Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/10/2024, 16:24

Static task: static1 (1 signature)

Behavioral task: behavioral1
- Sample: 586b0bd5539aca526d396624015ac2f4_JaffaCakes118.exe
- Resource: win7-20240903-en
- 6 signatures
- 150 seconds
General
- Target: 586b0bd5539aca526d396624015ac2f4_JaffaCakes118.exe
- Size: 117KB
- MD5: 586b0bd5539aca526d396624015ac2f4
- SHA1: a7f9416cfc9057843d8a1034ecf423d59fa1cd45
- SHA256: 699b5fb8c9fba4f5cf706e2aec41c4b3fbf69b139ff0950444bc8fe2aeb10b89
- SHA512: 893fc5584def676ebd8a4b5e3b886263a09e426ee02482be790fde3cd3dde514a6935c286011f66ac74a864da3d2f9e83454a0a1d025c7161b9a2425139697ff
- SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73t6MlYqn+jMp9EarSAcUeFN+T:ymb3NkkiQ3mdBjFo73tvn+Yp9WT6jwi
Malware Config
Signatures
- Detect Blackmoon payload (22 IoCs)
  resource  yara_rule
  behavioral2/memory/3144-3-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/3144-10-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/3992-18-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/4860-25-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/4456-39-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/3912-54-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/4512-58-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/4372-66-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/4688-79-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/244-91-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/4708-97-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/1608-103-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/3180-108-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/1968-114-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/4644-132-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/980-139-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/4996-145-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/1464-151-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/3940-163-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/3440-174-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/2928-193-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
  behavioral2/memory/1904-199-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
- Executes dropped EXE (64 IoCs)
  pid  Process
  1632  bthhbb.exe
  3992  nnntnt.exe
  4860  jjdvp.exe
  3568  xllxrrl.exe
  4456  hhhhbh.exe
  3912  1nbttn.exe
  4512  rrxrxrr.exe
  4372  3bhbtt.exe
  4688  vvdjp.exe
  2876  tnbbbb.exe
  244  5vpvp.exe
  4708  fxlffff.exe
  1608  nbnbth.exe
  3180  hbhhnh.exe
  1968  rxlrlfl.exe
  4368  bbbttb.exe
  2892  3vjpj.exe
  4644  xlxrrfl.exe
  980  ffffxrr.exe
  4996  nhnhbb.exe
  1464  vvdvd.exe
  3648  7vpjj.exe
  3940  rfrlxlx.exe
  4008  bntnnh.exe
  3440  dvpvj.exe
  4424  9lllllr.exe
  2084  xrrrrxx.exe
  2928  hhtbhh.exe
  1904  pdppd.exe
  220  fxfxrll.exe
  4928  rrxrffl.exe
  4188  9hthbb.exe
  2428  nnhthn.exe
  4012  jjjpj.exe
  2172  lfrlffr.exe
  812  bnbttb.exe
  392  llrrllf.exe
  2912  3lfxrrr.exe
  4204  ntnntb.exe
  1808  hbhhbh.exe
  1860  ppvjj.exe
  4860  xlrxrxx.exe
  2976  xrrlflf.exe
  4912  bhnnhh.exe
  3912  pdppj.exe
  4384  3rrlrrr.exe
  4432  btttnn.exe
  3544  vpdpv.exe
  2060  flfrrrr.exe
  1484  ththbh.exe
  244  xxflfrr.exe
  4836  flxxrxx.exe
  1708  5hntbt.exe
  4832  htbhbt.exe
  1128  ddddv.exe
  4604  xrxxlrl.exe
  2088  xflllll.exe
  2892  hhbbhh.exe
  2188  dvvvv.exe
  3644  dpjjd.exe
  4628  xrrrlll.exe
  5116  hhhhht.exe
  2472  ddddd.exe
  4624  1vpvd.exe
- YARA rule match: upx (31 IoCs)
  resource  yara_rule
  behavioral2/memory/3144-3-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/3144-10-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/3992-18-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/4860-25-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/4456-39-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/4456-38-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/4456-37-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/3912-48-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/3912-47-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/3912-46-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/3912-54-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/4512-58-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/4372-66-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/4372-65-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/4372-64-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/4688-73-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/4688-74-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/4688-79-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/244-91-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/4708-97-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/1608-103-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/3180-108-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/1968-114-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/4644-132-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/980-139-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/4996-145-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/1464-151-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/3940-163-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/3440-174-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/2928-193-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral2/memory/1904-199-0x0000000000400000-0x0000000000429000-memory.dmp  upx
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  All 64 entries are "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language.
