Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
18/10/2024, 16:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
586b0bd5539aca526d396624015ac2f4_JaffaCakes118.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
586b0bd5539aca526d396624015ac2f4_JaffaCakes118.exe
-
Size
117KB
-
MD5
586b0bd5539aca526d396624015ac2f4
-
SHA1
a7f9416cfc9057843d8a1034ecf423d59fa1cd45
-
SHA256
699b5fb8c9fba4f5cf706e2aec41c4b3fbf69b139ff0950444bc8fe2aeb10b89
-
SHA512
893fc5584def676ebd8a4b5e3b886263a09e426ee02482be790fde3cd3dde514a6935c286011f66ac74a864da3d2f9e83454a0a1d025c7161b9a2425139697ff
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73t6MlYqn+jMp9EarSAcUeFN+T:ymb3NkkiQ3mdBjFo73tvn+Yp9WT6jwi
Malware Config
Signatures
-
Detect Blackmoon payload 20 IoCs
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\586b0bd5539aca526d396624015ac2f4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\586b0bd5539aca526d396624015ac2f4_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\tnhhbn.exec:\tnhhbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\pppvp.exec:\pppvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\lrflxrf.exec:\lrflxrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\1ntbht.exec:\1ntbht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\lffrxxf.exec:\lffrxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\xxlflrf.exec:\xxlflrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\ddvdp.exec:\ddvdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\jdjpp.exec:\jdjpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\xrlxrxf.exec:\xrlxrxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\3tbntb.exec:\3tbntb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\ppdjp.exec:\ppdjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\vvvdj.exec:\vvvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\9rrfrfl.exec:\9rrfrfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\frlfflr.exec:\frlfflr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\5bthtt.exec:\5bthtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\jvpdj.exec:\jvpdj.exe17⤵
- Executes dropped EXE
PID:888 -
\??\c:\xxrffrf.exec:\xxrffrf.exe18⤵
- Executes dropped EXE
PID:568 -
\??\c:\7bnbbh.exec:\7bnbbh.exe19⤵
- Executes dropped EXE
PID:2156 -
\??\c:\jvvjp.exec:\jvvjp.exe20⤵
- Executes dropped EXE
PID:2244 -
\??\c:\dvjjd.exec:\dvjjd.exe21⤵
- Executes dropped EXE
PID:844 -
\??\c:\lfrfxxr.exec:\lfrfxxr.exe22⤵
- Executes dropped EXE
PID:1344 -
\??\c:\nnnthh.exec:\nnnthh.exe23⤵
- Executes dropped EXE
PID:624 -
\??\c:\vdpjd.exec:\vdpjd.exe24⤵
- Executes dropped EXE
PID:1884 -
\??\c:\lfrfllx.exec:\lfrfllx.exe25⤵
- Executes dropped EXE
