Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/07/2024, 23:13

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 0230b81d5f788e582797fd54bea56470_JaffaCakes118.exe
  Resource: win7-20240704-en
  6 signatures, 150 seconds
The behavioral task listed here ran on the win7 resource, whereas the platform and resource in the header describe the Windows 10 run, and every memory-dump and process IoC below is tagged behavioral2, which corresponds to that Windows 10 run.
General
Target: 0230b81d5f788e582797fd54bea56470_JaffaCakes118.exe
Size: 209KB
MD5: 0230b81d5f788e582797fd54bea56470
SHA1: 98fd12512f29fcf4a3a8a78b0f013699cdb5c925
SHA256: 81e43925032313743f0d0f85c6b81b10f79376bd106b8de655e3e640709cdad6
SHA512: e148db08609779a2936cb804546765938cd532c42822ca943c8a030c30351e5f9291bc26c272d90e11c80c145f8c37bdee22c326248e688b8b75f854deb8afba
SSDEEP: 3072:EhOm2sI93UufdC67ciyt3ujFf7TQsq5VaQv2:Ecm7ImGddXyt38TU5u
Malware Config
Signatures
Detect Blackmoon payload (64 IoCs)
Every entry is the yara rule family_blackmoon matching the same image region, 0x0000000000400000-0x000000000042A000, in a memory dump of the sample (PID 704) or of one of the dropped executables. The dump resources are behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000042A000-memory.dmp with these <pid>-<n> values:
564-29, 4356-36, 2620-43, 1920-48, 2700-61, 3124-55, 2236-63, 3096-74, 4536-80, 3528-81, 5076-91, 3096-68, 2588-19, 4756-17, 4572-11, 704-4, 4836-97, 1436-105, 3012-119, 516-125, 5028-128,
1656-137, 4832-153, 440-159, 2688-161, 1484-174, 1200-181, 2028-188, 2212-195, 1940-197, 4152-205, 4736-209, 3752-214, 4404-221, 2936-227, 4356-247, 2624-249, 2492-256, 3120-263, 3236-274, 1764-292, 4592-296,
1768-301, 4744-304, 4424-319, 3556-324, 512-335, 1360-342, 3284-343, 4688-357, 1152-364, 2940-372, 1940-386, 4152-390, 4452-394, 1908-404, 4572-411, 3724-413, 4024-435, 4836-481, 4272-485, 1152-536, 548-614, 4384-588
The identical base address and size (0x2A000) in every process is consistent with each drop being the same payload written to disk again under a new name.
Executes dropped EXE (64 IoCs)
pid Process:
4572 nnbtbn.exe; 4756 7vpjd.exe; 2588 dpjdp.exe; 564 rllffxx.exe; 4356 7tbtbb.exe; 2620 1dvdd.exe; 1920 bhhbtt.exe; 3124 jddvv.exe;
2700 xrlfffx.exe; 2236 hhtttn.exe; 3096 vdvvp.exe; 4536 ffxxrrr.exe; 3528 nhbhbh.exe; 5076 djpvj.exe; 4836 xrlxlxl.exe; 4300 bthhbb.exe;
1436 jvddj.exe; 4768 vjjdd.exe; 3012 nhtntt.exe; 516 jvjdv.exe; 5028 fxxrrll.exe; 1656 thhhbt.exe; 536 pjppp.exe; 3832 bhhntb.exe;
4832 jvppv.exe; 440 xxlfxlx.exe; 2688 hnnbtn.exe; 4360 3pjjd.exe; 1484 tnnnbh.exe; 1200 jpppj.exe; 2028 rlxlfff.exe; 3064 thnhbn.exe;
2212 xfrrllf.exe; 1940 ffxlfrx.exe; 4152 nhbtnb.exe; 4736 jddpd.exe; 3752 xlfxrrf.exe; 1672 5tnhbb.exe; 4404 jdvjv.exe; 4672 ddvjd.exe;
2936 xrxrllf.exe; 3724 hhhnhb.exe; 4816 dvvdd.exe; 5064 rxlrfrl.exe; 4516 hnttbt.exe; 3288 vpvdj.exe; 4356 lfllxlf.exe; 2624 hbnntt.exe;
2492 nhtntt.exe; 3128 jpjdj.exe; 3120 vjjvv.exe; 3124 rffxfll.exe; 4988 bbthtn.exe; 3236 htttnn.exe; 1660 jvpjd.exe; 1552 rxlrlll.exe;
1760 ntbthh.exe; 1568 5pvjp.exe; 1764 rllxrrl.exe; 4592 1nnhbb.exe; 1768 fxxrfxl.exe; 4744 bhhbtt.exe; 3476 pdppj.exe; 3280 fxxrlrr.exe
PIDs 4356 and 3124 each appear twice with different image names: the earlier process had exited and Windows reissued the PID, so a PID on its own is not a stable key for correlating events in this run.
yara rule upx matched (64 IoCs)
Same resource layout as above (behavioral2/memory/<pid>-<n>-0x0000000000400000-0x000000000042A000-memory.dmp), rule upx, for these <pid>-<n> values:
564-29, 4356-36, 2620-37, 2620-43, 1920-48, 2700-61, 3124-55, 2236-63, 3096-74, 4536-80, 3528-81, 5076-91, 3096-68, 2588-19, 4756-17, 4756-12, 4572-11, 704-4, 4836-97, 1436-105, 3012-119, 516-125, 5028-128, 1656-137,
4832-153, 440-159, 2688-161, 1484-174, 1200-181, 2028-183, 2028-188, 2212-195, 1940-197, 4152-201, 4152-205, 4736-209, 3752-210, 3752-214, 4404-221, 2936-227, 4816-231, 4356-247, 2624-249, 2492-252, 2492-256, 3120-263, 3124-264, 3236-274,
1660-275, 1764-292, 4592-296, 1768-297, 1768-301, 4744-304, 2164-314, 4424-319, 3556-324, 512-335, 1360-342, 3284-343, 4956-353, 4688-357, 1152-364, 2940-368
A UPX match on its own says nothing about intent; it matters here because most of the same dumps also hit family_blackmoon, so the packer is wrapping that payload in every process of the chain.
System Location Discovery: System Language Discovery (1 TTP, MITRE ATT&CK T1614.001; 64 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
ioc: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
The key was opened by the sample itself (0230b81d5f788e582797fd54bea56470_JaffaCakes118.exe) and by the dropped executables bbnbnn.exe, nbbbhb.exe, bnhthb.exe, 9lffrlx.exe, 9pdvv.exe, bnthnh.exe, hhhbtt.exe, 9xfflrf.exe, 5nnnnt.exe, xllfxxr.exe, vjpjj.exe, djjdp.exe, nnbttn.exe, rrffrxf.exe, vdjdp.exe and vjjjj.exe; the remaining 47 of the 64 entries are attributed to "Process not Found", meaning the sandbox did not attribute the event to a process it was still tracking (the opener had already exited). Of the named droppers only 9pdvv.exe appears in the process tree below, so the chain evidently continued past the 122 processes the tree displays. Reading this NLS key is weak evidence on its own, since common runtime and locale APIs open it in benign software as well; treat it as supporting context for the drop chain rather than as an indicator in itself.
Suspicious use of WriteProcessMemory (64 IoCs)
Each line gives the writer PID, the writer image, the target PID and, in parentheses, the sandbox's procid_target for the target. Every writer wrote to its target exactly three times, which is the pattern ordinary process creation leaves behind (the creating process fills in the new child's address space before its first thread runs) rather than injection into a process that was already running. The 64 entries cover the first 21 links of the chain plus the first write of the 22nd; the process tree below continues it.
704 0230b81d5f788e582797fd54bea56470_JaffaCakes118.exe -> 4572 (84)
4572 nnbtbn.exe -> 4756 (85)
4756 7vpjd.exe -> 2588 (86)
2588 dpjdp.exe -> 564 (87)
564 rllffxx.exe -> 4356 (88)
4356 7tbtbb.exe -> 2620 (89)
2620 1dvdd.exe -> 1920 (91)
1920 bhhbtt.exe -> 3124 (92)
3124 jddvv.exe -> 2700 (93)
2700 xrlfffx.exe -> 2236 (95)
2236 hhtttn.exe -> 3096 (96)
3096 vdvvp.exe -> 4536 (97)
4536 ffxxrrr.exe -> 3528 (98)
3528 nhbhbh.exe -> 5076 (99)
5076 djpvj.exe -> 4836 (100)
4836 xrlxlxl.exe -> 4300 (102)
4300 bthhbb.exe -> 1436 (103)
1436 jvddj.exe -> 4768 (104)
4768 vjjdd.exe -> 3012 (105)
3012 nhtntt.exe -> 516 (106)
516 jvjdv.exe -> 5028 (107)
5028 fxxrrll.exe -> 1656 (108), one write shown before the 64-entry cap
Processes
The tree is one chain 122 levels deep: the sample drops an executable directly into the root of C:\, launches it, and that child drops and launches the next. Every dropped image is named with a short run of the same few consonants (b, d, f, h, j, l, n, p, r, t, v, x), sometimes with a leading digit. Each line gives the depth (each process is the child of the line above it), the image path, the command line, the PID, and the signatures attributed to that process: EDE = Executes dropped EXE, WPM = Suspicious use of WriteProcessMemory, SLD = System Location Discovery: System Language Discovery. EDE stops at depth 65 and WPM at depth 22 because each signature lists at most 64 entries, not because the behaviour changed. Several PIDs recur along the chain (4356 at depths 6 and 48, 3124 at 9 and 53, 4572 at 2 and 93, and likewise 2212, 1940, 4152, 3752, 3724, 4836, 1436 and 3012): the earlier holder had exited and Windows reissued the PID.
1  C:\Users\Admin\AppData\Local\Temp\0230b81d5f788e582797fd54bea56470_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\0230b81d5f788e582797fd54bea56470_JaffaCakes118.exe"  PID 704  [SLD, WPM]
2  \??\c:\nnbtbn.exe  c:\nnbtbn.exe  PID 4572  [EDE, WPM]
3  \??\c:\7vpjd.exe  c:\7vpjd.exe  PID 4756  [EDE, WPM]
4  \??\c:\dpjdp.exe  c:\dpjdp.exe  PID 2588  [EDE, WPM]
5  \??\c:\rllffxx.exe  c:\rllffxx.exe  PID 564  [EDE, WPM]
6  \??\c:\7tbtbb.exe  c:\7tbtbb.exe  PID 4356  [EDE, WPM]
7  \??\c:\1dvdd.exe  c:\1dvdd.exe  PID 2620  [EDE, WPM]
8  \??\c:\bhhbtt.exe  c:\bhhbtt.exe  PID 1920  [EDE, WPM]
9  \??\c:\jddvv.exe  c:\jddvv.exe  PID 3124  [EDE, WPM]
10  \??\c:\xrlfffx.exe  c:\xrlfffx.exe  PID 2700  [EDE, WPM]
11  \??\c:\hhtttn.exe  c:\hhtttn.exe  PID 2236  [EDE, WPM]
12  \??\c:\vdvvp.exe  c:\vdvvp.exe  PID 3096  [EDE, WPM]
13  \??\c:\ffxxrrr.exe  c:\ffxxrrr.exe  PID 4536  [EDE, WPM]
14  \??\c:\nhbhbh.exe  c:\nhbhbh.exe  PID 3528  [EDE, WPM]
15  \??\c:\djpvj.exe  c:\djpvj.exe  PID 5076  [EDE, WPM]
16  \??\c:\xrlxlxl.exe  c:\xrlxlxl.exe  PID 4836  [EDE, WPM]
17  \??\c:\bthhbb.exe  c:\bthhbb.exe  PID 4300  [EDE, WPM]
18  \??\c:\jvddj.exe  c:\jvddj.exe  PID 1436  [EDE, WPM]
19  \??\c:\vjjdd.exe  c:\vjjdd.exe  PID 4768  [EDE, WPM]
20  \??\c:\nhtntt.exe  c:\nhtntt.exe  PID 3012  [EDE, WPM]
21  \??\c:\jvjdv.exe  c:\jvjdv.exe  PID 516  [EDE, WPM]
22  \??\c:\fxxrrll.exe  c:\fxxrrll.exe  PID 5028  [EDE, WPM]
23  \??\c:\thhhbt.exe  c:\thhhbt.exe  PID 1656  [EDE]
24  \??\c:\pjppp.exe  c:\pjppp.exe  PID 536  [EDE]
25  \??\c:\bhhntb.exe  c:\bhhntb.exe  PID 3832  [EDE]
26  \??\c:\jvppv.exe  c:\jvppv.exe  PID 4832  [EDE]
27  \??\c:\xxlfxlx.exe  c:\xxlfxlx.exe  PID 440  [EDE]
28  \??\c:\hnnbtn.exe  c:\hnnbtn.exe  PID 2688  [EDE]
29  \??\c:\3pjjd.exe  c:\3pjjd.exe  PID 4360  [EDE]
30  \??\c:\tnnnbh.exe  c:\tnnnbh.exe  PID 1484  [EDE]
31  \??\c:\jpppj.exe  c:\jpppj.exe  PID 1200  [EDE]
32  \??\c:\rlxlfff.exe  c:\rlxlfff.exe  PID 2028  [EDE]
33  \??\c:\thnhbn.exe  c:\thnhbn.exe  PID 3064  [EDE]
34  \??\c:\xfrrllf.exe  c:\xfrrllf.exe  PID 2212  [EDE]
35  \??\c:\ffxlfrx.exe  c:\ffxlfrx.exe  PID 1940  [EDE]
36  \??\c:\nhbtnb.exe  c:\nhbtnb.exe  PID 4152  [EDE]
37  \??\c:\jddpd.exe  c:\jddpd.exe  PID 4736  [EDE]
38  \??\c:\xlfxrrf.exe  c:\xlfxrrf.exe  PID 3752  [EDE]
39  \??\c:\5tnhbb.exe  c:\5tnhbb.exe  PID 1672  [EDE]
40  \??\c:\jdvjv.exe  c:\jdvjv.exe  PID 4404  [EDE]
41  \??\c:\ddvjd.exe  c:\ddvjd.exe  PID 4672  [EDE]
42  \??\c:\xrxrllf.exe  c:\xrxrllf.exe  PID 2936  [EDE]
43  \??\c:\hhhnhb.exe  c:\hhhnhb.exe  PID 3724  [EDE]
44  \??\c:\dvvdd.exe  c:\dvvdd.exe  PID 4816  [EDE]
45  \??\c:\rxlrfrl.exe  c:\rxlrfrl.exe  PID 5064  [EDE]
46  \??\c:\hnttbt.exe  c:\hnttbt.exe  PID 4516  [EDE]
47  \??\c:\vpvdj.exe  c:\vpvdj.exe  PID 3288  [EDE]
48  \??\c:\lfllxlf.exe  c:\lfllxlf.exe  PID 4356  [EDE]
49  \??\c:\hbnntt.exe  c:\hbnntt.exe  PID 2624  [EDE]
50  \??\c:\nhtntt.exe  c:\nhtntt.exe  PID 2492  [EDE]
51  \??\c:\jpjdj.exe  c:\jpjdj.exe  PID 3128  [EDE]
52  \??\c:\vjjvv.exe  c:\vjjvv.exe  PID 3120  [EDE]
53  \??\c:\rffxfll.exe  c:\rffxfll.exe  PID 3124  [EDE]
54  \??\c:\bbthtn.exe  c:\bbthtn.exe  PID 4988  [EDE]
55  \??\c:\htttnn.exe  c:\htttnn.exe  PID 3236  [EDE]
56  \??\c:\jvpjd.exe  c:\jvpjd.exe  PID 1660  [EDE]
57  \??\c:\rxlrlll.exe  c:\rxlrlll.exe  PID 1552  [EDE]
58  \??\c:\ntbthh.exe  c:\ntbthh.exe  PID 1760  [EDE]
59  \??\c:\5pvjp.exe  c:\5pvjp.exe  PID 1568  [EDE]
60  \??\c:\rllxrrl.exe  c:\rllxrrl.exe  PID 1764  [EDE]
61  \??\c:\1nnhbb.exe  c:\1nnhbb.exe  PID 4592  [EDE]
62  \??\c:\fxxrfxl.exe  c:\fxxrfxl.exe  PID 1768  [EDE]
63  \??\c:\bhhbtt.exe  c:\bhhbtt.exe  PID 4744  [EDE]
64  \??\c:\pdppj.exe  c:\pdppj.exe  PID 3476  [EDE]
65  \??\c:\fxxrlrr.exe  c:\fxxrlrr.exe  PID 3280  [EDE]
66  \??\c:\rlfrlrf.exe  c:\rlfrlrf.exe  PID 3388
67  \??\c:\hbbttt.exe  c:\hbbttt.exe  PID 2164
68  \??\c:\dppdd.exe  c:\dppdd.exe  PID 4424
69  \??\c:\vpvvj.exe  c:\vpvvj.exe  PID 4100
70  \??\c:\7lrllll.exe  c:\7lrllll.exe  PID 3556
71  \??\c:\thtthn.exe  c:\thtthn.exe  PID 2064
72  \??\c:\nbbbbb.exe  c:\nbbbbb.exe  PID 512
73  \??\c:\dpjdj.exe  c:\dpjdj.exe  PID 4008
74  \??\c:\rxffrxx.exe  c:\rxffrxx.exe  PID 1360
75  \??\c:\fxrrxll.exe  c:\fxrrxll.exe  PID 3284
76  \??\c:\nhhtnb.exe  c:\nhhtnb.exe  PID 4868
77  \??\c:\hhhbbh.exe  c:\hhhbbh.exe  PID 4428
78  \??\c:\jpdvp.exe  c:\jpdvp.exe  PID 4956
79  \??\c:\lxfxflf.exe  c:\lxfxflf.exe  PID 4688
80  \??\c:\lfffxxr.exe  c:\lfffxxr.exe  PID 1152
81  \??\c:\nhnnbh.exe  c:\nhnnbh.exe  PID 3252
82  \??\c:\vvdvd.exe  c:\vvdvd.exe  PID 2940
83  \??\c:\ddjdv.exe  c:\ddjdv.exe  PID 4824
84  \??\c:\rlfxfrl.exe  c:\rlfxfrl.exe  PID 4860
85  \??\c:\tnhbhh.exe  c:\tnhbhh.exe  PID 2212
86  \??\c:\1jjpd.exe  c:\1jjpd.exe  PID 1940
87  \??\c:\ffxrfll.exe  c:\ffxrfll.exe  PID 4152
88  \??\c:\hnnntt.exe  c:\hnnntt.exe  PID 4452
89  \??\c:\hnhhnt.exe  c:\hnhhnt.exe  PID 3752
90  \??\c:\vvpdd.exe  c:\vvpdd.exe  PID 4652
91  \??\c:\flrxrxf.exe  c:\flrxrxf.exe  PID 1908
92  \??\c:\fxrllrf.exe  c:\fxrllrf.exe  PID 468
93  \??\c:\bthhbn.exe  c:\bthhbn.exe  PID 4572
94  \??\c:\jjpjd.exe  c:\jjpjd.exe  PID 3724
95  \??\c:\9pdvv.exe  c:\9pdvv.exe  PID 4384  [SLD]
96  \??\c:\llxxxff.exe  c:\llxxxff.exe  PID 4584
97  \??\c:\nnbbbn.exe  c:\nnbbbn.exe  PID 1432
98  \??\c:\hbtttb.exe  c:\hbtttb.exe  PID 4052
99  \??\c:\djvpp.exe  c:\djvpp.exe  PID 184
100  \??\c:\llrrxlx.exe  c:\llrrxlx.exe  PID 2904
101  \??\c:\llflfff.exe  c:\llflfff.exe  PID 4024
102  \??\c:\bhttnn.exe  c:\bhttnn.exe  PID 2984
103  \??\c:\ntnnhh.exe  c:\ntnnhh.exe  PID 548
104  \??\c:\ppdjp.exe  c:\ppdjp.exe  PID 3872
105  \??\c:\xfxrrxx.exe  c:\xfxrrxx.exe  PID 4200
106  \??\c:\xlrlfll.exe  c:\xlrlfll.exe  PID 860
107  \??\c:\ttbtnh.exe  c:\ttbtnh.exe  PID 3896
108  \??\c:\thnntn.exe  c:\thnntn.exe  PID 2412
109  \??\c:\pjvpp.exe  c:\pjvpp.exe  PID 3224
110  \??\c:\xrfxrll.exe  c:\xrfxrll.exe  PID 2584
111  \??\c:\fxlrxxf.exe  c:\fxlrxxf.exe  PID 4188
112  \??\c:\hhbttn.exe  c:\hhbttn.exe  PID 2184
113  \??\c:\htbttt.exe  c:\htbttt.exe  PID 4696
114  \??\c:\5jjdv.exe  c:\5jjdv.exe  PID 2604
115  \??\c:\vvpjd.exe  c:\vvpjd.exe  PID 4836
116  \??\c:\frllflf.exe  c:\frllflf.exe  PID 4272
117  \??\c:\lrxlflx.exe  c:\lrxlflx.exe  PID 1436
118  \??\c:\hnhhht.exe  c:\hnhhht.exe  PID 4872
119  \??\c:\1vjpp.exe  c:\1vjpp.exe  PID 952
120  \??\c:\vvvvd.exe  c:\vvvvd.exe  PID 1488
121  \??\c:\lfflxxf.exe  c:\lfflxxf.exe  PID 3012
122  \??\c:\bnttbh.exe  c:\bnttbh.exe  PID 3648
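The WriteProcessMemory entries and the process tree above are easier to reason about once they are turned back into a chain, with the triple-write process-creation pattern separated from any other write and PID reuse made explicit. The script below is an added example written for this report; it is not tria.ge code and does not use any Triage API. It parses the signature text in the column layout printed on this page (writer PID, target PID, writer PID again, writer image, procid_target). The input block copies the first twelve entries from the report and appends one invented line (a single write by PID 4756 into a hypothetical PID 1234 with procid_target 10) so that a non-creation write is present to classify; the dropped-EXE pairs are a subset copied from the "Executes dropped EXE" list.

```python
"""Rebuild the drop chain from the 'Suspicious use of WriteProcessMemory'
entries and spot PID reuse in the 'Executes dropped EXE' list.

Added example for this report, not code from tria.ge.  Input lines follow the
layout printed in the signature table:
    PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
"""
import re
from collections import Counter, defaultdict

# Constructed input: the first 12 entries copied from the report, plus ONE
# made-up line at the end (PID 4756 writing once into a hypothetical PID 1234,
# procid_target 10).  That last line is NOT from the report; it exists so the
# classifier has a non-creation write to label.
WRITE_IOCS = """\
PID 704 wrote to memory of 4572 704 0230b81d5f788e582797fd54bea56470_JaffaCakes118.exe 84
PID 704 wrote to memory of 4572 704 0230b81d5f788e582797fd54bea56470_JaffaCakes118.exe 84
PID 704 wrote to memory of 4572 704 0230b81d5f788e582797fd54bea56470_JaffaCakes118.exe 84
PID 4572 wrote to memory of 4756 4572 nnbtbn.exe 85
PID 4572 wrote to memory of 4756 4572 nnbtbn.exe 85
PID 4572 wrote to memory of 4756 4572 nnbtbn.exe 85
PID 4756 wrote to memory of 2588 4756 7vpjd.exe 86
PID 4756 wrote to memory of 2588 4756 7vpjd.exe 86
PID 4756 wrote to memory of 2588 4756 7vpjd.exe 86
PID 2588 wrote to memory of 564 2588 dpjdp.exe 87
PID 2588 wrote to memory of 564 2588 dpjdp.exe 87
PID 2588 wrote to memory of 564 2588 dpjdp.exe 87
PID 4756 wrote to memory of 1234 4756 7vpjd.exe 10
"""

# Constructed input: (pid, image) pairs copied from 'Executes dropped EXE'.
DROPPED = [
    (4572, "nnbtbn.exe"), (4756, "7vpjd.exe"), (2588, "dpjdp.exe"),
    (564, "rllffxx.exe"), (4356, "7tbtbb.exe"), (2620, "1dvdd.exe"),
    (1920, "bhhbtt.exe"), (3124, "jddvv.exe"), (4356, "lfllxlf.exe"),
    (2624, "hbnntt.exe"), (2492, "nhtntt.exe"), (3128, "jpjdj.exe"),
    (3120, "vjjvv.exe"), (3124, "rffxfll.exe"),
]

LINE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_writes(text):
    """Return [(writer_pid, target_pid, writer_image, target_procid), ...]."""
    writes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        writer, target, writer_again, image, procid = m.groups()
        if writer != writer_again:  # the pid column must repeat the writer
            raise ValueError(f"inconsistent entry: {line!r}")
        writes.append((int(writer), int(target), image, int(procid)))
    return writes


def classify_writes(writes):
    """Group writes by (writer, target, target procid) and label each group.

    Three writes from a parent into a brand-new child is what ordinary process
    creation leaves behind in this sandbox (the creator fills in the child's
    address space before its first thread runs).  Any other count into a
    target is flagged for manual review.
    """
    counts = Counter((w, t, p) for w, t, _, p in writes)
    image_of = {(w, t, p): img for w, t, img, p in writes}
    groups = []
    for (w, t, p), n in sorted(counts.items(), key=lambda kv: kv[0][2]):
        groups.append({
            "writer": w, "writer_image": image_of[(w, t, p)], "target": t,
            "procid_target": p, "writes": n,
            "label": "process-creation" if n == 3 else "review",
        })
    return groups


def creation_chain(groups, root_pid):
    """Walk process-creation edges in sandbox order, starting from root_pid.

    Edges are consumed in procid_target order and only an edge whose writer is
    the current chain tail is taken, so a PID the OS reissues later in the run
    cannot be mistaken for its earlier holder.
    """
    chain = [root_pid]
    for g in groups:  # already sorted by procid_target
        if g["label"] == "process-creation" and g["writer"] == chain[-1]:
            chain.append(g["target"])
    return chain


def pid_reuse(dropped):
    """Map every PID seen under more than one image name to those names."""
    names = defaultdict(list)
    for pid, image in dropped:
        names[pid].append(image)
    return {pid: imgs for pid, imgs in names.items() if len(imgs) > 1}


if __name__ == "__main__":
    groups = classify_writes(parse_writes(WRITE_IOCS))
    for g in groups:
        print(f"{g['writer']:>5} {g['writer_image']:<48} -> {g['target']:<5} "
              f"(procid {g['procid_target']:>3}) x{g['writes']} {g['label']}")
    chain = creation_chain(groups, root_pid=704)
    print("creation chain:", " -> ".join(map(str, chain)), f"(depth {len(chain) - 1})")
    print("PID reuse:", pid_reuse(DROPPED))
```

Run against the full 64-entry list on this page the chain comes out 21 links long ending at 5028 -> 1656, with the lone 22nd write labelled for review only because the list was cut off at 64 entries; that is the kind of artefact to rule out before treating an odd write count as injection. Keying the walk on procid_target rather than on PID is what keeps the second appearances of 4356, 3124 and 4572 from being spliced into the wrong place in the chain.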