  Entries attributed to a named process, in report order: vvdvd.exe, bhbhhb.exe, tnbhbh.exe, 3htttb.exe, vvdvp.exe, hthbtn.exe, pjjjd.exe, vpdvp.exe, pjdvp.exe. The remaining 55 entries are attributed to "Process not Found".
- Suspicious use of WriteProcessMemory (64 IoCs)
  description  pid  Process  procid_target  (each row is reported three times, except the last, which is cut off at the 64-entry limit)
  PID 3144 wrote to memory of 1632  3144  586b0bd5539aca526d396624015ac2f4_JaffaCakes118.exe  88
  PID 1632 wrote to memory of 3992  1632  bthhbb.exe  89
  PID 3992 wrote to memory of 4860  3992  nnntnt.exe  90
  PID 4860 wrote to memory of 3568  4860  jjdvp.exe  91
  PID 3568 wrote to memory of 4456  3568  xllxrrl.exe  92
  PID 4456 wrote to memory of 3912  4456  hhhhbh.exe  93
  PID 3912 wrote to memory of 4512  3912  1nbttn.exe  94
  PID 4512 wrote to memory of 4372  4512  rrxrxrr.exe  95
  PID 4372 wrote to memory of 4688  4372  3bhbtt.exe  96
  PID 4688 wrote to memory of 2876  4688  vvdjp.exe  97
  PID 2876 wrote to memory of 244  2876  tnbbbb.exe  98
  PID 244 wrote to memory of 4708  244  5vpvp.exe  99
  PID 4708 wrote to memory of 1608  4708  fxlffff.exe  100
  PID 1608 wrote to memory of 3180  1608  nbnbth.exe  101
  PID 3180 wrote to memory of 1968  3180  hbhhnh.exe  103
  PID 1968 wrote to memory of 4368  1968  rxlrlfl.exe  104
  PID 4368 wrote to memory of 2892  4368  bbbttb.exe  106
  PID 2892 wrote to memory of 4644  2892  3vjpj.exe  107
  PID 4644 wrote to memory of 980  4644  xlxrrfl.exe  108
  PID 980 wrote to memory of 4996  980  ffffxrr.exe  109
  PID 4996 wrote to memory of 1464  4996  nhnhbb.exe  110
  PID 1464 wrote to memory of 3648  1464  vvdvd.exe  111  (reported once)
Processes
depth  image  command line  PID  signatures
- 1  C:\Users\Admin\AppData\Local\Temp\586b0bd5539aca526d396624015ac2f4_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\586b0bd5539aca526d396624015ac2f4_JaffaCakes118.exe"  PID:3144  Suspicious use of WriteProcessMemory
- 2  \??\c:\bthhbb.exe  c:\bthhbb.exe  PID:1632  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 3  \??\c:\nnntnt.exe  c:\nnntnt.exe  PID:3992  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 4  \??\c:\jjdvp.exe  c:\jjdvp.exe  PID:4860  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 5  \??\c:\xllxrrl.exe  c:\xllxrrl.exe  PID:3568  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 6  \??\c:\hhhhbh.exe  c:\hhhhbh.exe  PID:4456  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 7  \??