PID:1340 -
\??\c:\5nthth.exec:\5nthth.exe26⤵
- Executes dropped EXE
PID:1908 -
\??\c:\bththt.exec:\bththt.exe27⤵
- Executes dropped EXE
PID:284 -
\??\c:\jjjpj.exec:\jjjpj.exe28⤵
- Executes dropped EXE
PID:300 -
\??\c:\xxrxxxx.exec:\xxrxxxx.exe29⤵
- Executes dropped EXE
PID:1720 -
\??\c:\bbtthh.exec:\bbtthh.exe30⤵
- Executes dropped EXE
PID:1408 -
\??\c:\vpjvj.exec:\vpjvj.exe31⤵
- Executes dropped EXE
PID:2492 -
\??\c:\5frrxxf.exec:\5frrxxf.exe32⤵
- Executes dropped EXE
PID:2840 -
\??\c:\rxrllfx.exec:\rxrllfx.exe33⤵
- Executes dropped EXE
PID:2820 -
\??\c:\1nnhtn.exec:\1nnhtn.exe34⤵
- Executes dropped EXE
PID:3008 -
\??\c:\vvvvj.exec:\vvvvj.exe35⤵
- Executes dropped EXE
PID:2680 -
\??\c:\vvpvp.exec:\vvpvp.exe36⤵
- Executes dropped EXE
PID:2932 -
\??\c:\lfxlflx.exec:\lfxlflx.exe37⤵
- Executes dropped EXE
PID:2748 -
\??\c:\ttnthh.exec:\ttnthh.exe38⤵
- Executes dropped EXE
PID:2632 -
\??\c:\nnhtnt.exec:\nnhtnt.exe39⤵
- Executes dropped EXE
PID:2208 -
\??\c:\3dvpv.exec:\3dvpv.exe40⤵
- Executes dropped EXE
PID:2640 -
\??\c:\vpvdp.exec:\vpvdp.exe41⤵
- Executes dropped EXE
PID:1784 -
\??\c:\xfrlrff.exec:\xfrlrff.exe42⤵
- Executes dropped EXE
PID:1968 -
\??\c:\7nthbb.exec:\7nthbb.exe43⤵
- Executes dropped EXE
PID:2676 -
\??\c:\nnhtht.exec:\nnhtht.exe44⤵
- Executes dropped EXE
PID:1576 -
\??\c:\vvvjd.exec:\vvvjd.exe45⤵
- Executes dropped EXE
PID:484 -
\??\c:\jddjj.exec:\jddjj.exe46⤵
- Executes dropped EXE
PID:1336 -
\??\c:\xfrrxrl.exec:\xfrrxrl.exe47⤵
- Executes dropped EXE
PID:1880 -
\??\c:\1lxfxfx.exec:\1lxfxfx.exe48⤵
- Executes dropped EXE
PID:2940 -
\??\c:\bnbtnn.exec:\bnbtnn.exe49⤵
- Executes dropped EXE
PID:2936 -
\??\c:\vvppd.exec:\vvppd.exe50⤵
- Executes dropped EXE
PID:1516 -
\??\c:\ddjpd.exec:\ddjpd.exe51⤵
- Executes dropped EXE
PID:2304 -
\??\c:\5llxffx.exec:\5llxffx.exe52⤵
- Executes dropped EXE
PID:1152 -
\??\c:\llfxrxl.exec:\llfxrxl.exe53⤵
- Executes dropped EXE
PID:1644 -
\??\c:\ntbttn.exec:\ntbttn.exe54⤵
- Executes dropped EXE
PID:3024 -
\??\c:\nnbhbh.exec:\nnbhbh.exe55⤵
- Executes dropped EXE
PID:1608 -
\??\c:\pppdv.exec:\pppdv.exe56⤵
- Executes dropped EXE
PID:2556 -
\??\c:\ppjpd.exec:\ppjpd.exe57⤵
- Executes dropped EXE
PID:1780 -
\??\c:\lxrrllx.exec:\lxrrllx.exe58⤵
- Executes dropped EXE
PID:1048 -
\??\c:\ffrfrrf.exec:\ffrfrrf.exe59⤵
- Executes dropped EXE
PID:1344 -
\??\c:\hhhnbb.exec:\hhhnbb.exe60⤵
- Executes dropped EXE
PID:2172 -
\??\c:\9nhbhh.exec:\9nhbhh.exe61⤵
- Executes dropped EXE
PID:2328 -
\??\c:\vpjjd.exec:\vpjjd.exe62⤵
- Executes dropped EXE
PID:2404 -
\??\c:\3vjdj.exec:\3vjdj.exe63⤵
- Executes dropped EXE
PID:1340 -
\??\c:\rxxllxl.exec:\rxxllxl.exe64⤵
- Executes dropped EXE
