PID:388
-
\??\c:\vvjdv.exec:\vvjdv.exe89⤵PID:1708
-
\??\c:\dddvv.exec:\dddvv.exe90⤵PID:400
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe91⤵PID:3080
-
\??\c:\7nhbtt.exec:\7nhbtt.exe92⤵PID:3692
-
\??\c:\nnhbbb.exec:\nnhbbb.exe93⤵PID:3388
-
\??\c:\pddjp.exec:\pddjp.exe94⤵PID:3960
-
\??\c:\xfxlffx.exec:\xfxlffx.exe95⤵PID:696
-
\??\c:\flllrxf.exec:\flllrxf.exe96⤵PID:4712
-
\??\c:\bbhhbb.exec:\bbhhbb.exe97⤵PID:3824
-
\??\c:\ppddv.exec:\ppddv.exe98⤵PID:1552
-
\??\c:\vvpjj.exec:\vvpjj.exe99⤵PID:1828
-
\??\c:\5xrrrrl.exec:\5xrrrrl.exe100⤵PID:468
-
\??\c:\vvpjp.exec:\vvpjp.exe101⤵PID:4752
-
\??\c:\hbttbh.exec:\hbttbh.exe102⤵PID:2280
-
\??\c:\vdddd.exec:\vdddd.exe103⤵PID:4968
-
\??\c:\xxxrllr.exec:\xxxrllr.exe104⤵PID:1240
-
\??\c:\xxxrfff.exec:\xxxrfff.exe105⤵PID:2884
-
\??\c:\tbbhbb.exec:\tbbhbb.exe106⤵PID:4084
-
\??\c:\9jpjd.exec:\9jpjd.exe107⤵PID:2104
-
\??\c:\rfxxrrx.exec:\rfxxrrx.exe108⤵PID:4704
-
\??\c:\hbntbb.exec:\hbntbb.exe109⤵PID:2756
-
\??\c:\3jjdv.exec:\3jjdv.exe110⤵PID:2680
-
\??\c:\rllllll.exec:\rllllll.exe111⤵PID:3524
-
\??\c:\hnnnhh.exec:\hnnnhh.exe112⤵PID:1072
-
\??\c:\hbbbhn.exec:\hbbbhn.exe113⤵PID:3464
-
\??\c:\pppjd.exec:\pppjd.exe114⤵PID:396
-
\??\c:\lrrlfff.exec:\lrrlfff.exe115⤵PID:2168
-
\??\c:\rrffxfr.exec:\rrffxfr.exe116⤵PID:516
-
\??\c:\nbbbbb.exec:\nbbbbb.exe117⤵PID:5048
-
\??\c:\5vvpj.exec:\5vvpj.exe118⤵PID:1496
-
\??\c:\rxxrllx.exec:\rxxrllx.exe119⤵PID:4124
-
\??\c:\bbbtbb.exec:\bbbtbb.exe120⤵PID:408
-
\??\c:\5hhbtb.exec:\5hhbtb.exe121⤵PID:4988
-
\??\c:\pvdjd.exec:\pvdjd.exe122⤵PID:3608
-
\??\c:\vdddj.exec:\vdddj.exe123⤵PID:4784
-
\??\c:\lrffxxr.exec:\lrffxxr.exe124⤵PID:4692
-
\??\c:\bnthth.exec:\bnthth.exe125⤵PID:3592
-
\??\c:\pdjdd.exec:\pdjdd.exe126⤵PID:1628
-
\??\c:\djppj.exec:\djppj.exe127⤵PID:2720
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe128⤵PID:5080
-
\??\c:\tbthhh.exec:\tbthhh.exe129⤵PID:5104
-
\??\c:\nnnbtt.exec:\nnnbtt.exe130⤵PID:4220
-
\??\c:\vdvpj.exec:\vdvpj.exe131⤵PID:4808
-
\??\c:\lfllflx.exec:\lfllflx.exe132⤵PID:1988
-
\??\c:\rxllfll.exec:\rxllfll.exe133⤵PID:3804
-
\??\c:\tbthbb.exec:\tbthbb.exe134⤵PID:1452
-
\??\c:\bttnnn.exec:\bttnnn.exe135⤵PID:3648
-
\??\c:\djppv.exec:\djppv.exe136⤵PID:1996
-
\??\c:\xxrfxrl.exec:\xxrfxrl.exe137⤵PID:3552
-
\??\c:\flrlrrl.exec:\flrlrrl.exe138⤵PID:3668
-
\??\c:\tbnhhh.exec:\tbnhhh.exe139⤵PID:2180
-
\??\c:\ppdjd.exec:\ppdjd.exe140⤵PID:64
-