\c:\1nbttn.exe  c:\1nbttn.exe  PID:3912  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 8  \??\c:\rrxrxrr.exe  c:\rrxrxrr.exe  PID:4512  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 9  \??\c:\3bhbtt.exe  c:\3bhbtt.exe  PID:4372  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 10  \??\c:\vvdjp.exe  c:\vvdjp.exe  PID:4688  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 11  \??\c:\tnbbbb.exe  c:\tnbbbb.exe  PID:2876  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 12  \??\c:\5vpvp.exe  c:\5vpvp.exe  PID:244  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 13  \??\c:\fxlffff.exe  c:\fxlffff.exe  PID:4708  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 14  \??\c:\nbnbth.exe  c:\nbnbth.exe  PID:1608  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 15  \??\c:\hbhhnh.exe  c:\hbhhnh.exe  PID:3180  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 16  \??\c:\rxlrlfl.exe  c:\rxlrlfl.exe  PID:1968  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 17  \??\c:\bbbttb.exe  c:\bbbttb.exe  PID:4368  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 18  \??\c:\3vjpj.exe  c:\3vjpj.exe  PID:2892  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 19  \??\c:\xlxrrfl.exe  c:\xlxrrfl.exe  PID:4644  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 20  \??\c:\ffffxrr.exe  c:\ffffxrr.exe  PID:980  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 21  \??\c:\nhnhbb.exe  c:\nhnhbb.exe  PID:4996  Executes dropped EXE; Suspicious use of WriteProcessMemory
- 22  \??\c:\vvdvd.exe  c:\vvdvd.exe  PID:1464  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- 23  \??\c:\7vpjj.exe  c:\7vpjj.exe  PID:3648  Executes dropped EXE
- 24  \??\c:\rfrlxlx.exe  c:\rfrlxlx.exe  PID:3940  Executes dropped EXE
- 25  \??\c:\bntnnh.exe  c:\bntnnh.exe  PID:4008  Executes dropped EXE
- 26  \??\c:\dvpvj.exe  c:\dvpvj.exe  PID:3440  Executes dropped EXE
- 27  \??\c:\9lllllr.exe  c:\9lllllr.exe  PID:4424  Executes dropped EXE
- 28  \??\c:\xrrrrxx.exe  c:\xrrrrxx.exe  PID:2084  Executes dropped EXE
- 29  \??\c:\hhtbhh.exe  c:\hhtbhh.exe  PID:2928  Executes dropped EXE
- 30  \??\c:\pdppd.exe  c:\pdppd.exe  PID:1904  Executes dropped EXE
- 31  \??\c:\fxfxrll.exe  c:\fxfxrll.exe  PID:220  Executes dropped EXE
- 32  \??\c:\rrxrffl.exe  c:\rrxrffl.exe  PID:4928  Executes dropped EXE
- 33  \??\c:\9hthbb.exe  c:\9hthbb.exe  PID:4188  Executes dropped EXE
- 34  \??\c:\nnhthn.exe  c:\nnhthn.exe  PID:2428  Executes dropped EXE