PID:1908 -
\??\c:\xxxxxfx.exec:\xxxxxfx.exe65⤵
- Executes dropped EXE
PID:688 -
\??\c:\tnbbhb.exec:\tnbbhb.exe66⤵PID:1804
-
\??\c:\pvpdj.exec:\pvpdj.exe67⤵PID:1652
-
\??\c:\1pvjd.exec:\1pvjd.exe68⤵PID:1688
-
\??\c:\fxrxfxf.exec:\fxrxfxf.exe69⤵PID:868
-
\??\c:\7lfxfxx.exec:\7lfxfxx.exe70⤵PID:1856
-
\??\c:\thnhbh.exec:\thnhbh.exe71⤵PID:2704
-
\??\c:\jvvvd.exec:\jvvvd.exe72⤵PID:1592
-
\??\c:\vvpdv.exec:\vvpdv.exe73⤵PID:2876
-
\??\c:\lxlxlfx.exec:\lxlxlfx.exe74⤵PID:2868
-
\??\c:\tnhbnn.exec:\tnhbnn.exe75⤵PID:2792
-
\??\c:\btnthh.exec:\btnthh.exe76⤵PID:2576
-
\??\c:\pdppd.exec:\pdppd.exe77⤵PID:2864
-
\??\c:\vpjvj.exec:\vpjvj.exe78⤵PID:2632
-
\??\c:\llllxxl.exec:\llllxxl.exe79⤵PID:2572
-
\??\c:\llxrfrx.exec:\llxrfrx.exe80⤵PID:1528
-
\??\c:\hbnbnt.exec:\hbnbnt.exe81⤵PID:2212
-
\??\c:\5jdpv.exec:\5jdpv.exe82⤵PID:1968
-
\??\c:\vjddj.exec:\vjddj.exe83⤵PID:2676
-
\??\c:\3fxlrfr.exec:\3fxlrfr.exe84⤵PID:2116
-
\??\c:\3xxrflx.exec:\3xxrflx.exe85⤵PID:1264
-
\??\c:\tthbth.exec:\tthbth.exe86⤵PID:1336
-
\??\c:\bhtbhh.exec:\bhtbhh.exe87⤵PID:2648
-
\??\c:\vpjdj.exec:\vpjdj.exe88⤵PID:2940
-
\??\c:\fxrxllx.exec:\fxrxllx.exe89⤵PID:2756
-
\??\c:\3rrllfx.exec:\3rrllfx.exe90⤵PID:1548
-
\??\c:\bbbthn.exec:\bbbthn.exe91⤵PID:1820
-
\??\c:\vvdpv.exec:\vvdpv.exe92⤵PID:1156
-
\??\c:\dvjjp.exec:\dvjjp.exe93⤵PID:1096
-
\??\c:\1xxxlrl.exec:\1xxxlrl.exe94⤵PID:3024
-
\??\c:\rlxfllr.exec:\rlxfllr.exe95⤵PID:2560
-
\??\c:\7bbnbh.exec:\7bbnbh.exe96⤵PID:2556
-
\??\c:\dddvj.exec:\dddvj.exe97⤵PID:1780
-
\??\c:\jdjjp.exec:\jdjjp.exe98⤵PID:1048
-
\??\c:\fflffrr.exec:\fflffrr.exe99⤵
- System Location Discovery: System Language Discovery
PID:840 -
\??\c:\7frxlrl.exec:\7frxlrl.exe100⤵PID:2172
-
\??\c:\hhbnbb.exec:\hhbnbb.exe101⤵PID:664
-
\??\c:\vvjjv.exec:\vvjjv.exe102⤵PID:1036
-
\??\c:\jdpdd.exec:\jdpdd.exe103⤵PID:828
-
\??\c:\lxrrffr.exec:\lxrrffr.exe104⤵PID:1908
-
\??\c:\xxxlxlr.exec:\xxxlxlr.exe105⤵PID:972
-
\??\c:\tththn.exec:\tththn.exe106⤵PID:1804
-
\??\c:\nnbnbh.exec:\nnbnbh.exe107⤵PID:1964
-
\??\c:\ddvjd.exec:\ddvjd.exe108⤵PID:1688
-
\??\c:\ddpvj.exec:\ddpvj.exe109⤵PID:1408
-
\??\c:\fxxxfrf.exec:\fxxxfrf.exe110⤵PID:1856
-
\??\c:\5tnhbn.exec:\5tnhbn.exe111⤵PID:2836
-
\??\c:\9jdvp.exec:\9jdvp.exe112⤵PID:2732
-
\??\c:\vpjvv.exec:\vpjvv.exe113⤵PID:2820
-
\??\c:\rxfxlff.exec:\rxfxlff.exe114⤵PID:2616
-
\??\c:\hbnbth.exec:\hbnbth.exe115⤵PID:2680
-
\??\c:\hhbbnt.exec:\hhbbnt.exe116⤵PID:2576
-
\??\c:\7jdpj.exec:\7jdpj.exe117⤵PID:2748
-
\??\c:\lllrxfl.exec:\lllrxfl.exe118⤵PID:2632
-
\??\c:\rrlxxfr.exec:\rrlxxfr.exe119⤵PID:2208
-
\??\c:\5hbtnb.exec:\5hbtnb.exe120⤵PID:2640
-
\??\c:\tbtbth.exec:\tbtbth.exe121⤵PID:1784
-
\??\c:\jdppd.exec:\jdppd.exe122⤵PID:1968