\??\c:\jjpjd.exec:\jjpjd.exe141⤵PID:3728
-
\??\c:\xxxrllf.exec:\xxxrllf.exe142⤵PID:1100
-
\??\c:\hntttt.exec:\hntttt.exe143⤵PID:4552
-
\??\c:\nntttn.exec:\nntttn.exe144⤵PID:3732
-
\??\c:\vvddd.exec:\vvddd.exe145⤵PID:4524
-
\??\c:\3llfrrl.exec:\3llfrrl.exe146⤵PID:696
-
\??\c:\xxfxrrr.exec:\xxfxrrr.exe147⤵PID:2964
-
\??\c:\bntbnt.exec:\bntbnt.exe148⤵PID:3824
-
\??\c:\pjdvj.exec:\pjdvj.exe149⤵PID:1408
-
\??\c:\9dvjd.exec:\9dvjd.exe150⤵PID:2984
-
\??\c:\xrrrlll.exec:\xrrrlll.exe151⤵PID:4512
-
\??\c:\bntbbt.exec:\bntbbt.exe152⤵PID:4912
-
\??\c:\7ppjv.exec:\7ppjv.exe153⤵PID:1052
-
\??\c:\lxlffff.exec:\lxlffff.exe154⤵PID:1940
-
\??\c:\xxlxrrl.exec:\xxlxrrl.exe155⤵PID:2344
-
\??\c:\5nbtnn.exec:\5nbtnn.exe156⤵PID:2704
-
\??\c:\ppvdv.exec:\ppvdv.exe157⤵PID:4736
-
\??\c:\dvdjd.exec:\dvdjd.exe158⤵PID:4372
-
\??\c:\llrlfff.exec:\llrlfff.exe159⤵PID:2176
-
\??\c:\lrrlrrr.exec:\lrrlrrr.exe160⤵PID:5068
-
\??\c:\nhnhbt.exec:\nhnhbt.exe161⤵PID:4052 [System Location Discovery: System Language Discovery]
-
\??\c:\ppjdv.exec:\ppjdv.exe162⤵PID:2680
-
\??\c:\1rrrlll.exec:\1rrrlll.exe163⤵PID:2908
-
\??\c:\bbbtnh.exec:\bbbtnh.exe164⤵PID:4428
-
\??\c:\hhnnth.exec:\hhnnth.exe165⤵PID:3580
-
\??\c:\1ddvp.exec:\1ddvp.exe166⤵PID:5004
-
\??\c:\ffrlfff.exec:\ffrlfff.exe167⤵PID:2168
-
\??\c:\rffrlfx.exec:\rffrlfx.exe168⤵PID:516
-
\??\c:\bhntnt.exec:\bhntnt.exe169⤵PID:2292
-
\??\c:\1vpjd.exec:\1vpjd.exe170⤵PID:1588
-
\??\c:\fxrrrlf.exec:\fxrrrlf.exe171⤵PID:4124
-
\??\c:\llllfff.exec:\llllfff.exe172⤵PID:4296
-
\??\c:\nntnhb.exec:\nntnhb.exe173⤵PID:5044
-
\??\c:\jjjjj.exec:\jjjjj.exe174⤵PID:3056
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe175⤵PID:1136
-
\??\c:\fxllfff.exec:\fxllfff.exe176⤵PID:4452
-
\??\c:\thnhhh.exec:\thnhhh.exe177⤵PID:4352
-
\??\c:\9hhhbb.exec:\9hhhbb.exe178⤵PID:1628
-
\??\c:\jvpjd.exec:\jvpjd.exe179⤵PID:4532
-
\??\c:\xlrlfff.exec:\xlrlfff.exe180⤵PID:5080
-
\??\c:\flffffx.exec:\flffffx.exe181⤵PID:4288
-
\??\c:\nhnnhn.exec:\nhnnhn.exe182⤵PID:1528
-
\??\c:\vdddp.exec:\vdddp.exe183⤵PID:4868
-
\??\c:\ddpjd.exec:\ddpjd.exe184⤵PID:3440
-
\??\c:\rllxxrl.exec:\rllxxrl.exe185⤵PID:1236
-
\??\c:\dvjdv.exec:\dvjdv.exe186⤵PID:1016
-
\??\c:\ddvdv.exec:\ddvdv.exe187⤵PID:1200
-
\??\c:\7rllxxl.exec:\7rllxxl.exe188⤵PID:3904
-
\??\c:\bnttnh.exec:\bnttnh.exe189⤵PID:4728
-
\??\c:\nhhbtb.exec:\nhhbtb.exe190⤵PID:1960
-
\??\c:\3pjdp.exec:\3pjdp.exe191⤵PID:4248
-