- 35  \??\c:\jjjpj.exe  c:\jjjpj.exe  PID:4012  Executes dropped EXE
- 36  \??\c:\lfrlffr.exe  c:\lfrlffr.exe  PID:2172  Executes dropped EXE
- 37  \??\c:\bnbttb.exe  c:\bnbttb.exe  PID:812  Executes dropped EXE
- 38  \??\c:\llrrllf.exe  c:\llrrllf.exe  PID:392  Executes dropped EXE
- 39  \??\c:\3lfxrrr.exe  c:\3lfxrrr.exe  PID:2912  Executes dropped EXE
- 40  \??\c:\ntnntb.exe  c:\ntnntb.exe  PID:4204  Executes dropped EXE
- 41  \??\c:\hbhhbh.exe  c:\hbhhbh.exe  PID:1808  Executes dropped EXE
- 42  \??\c:\ppvjj.exe  c:\ppvjj.exe  PID:1860  Executes dropped EXE
- 43  \??\c:\xlrxrxx.exe  c:\xlrxrxx.exe  PID:4860  Executes dropped EXE
- 44  \??\c:\xrrlflf.exe  c:\xrrlflf.exe  PID:2976  Executes dropped EXE
- 45  \??\c:\bhnnhh.exe  c:\bhnnhh.exe  PID:4912  Executes dropped EXE
- 46  \??\c:\pdppj.exe  c:\pdppj.exe  PID:3912  Executes dropped EXE
- 47  \??\c:\3rrlrrr.exe  c:\3rrlrrr.exe  PID:4384  Executes dropped EXE
- 48  \??\c:\btttnn.exe  c:\btttnn.exe  PID:4432  Executes dropped EXE
- 49  \??\c:\vpdpv.exe  c:\vpdpv.exe  PID:3544  Executes dropped EXE
- 50  \??\c:\flfrrrr.exe  c:\flfrrrr.exe  PID:2060  Executes dropped EXE
- 51  \??\c:\ththbh.exe  c:\ththbh.exe  PID:1484  Executes dropped EXE
- 52  \??\c:\xxflfrr.exe  c:\xxflfrr.exe  PID:244  Executes dropped EXE
- 53  \??\c:\flxxrxx.exe  c:\flxxrxx.exe  PID:4836  Executes dropped EXE
- 54  \??\c:\5hntbt.exe  c:\5hntbt.exe  PID:1708  Executes dropped EXE
- 55  \??\c:\htbhbt.exe  c:\htbhbt.exe  PID:4832  Executes dropped EXE
- 56  \??\c:\ddddv.exe  c:\ddddv.exe  PID:1128  Executes dropped EXE
- 57  \??\c:\xrxxlrl.exe  c:\xrxxlrl.exe  PID:4604  Executes dropped EXE
- 58  \??\c:\xflllll.exe  c:\xflllll.exe  PID:2088  Executes dropped EXE
- 59  \??\c:\hhbbhh.exe  c:\hhbbhh.exe  PID:2892  Executes dropped EXE
- 60  \??\c:\dvvvv.exe  c:\dvvvv.exe  PID:2188  Executes dropped EXE
- 61  \??\c:\dpjjd.exe  c:\dpjjd.exe  PID:3644  Executes dropped EXE
- 62  \??\c:\xrrrlll.exe  c:\xrrrlll.exe  PID:4628  Executes dropped EXE
- 63  \??\c:\hhhhht.exe  c:\hhhhht.exe  PID:5116  Executes dropped EXE
- 64  \??\c:\ddddd.exe  c:\ddddd.exe  PID:2472  Executes dropped EXE
- 65  \??\c:\1vpvd.exe  c:\1vpvd.exe  PID:4624  Executes dropped EXE
- 66  \??\c:\rxfxlrl.exe  c:\rxfxlrl.exe  PID:4776
- 67  \??\c:\xlxrrrr.exe  c:\xlxrrrr.exe  PID:4140
- 68  \??\c:\ntttnh.exe  c:\ntttnh.exe  PID:1572
- 69  \??\c:\dvvvj.exe  c:\dvvvj.exe  PID:1456
- 70  \??\c:\ddjdj.exe  c:\ddjdj.exe  PID:3300
- 71  \??\c:\lfllrrl.exe  c:\lfllrrl.exe  PID:3440
- 72  \??\c:\rlrfffx.exe  c:\rlrfffx.exe  PID:2516
