Analysis
-
max time kernel
116s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
28-07-2024 01:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
056c1886355c4e5d394af32cfc9b243a_JaffaCakes118.exe
Resource
win7-20240708-en
windows7-x64
6 signatures
150 seconds
General
-
Target
056c1886355c4e5d394af32cfc9b243a_JaffaCakes118.exe
-
Size
89KB
-
MD5
056c1886355c4e5d394af32cfc9b243a
-
SHA1
dc3e69b6907927ddf08653e01d0d5978e477dee1
-
SHA256
ccc3954dbdc991134eb8f352687f15f74fd088ebfa7050fe4abbca5fccdce009
-
SHA512
338d30d722ba67a8a30e25593e77bcec02bf9602fa50a34643b817c73e03e5bf06e7e4c3ddf39f9a9b8390c91cf7ad74e46ad9f88271aef29c72598e3c53c416
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73XH/YP1HFrJximAAxEPOfdK4M:ymb3NkkiQ3mdBjFo73PYP1lri3KuOlK7
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
resource yara_rule behavioral1/memory/1596-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3008-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2856-164-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2120-208-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/492-235-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2484-254-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2692-298-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2228-280-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2472-271-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2072-244-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2148-199-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2176-191-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/792-173-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2768-146-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1372-101-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1388-85-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2140-76-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2576-65-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2712-62-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2936-43-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2552-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/2756-23-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2184 djvpv.exe 2756 rxllffr.exe 2552 5nhnth.exe 2936 3tnhhn.exe 2712 jdppp.exe 2576 lrrlrlf.exe 2140 tbbnhb.exe 1388 3nhnbt.exe 1372 pjdpd.exe 3008 xfxlrlr.exe 2644 lrlxxlr.exe 1544 hthhnh.exe 2796 pjdpv.exe 2768 lllfrrx.exe 2640 ntbhtn.exe 2856 djjdd.exe 792 ddvjj.exe 2348 lfxflrf.exe 2176 btntbn.exe 2148 5ntntn.exe 2120 ppdpv.exe 1872 xlfflrf.exe 2436 nttthn.exe 492 3nhtnb.exe 2072 vvpdp.exe 2484 9xxrllx.exe 3044 hhhthn.exe 2472 btnthn.exe 2228 jjvpj.exe 464 xxrlrfr.exe 2692 hnnnbt.exe 1496 ntbbhb.exe 2736 vvdvp.exe 2756 vdpjp.exe 2504 xxrfrrf.exe 2600 lfrlxlf.exe 2544 btbbhh.exe 2264 hnhtbn.exe 2572 5dvjv.exe 2068 dvddd.exe 2764 7rxlxxl.exe 2812 tbhtth.exe 1924 jjdvp.exe 3008 lllxrxl.exe 1112 hhbhbn.exe 2900 btnbtb.exe 1072 ddpvj.exe 2648 ffrfrxl.exe 2108 5xxrlxf.exe 2612 bnhhnn.exe 2320 pddvv.exe 544 xrrxlrf.exe 1932 tttnth.exe 1756 nhbnbb.exe 2112 pvpjd.exe 1452 nnnhtn.exe 2096 hnttnh.exe 1600 flxffxl.exe 1392 5xfrrfr.exe 932 ttbhnh.exe 1640 5dvpv.exe 1852 1frffrf.exe 2024 xxxllxf.exe 2484 ntbbth.exe -
resource yara_rule behavioral1/memory/1596-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2712-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3008-110-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2856-164-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2120-208-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/492-235-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2484-254-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2692-298-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2228-280-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2472-271-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2072-244-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2148-199-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2176-191-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/792-173-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2768-146-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1372-101-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1388-85-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2140-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2576-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2712-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2712-52-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2712-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2936-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2552-33-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2756-23-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
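Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The indicator recorded below is an open of the NLS\Language registry key, which ordinary programs also open during locale setup, so on its own it is weak evidence and should be weighed together with the other signatures in this report.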
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1596 wrote to memory of 2184 1596 056c1886355c4e5d394af32cfc9b243a_JaffaCakes118.exe 30 PID 1596 wrote to memory of 2184 1596 056c1886355c4e5d394af32cfc9b243a_JaffaCakes118.exe 30 PID 1596 wrote to memory of 2184 1596 056c1886355c4e5d394af32cfc9b243a_JaffaCakes118.exe 30 PID 1596 wrote to memory of 2184 1596 056c1886355c4e5d394af32cfc9b243a_JaffaCakes118.exe 30 PID 2184 wrote to memory of 2756 2184 djvpv.exe 63 PID 2184 wrote to memory of 2756 2184 djvpv.exe 63 PID 2184 wrote to memory of 2756 2184 djvpv.exe 63 PID 2184 wrote to memory of 2756 2184 djvpv.exe 63 PID 2756 wrote to memory of 2552 2756 rxllffr.exe 32 PID 2756 wrote to memory of 2552 2756 rxllffr.exe 32 PID 2756 wrote to memory of 2552 2756 rxllffr.exe 32 PID 2756 wrote to memory of 2552 2756 rxllffr.exe 32 PID 2552 wrote to memory of 2936 2552 5nhnth.exe 33 PID 2552 wrote to memory of 2936 2552 5nhnth.exe 33 PID 2552 wrote to memory of 2936 2552 5nhnth.exe 33 PID 2552 wrote to memory of 2936 2552 5nhnth.exe 33 PID 2936 wrote to memory of 2712 2936 3tnhhn.exe 34 PID 2936 wrote to memory of 2712 2936 3tnhhn.exe 34 PID 2936 wrote to memory of 2712 2936 3tnhhn.exe 34 PID 2936 wrote to memory of 2712 2936 3tnhhn.exe 34 PID 2712 wrote to memory of 2576 2712 jdppp.exe 35 PID 2712 wrote to memory of 2576 2712 jdppp.exe 35 PID 2712 wrote to memory of 2576 2712 jdppp.exe 35 PID 2712 wrote to memory of 2576 2712 jdppp.exe 35 PID 2576 wrote to memory of 2140 2576 lrrlrlf.exe 36 PID 2576 wrote to memory of 2140 2576 lrrlrlf.exe 36 PID 2576 wrote to memory of 2140 2576 lrrlrlf.exe 36 PID 2576 wrote to memory of 2140 2576 lrrlrlf.exe 36 PID 2140 wrote to memory of 1388 2140 tbbnhb.exe 37 PID 2140 wrote to memory of 1388 2140 tbbnhb.exe 37 PID 2140 wrote to memory of 1388 2140 tbbnhb.exe 37 PID 2140 wrote to memory of 1388 2140 tbbnhb.exe 37 PID 1388 wrote to memory of 1372 1388 3nhnbt.exe 38 PID 1388 wrote to memory of 1372 1388 3nhnbt.exe 38 PID 1388 wrote to memory of 1372 
1388 3nhnbt.exe 38 PID 1388 wrote to memory of 1372 1388 3nhnbt.exe 38 PID 1372 wrote to memory of 3008 1372 pjdpd.exe 39 PID 1372 wrote to memory of 3008 1372 pjdpd.exe 39 PID 1372 wrote to memory of 3008 1372 pjdpd.exe 39 PID 1372 wrote to memory of 3008 1372 pjdpd.exe 39 PID 3008 wrote to memory of 2644 3008 xfxlrlr.exe 40 PID 3008 wrote to memory of 2644 3008 xfxlrlr.exe 40 PID 3008 wrote to memory of 2644 3008 xfxlrlr.exe 40 PID 3008 wrote to memory of 2644 3008 xfxlrlr.exe 40 PID 2644 wrote to memory of 1544 2644 lrlxxlr.exe 41 PID 2644 wrote to memory of 1544 2644 lrlxxlr.exe 41 PID 2644 wrote to memory of 1544 2644 lrlxxlr.exe 41 PID 2644 wrote to memory of 1544 2644 lrlxxlr.exe 41 PID 1544 wrote to memory of 2796 1544 hthhnh.exe 42 PID 1544 wrote to memory of 2796 1544 hthhnh.exe 42 PID 1544 wrote to memory of 2796 1544 hthhnh.exe 42 PID 1544 wrote to memory of 2796 1544 hthhnh.exe 42 PID 2796 wrote to memory of 2768 2796 pjdpv.exe 43 PID 2796 wrote to memory of 2768 2796 pjdpv.exe 43 PID 2796 wrote to memory of 2768 2796 pjdpv.exe 43 PID 2796 wrote to memory of 2768 2796 pjdpv.exe 43 PID 2768 wrote to memory of 2640 2768 lllfrrx.exe 44 PID 2768 wrote to memory of 2640 2768 lllfrrx.exe 44 PID 2768 wrote to memory of 2640 2768 lllfrrx.exe 44 PID 2768 wrote to memory of 2640 2768 lllfrrx.exe 44 PID 2640 wrote to memory of 2856 2640 ntbhtn.exe 45 PID 2640 wrote to memory of 2856 2640 ntbhtn.exe 45 PID 2640 wrote to memory of 2856 2640 ntbhtn.exe 45 PID 2640 wrote to memory of 2856 2640 ntbhtn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\056c1886355c4e5d394af32cfc9b243a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\056c1886355c4e5d394af32cfc9b243a_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\djvpv.exec:\djvpv.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\rxllffr.exec:\rxllffr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\5nhnth.exec:\5nhnth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\3tnhhn.exec:\3tnhhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\jdppp.exec:\jdppp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\lrrlrlf.exec:\lrrlrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\tbbnhb.exec:\tbbnhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\3nhnbt.exec:\3nhnbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\pjdpd.exec:\pjdpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\xfxlrlr.exec:\xfxlrlr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\lrlxxlr.exec:\lrlxxlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\hthhnh.exec:\hthhnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\pjdpv.exec:\pjdpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\lllfrrx.exec:\lllfrrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\ntbhtn.exec:\ntbhtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\djjdd.exec:\djjdd.exe17⤵
- Executes dropped EXE
PID:2856 -
\??\c:\ddvjj.exec:\ddvjj.exe18⤵
- Executes dropped EXE
PID:792 -
\??\c:\lfxflrf.exec:\lfxflrf.exe19⤵
- Executes dropped EXE
PID:2348 -
\??\c:\btntbn.exec:\btntbn.exe20⤵
- Executes dropped EXE
PID:2176 -
\??\c:\5ntntn.exec:\5ntntn.exe21⤵
- Executes dropped EXE
PID:2148 -
\??\c:\ppdpv.exec:\ppdpv.exe22⤵
- Executes dropped EXE
PID:2120 -
\??\c:\xlfflrf.exec:\xlfflrf.exe23⤵
- Executes dropped EXE
PID:1872 -
\??\c:\nttthn.exec:\nttthn.exe24⤵
- Executes dropped EXE
PID:2436 -
\??\c:\3nhtnb.exec:\3nhtnb.exe25⤵
- Executes dropped EXE
PID:492 -
\??\c:\vvpdp.exec:\vvpdp.exe26⤵
- Executes dropped EXE
PID:2072 -
\??\c:\9xxrllx.exec:\9xxrllx.exe27⤵
- Executes dropped EXE
PID:2484 -
\??\c:\hhhthn.exec:\hhhthn.exe28⤵
- Executes dropped EXE
PID:3044 -
\??\c:\btnthn.exec:\btnthn.exe29⤵
- Executes dropped EXE
PID:2472 -
\??\c:\jjvpj.exec:\jjvpj.exe30⤵
- Executes dropped EXE
PID:2228 -
\??\c:\xxrlrfr.exec:\xxrlrfr.exe31⤵
- Executes dropped EXE
PID:464 -
\??\c:\hnnnbt.exec:\hnnnbt.exe32⤵
- Executes dropped EXE
PID:2692 -
\??\c:\ntbbhb.exec:\ntbbhb.exe33⤵
- Executes dropped EXE
PID:1496 -
\??\c:\vvdvp.exec:\vvdvp.exe34⤵
- Executes dropped EXE
PID:2736 -
\??\c:\vdpjp.exec:\vdpjp.exe35⤵
- Executes dropped EXE
PID:2756 -
\??\c:\xxrfrrf.exec:\xxrfrrf.exe36⤵
- Executes dropped EXE
PID:2504 -
\??\c:\lfrlxlf.exec:\lfrlxlf.exe37⤵
- Executes dropped EXE
PID:2600 -
\??\c:\btbbhh.exec:\btbbhh.exe38⤵
- Executes dropped EXE
PID:2544 -
\??\c:\hnhtbn.exec:\hnhtbn.exe39⤵
- Executes dropped EXE
PID:2264 -
\??\c:\5dvjv.exec:\5dvjv.exe40⤵
- Executes dropped EXE
PID:2572 -
\??\c:\dvddd.exec:\dvddd.exe41⤵
- Executes dropped EXE
PID:2068 -
\??\c:\7rxlxxl.exec:\7rxlxxl.exe42⤵
- Executes dropped EXE
PID:2764 -
\??\c:\tbhtth.exec:\tbhtth.exe43⤵
- Executes dropped EXE
PID:2812 -
\??\c:\jjdvp.exec:\jjdvp.exe44⤵
- Executes dropped EXE
PID:1924 -
\??\c:\lllxrxl.exec:\lllxrxl.exe45⤵
- Executes dropped EXE
PID:3008 -
\??\c:\hhbhbn.exec:\hhbhbn.exe46⤵
- Executes dropped EXE
PID:1112 -
\??\c:\btnbtb.exec:\btnbtb.exe47⤵
- Executes dropped EXE
PID:2900 -
\??\c:\ddpvj.exec:\ddpvj.exe48⤵
- Executes dropped EXE
PID:1072 -
\??\c:\ffrfrxl.exec:\ffrfrxl.exe49⤵
- Executes dropped EXE
PID:2648 -
\??\c:\5xxrlxf.exec:\5xxrlxf.exe50⤵
- Executes dropped EXE
PID:2108 -
\??\c:\bnhhnn.exec:\bnhhnn.exe51⤵
- Executes dropped EXE
PID:2612 -
\??\c:\pddvv.exec:\pddvv.exe52⤵
- Executes dropped EXE
PID:2320 -
\??\c:\xrrxlrf.exec:\xrrxlrf.exe53⤵
- Executes dropped EXE
PID:544 -
\??\c:\tttnth.exec:\tttnth.exe54⤵
- Executes dropped EXE
PID:1932 -
\??\c:\nhbnbb.exec:\nhbnbb.exe55⤵
- Executes dropped EXE
PID:1756 -
\??\c:\pvpjd.exec:\pvpjd.exe56⤵
- Executes dropped EXE
PID:2112 -
\??\c:\nnnhtn.exec:\nnnhtn.exe57⤵
- Executes dropped EXE
PID:1452 -
\??\c:\hnttnh.exec:\hnttnh.exe58⤵
- Executes dropped EXE
PID:2096 -
\??\c:\flxffxl.exec:\flxffxl.exe59⤵
- Executes dropped EXE
PID:1600 -
\??\c:\5xfrrfr.exec:\5xfrrfr.exe60⤵
- Executes dropped EXE
PID:1392 -
\??\c:\ttbhnh.exec:\ttbhnh.exe61⤵
- Executes dropped EXE
PID:932 -
\??\c:\5dvpv.exec:\5dvpv.exe62⤵
- Executes dropped EXE
PID:1640 -
\??\c:\1frffrf.exec:\1frffrf.exe63⤵
- Executes dropped EXE
PID:1852 -
\??\c:\xxxllxf.exec:\xxxllxf.exe64⤵
- Executes dropped EXE
PID:2024 -
\??\c:\ntbbth.exec:\ntbbth.exe65⤵
- Executes dropped EXE
PID:2484 -
\??\c:\dvppv.exec:\dvppv.exe66⤵PID:2232
-
\??\c:\llffxxr.exec:\llffxxr.exe67⤵PID:1796
-
\??\c:\rrlrlfx.exec:\rrlrlfx.exe68⤵PID:2728
-
\??\c:\hbttnt.exec:\hbttnt.exe69⤵PID:2516
-
\??\c:\1pvjv.exec:\1pvjv.exe70⤵PID:1708
-
\??\c:\rrxlxfr.exec:\rrxlxfr.exe71⤵PID:2372
-
\??\c:\bbbtht.exec:\bbbtht.exe72⤵PID:2672
-
\??\c:\tntbtn.exec:\tntbtn.exe73⤵PID:2700
-
\??\c:\jvddj.exec:\jvddj.exe74⤵PID:2632
-
\??\c:\lxlrxlx.exec:\lxlrxlx.exe75⤵PID:880
-
\??\c:\5rllxxf.exec:\5rllxxf.exe76⤵PID:2060
-
\??\c:\tnhbhn.exec:\tnhbhn.exe77⤵PID:2712
-
\??\c:\nhtttb.exec:\nhtttb.exe78⤵PID:2564
-
\??\c:\vjjpd.exec:\vjjpd.exe79⤵PID:300
-
\??\c:\1xxrfrl.exec:\1xxrfrl.exe80⤵PID:2816
-
\??\c:\1rfrxxx.exec:\1rfrxxx.exe81⤵PID:2416
-
\??\c:\bhhtnt.exec:\bhhtnt.exe82⤵PID:1388
-
\??\c:\nnntbh.exec:\nnntbh.exe83⤵PID:2284
-
\??\c:\djdjv.exec:\djdjv.exe84⤵PID:2788
-
\??\c:\3djvp.exec:\3djvp.exe85⤵PID:2540
-
\??\c:\xlrrflr.exec:\xlrrflr.exe86⤵PID:1876
-
\??\c:\frlxflf.exec:\frlxflf.exe87⤵PID:2500
-
\??\c:\9tbtnh.exec:\9tbtnh.exe88⤵PID:2376
-
\??\c:\ntbnhn.exec:\ntbnhn.exe89⤵PID:1952
-
\??\c:\jjppd.exec:\jjppd.exe90⤵PID:580
-
\??\c:\xfflxlx.exec:\xfflxlx.exe91⤵PID:2612
-
\??\c:\xxrxlfr.exec:\xxrxlfr.exe92⤵PID:532
-
\??\c:\nnntnb.exec:\nnntnb.exe93⤵PID:1160
-
\??\c:\tttbnb.exec:\tttbnb.exe94⤵PID:1096
-
\??\c:\pvpdp.exec:\pvpdp.exe95⤵PID:1456
-
\??\c:\vvjvj.exec:\vvjvj.exe96⤵PID:2124
-
\??\c:\llfrllf.exec:\llfrllf.exe97⤵PID:2020
-
\??\c:\tbttbb.exec:\tbttbb.exe98⤵PID:1292
-
\??\c:\1hbhbb.exec:\1hbhbb.exe99⤵PID:2316
-
\??\c:\djdvd.exec:\djdvd.exe100⤵PID:916
-
\??\c:\pjdjp.exec:\pjdjp.exe101⤵PID:348
-
\??\c:\3xflflx.exec:\3xflflx.exe102⤵PID:1092
-
\??\c:\3rffrff.exec:\3rffrff.exe103⤵PID:2448
-
\??\c:\hbtbnt.exec:\hbtbnt.exe104⤵PID:2988
-
\??\c:\3nnhtb.exec:\3nnhtb.exe105⤵PID:2604
-
\??\c:\vvpvj.exec:\vvpvj.exe106⤵PID:812
-
\??\c:\lfrflxr.exec:\lfrflxr.exe107⤵PID:372
-
\??\c:\rrrlfrf.exec:\rrrlfrf.exe108⤵PID:1668
-
\??\c:\hntbbb.exec:\hntbbb.exe109⤵PID:2732
-
\??\c:\bnnntt.exec:\bnnntt.exe110⤵PID:604
-
\??\c:\vpjpp.exec:\vpjpp.exe111⤵PID:2992
-
\??\c:\xfllfrr.exec:\xfllfrr.exe112⤵PID:2832
-
\??\c:\7bnnht.exec:\7bnnht.exe113⤵PID:2780
-
\??\c:\tntthn.exec:\tntthn.exe114⤵PID:1752
-
\??\c:\dvddp.exec:\dvddp.exe115⤵PID:2552
-
\??\c:\fxxfrxr.exec:\fxxfrxr.exe116⤵PID:2772
-
\??\c:\xfxlrfl.exec:\xfxlrfl.exe117⤵PID:2616
-
\??\c:\1bbhbt.exec:\1bbhbt.exe118⤵PID:2588
-
\??\c:\ttnthn.exec:\ttnthn.exe119⤵PID:1920
-
\??\c:\dvddv.exec:\dvddv.exe120⤵PID:2140
-
\??\c:\jvvjj.exec:\jvvjj.exe121⤵PID:2068
-
\??\c:\fxxflrf.exec:\fxxflrf.exe122⤵PID:3000
-