\??\c:\fxxxllf.exec:\fxxxllf.exe192⤵PID:3728
-
\??\c:\tbbbhh.exec:\tbbbhh.exe193⤵PID:3080
-
\??\c:\1hhhtn.exec:\1hhhtn.exe194⤵PID:3480
-
\??\c:\pjjjp.exec:\pjjjp.exe195⤵PID:3140
-
\??\c:\fffxffx.exec:\fffxffx.exe196⤵PID:4416
-
\??\c:\3bnhbb.exec:\3bnhbb.exe197⤵PID:3680
-
\??\c:\bbthbb.exec:\bbthbb.exe198⤵PID:4712
-
\??\c:\7pdpj.exec:\7pdpj.exe199⤵PID:3136
-
\??\c:\fxlrffx.exec:\fxlrffx.exe200⤵PID:224
-
\??\c:\1nnnnt.exec:\1nnnnt.exe201⤵PID:3180
-
\??\c:\nhnnnn.exec:\nhnnnn.exe202⤵PID:3572
-
\??\c:\jjjjp.exec:\jjjjp.exe203⤵PID:2520
-
\??\c:\frffffx.exec:\frffffx.exe204⤵PID:2284
-
\??\c:\ttbbhb.exec:\ttbbhb.exe205⤵PID:3896
-
\??\c:\nthtbh.exec:\nthtbh.exe206⤵PID:2436
-
\??\c:\1jdpj.exec:\1jdpj.exe207⤵PID:2672
-
\??\c:\rflfxxf.exec:\rflfxxf.exe208⤵PID:3296
-
\??\c:\bttntt.exec:\bttntt.exe209⤵PID:5000
-
\??\c:\vvddd.exec:\vvddd.exe210⤵PID:2324
-
\??\c:\vvvvp.exec:\vvvvp.exe211⤵PID:2492
-
\??\c:\frflxxr.exec:\frflxxr.exe212⤵PID:4116
-
\??\c:\hhnnnh.exec:\hhnnnh.exe213⤵PID:2580
-
\??\c:\jjjjd.exec:\jjjjd.exe214⤵PID:1072
-
\??\c:\5lrlfxr.exec:\5lrlfxr.exe215⤵PID:3464
-
\??\c:\9tbtbt.exec:\9tbtbt.exe216⤵PID:396
-
\??\c:\9hhhbb.exec:\9hhhbb.exe217⤵PID:4880 [System Location Discovery: System Language Discovery]
-
\??\c:\dddvj.exec:\dddvj.exe218⤵PID:5004
-
\??\c:\xxxrlrf.exec:\xxxrlrf.exe219⤵PID:2168
-
\??\c:\rxxxxxx.exec:\rxxxxxx.exe220⤵PID:516
-
\??\c:\9nbthb.exec:\9nbthb.exe221⤵PID:2292
-
\??\c:\vpppj.exec:\vpppj.exe222⤵PID:1044
-
\??\c:\7pvpv.exec:\7pvpv.exe223⤵PID:4432
-
\??\c:\7llfxfx.exec:\7llfxfx.exe224⤵PID:3024 [System Location Discovery: System Language Discovery]
-
\??\c:\hhhbbb.exec:\hhhbbb.exe225⤵PID:5044
-
\??\c:\3nnntt.exec:\3nnntt.exe226⤵PID:3056
-
\??\c:\jjpjd.exec:\jjpjd.exe227⤵PID:4364
-
\??\c:\vdjdj.exec:\vdjdj.exe228⤵PID:4348
-
\??\c:\flrrrrl.exec:\flrrrrl.exe229⤵PID:4352
-
\??\c:\1hhbbt.exec:\1hhbbt.exe230⤵PID:4928
-
\??\c:\tntnnb.exec:\tntnnb.exe231⤵PID:1668
-
\??\c:\pppdv.exec:\pppdv.exe232⤵PID:2196
-
\??\c:\lllrrlx.exec:\lllrrlx.exe233⤵PID:2016
-
\??\c:\nhnnbt.exec:\nhnnbt.exe234⤵PID:1528
-
\??\c:\9jpjd.exec:\9jpjd.exe235⤵PID:2280
-
\??\c:\3jddp.exec:\3jddp.exe236⤵PID:1800
-
\??\c:\7flfllx.exec:\7flfllx.exe237⤵PID:1388
-
\??\c:\bbtnhh.exec:\bbtnhh.exe238⤵PID:3648
-
\??\c:\tbbbtb.exec:\tbbbtb.exe239⤵PID:3668
-
\??\c:\jdvpv.exec:\jdvpv.exe240⤵PID:388
-
\??\c:\7rxlxxf.exec:\7rxlxxf.exe241⤵PID:1792
-
\??\c:\3rlfrrf.exec:\3rlfrrf.exe242⤵PID:4720