- 73  \??\c:\bnhhhh.exe  c:\bnhhhh.exe  PID:1648
- 74  \??\c:\5ppjd.exe  c:\5ppjd.exe  PID:1232
- 75  \??\c:\rllfxll.exe  c:\rllfxll.exe  PID:872
- 76  \??\c:\9xxflll.exe  c:\9xxflll.exe  PID:1568
- 77  \??\c:\nhnnnn.exe  c:\nhnnnn.exe  PID:5076
- 78  \??\c:\thbthn.exe  c:\thbthn.exe  PID:4000
- 79  \??\c:\jppdd.exe  c:\jppdd.exe  PID:4788
- 80  \??\c:\rflllll.exe  c:\rflllll.exe  PID:1924
- 81  \??\c:\3xllrrl.exe  c:\3xllrrl.exe  PID:2428
- 82  \??\c:\tnbtbn.exe  c:\tnbtbn.exe  PID:4480
- 83  \??\c:\tnnhhh.exe  c:\tnnhhh.exe  PID:4484
- 84  \??\c:\9ddvp.exe  c:\9ddvp.exe  PID:3144
- 85  \??\c:\ffrffxl.exe  c:\ffrffxl.exe  PID:2040
- 86  \??\c:\hnbhhb.exe  c:\hnbhhb.exe  PID:2912
- 87  \??\c:\tntttt.exe  c:\tntttt.exe  PID:2956
- 88  \??\c:\jpjjd.exe  c:\jpjjd.exe  PID:2824
- 89  \??\c:\frxxrrl.exe  c:\frxxrrl.exe  PID:4104
- 90  \??\c:\xxfxflr.exe  c:\xxfxflr.exe  PID:4860
- 91  \??\c:\7tnnhb.exe  c:\7tnnhb.exe  PID:1080
- 92  \??\c:\bhbhhb.exe  c:\bhbhhb.exe  PID:332  System Location Discovery: System Language Discovery
- 93  \??\c:\jvvpj.exe  c:\jvvpj.exe  PID:1364
- 94  \??\c:\pvpdp.exe  c:\pvpdp.exe  PID:4924
- 95  \??\c:\1ffxxff.exe  c:\1ffxxff.exe  PID:2360
- 96  \??\c:\7xffxxx.exe  c:\7xffxxx.exe  PID:4504
- 97  \??\c:\bnbnbh.exe  c:\bnbnbh.exe  PID:4552
- 98  \??\c:\vvvjv.exe  c:\vvvjv.exe  PID:2368
- 99  \??\c:\vvddj.exe  c:\vvddj.exe  PID:1308
- 100  \??\c:\rlffffl.exe  c:\rlffffl.exe  PID:4548
- 101  \??\c:\hhbhtt.exe  c:\hhbhtt.exe  PID:2324
- 102  \??\c:\hhntth.exe  c:\hhntth.exe  PID:3444
- 103  \??\c:\vjpjd.exe  c:\vjpjd.exe  PID:772
- 104  \??\c:\vdjdd.exe  c:\vdjdd.exe  PID:3732
- 105  \??\c:\rxxrlll.exe  c:\rxxrlll.exe  PID:3816
- 106  \??\c:\hbhntt.exe  c:\hbhntt.exe  PID:3972
- 107  \??\c:\bhbtnn.exe  c:\bhbtnn.exe  PID:4632
- 108  \??\c:\jvvdv.exe  c:\jvvdv.exe  PID:3764
- 109  \??\c:\vjdpd.exe  c:\vjdpd.exe  PID:2296
- 110  \??\c:\rfflxxl.exe  c:\rfflxxl.exe  PID:2472
- 111  \??\c:\nbbnbn.exe  c:\nbbnbn.exe  PID:2460
- 112  \??\c:\bbnbnh.exe  c:\bbnbnh.exe  PID:4572
- 113  \??\c:\vvjdv.exe  c:\vvjdv.exe  PID:2784
- 114  \??\c:\lflfrrx.exe  c:\lflfrrx.exe  PID:1740
- 115  \??\c:\fxlfxrf.exe  c:\fxlfxrf.exe  PID:1788
- 116  \??\c:\nnhnbn.exe  c:\nnhnbn.exe  PID:3300
- 117  \??\c:\dppvj.exe  c:\dppvj.exe  PID:884
- 118  \??\c:\7vvpp.exe  c:\7vvpp.exe  PID:4976
- 119  \??\c:\frrfxrr.exe  c:\frrfxrr.exe  PID:2292
- 120  \??\c:\nhnbnb.exe  c:\nhnbnb.exe  PID:3620
- 121  \??\c:\5hhbtt.exe  c:\5hhbtt.exe  PID:2016
- 122  \??\c:\dddpd.exe  c:\dddpd.exe  PID:208