Analysis
-
max time kernel
107s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
28-07-2024 00:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
036ec09cb290b832438fe3cc04661c86_JaffaCakes118.exe
Resource
win7-20240729-en
windows7-x64
6 signatures
150 seconds
General
-
Target
036ec09cb290b832438fe3cc04661c86_JaffaCakes118.exe
-
Size
460KB
-
MD5
036ec09cb290b832438fe3cc04661c86
-
SHA1
33f9c99059c36db0f584d51cf70ad7b0dce747b2
-
SHA256
9deb65f64e3e481e6878581c617e129700548364b485a777b85df5e738a21bdf
-
SHA512
d826b1006fbf136ecb205a9da4382f1938f94d87a2f61770638a525bffb4e60111b0494a113f96b357ceef378bcdc2288f954f917a4df71231ba615baf8da70c
-
SSDEEP
6144:Pcm7ImGddXtWrXD486jJq1BStv4Ib1HsstsQ:d7Tc9Wj16A3StvxEQ
Malware Config
Signatures
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/2732-0-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1948-17-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1948-8-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1208-27-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2824-65-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2664-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2792-84-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3064-95-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2716-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3044-130-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2528-186-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2352-204-0x00000000003C0000-0x00000000003E9000-memory.dmp family_blackmoon behavioral1/memory/2352-203-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2464-322-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2800-424-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2896-468-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2496-760-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/628-1077-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2432-739-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1052-662-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2832-625-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1948-575-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3052-392-0x00000000001B0000-0x00000000001D9000-memory.dmp family_blackmoon behavioral1/memory/3060-372-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2540-358-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2892-351-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2580-342-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1608-308-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1300-263-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2272-246-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1728-166-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1704-148-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2100-132-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3044-128-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2932-120-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2768-56-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2324-41-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2176-38-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1948 htbnbh.exe 1208 fflrfxx.exe 2176 bhtntt.exe 2324 vdjdj.exe 2768 dvpvp.exe 2824 hhntnh.exe 2664 dpjdv.exe 2792 lllxrxl.exe 2556 7nnbbn.exe 3064 ddppp.exe 2716 1lrlllf.exe 2932 jvjdv.exe 3044 1ddjv.exe 2100 thbhnt.exe 1704 xxxlfrl.exe 2884 nhnhhb.exe 1728 bntttb.exe 272 djvdv.exe 2528 fxrrxfr.exe 2180 bbbnbh.exe 2352 dvppv.exe 1928 xlxllxf.exe 1176 frxxfff.exe 2496 bhhttt.exe 324 7rfxlrr.exe 2272 bnhtht.exe 1756 vppjj.exe 1300 flrfxrl.exe 688 nnbbbn.exe 1092 dppjj.exe 1332 ffllxfr.exe 836 bhnhtb.exe 2732 fxffllx.exe 1608 tnhhtt.exe 1948 1ppdp.exe 2464 7fflfrf.exe 2676 9btntt.exe 2324 pppjv.exe 2780 dpdvv.exe 2580 rrxlfrl.exe 2892 bhnnhh.exe 2540 dpdvv.exe 2668 lxlfxrl.exe 3060 fxxfffx.exe 1964 thbttn.exe 3052 jdpjp.exe 2660 rlxlxlr.exe 2128 9bbhbh.exe 2100 nthhnh.exe 2392 ddjpd.exe 2648 lfxflxr.exe 2800 bnbtnn.exe 448 xxfrlxr.exe 1420 hnhbbb.exe 1256 ddpdj.exe 2356 lrxllff.exe 2140 hhbhth.exe 2896 vpjdj.exe 1404 lrlrlrl.exe 2192 lxxlrxf.exe 1308 hhhtnt.exe 2500 djpjv.exe 288 fffrrxr.exe 2956 frffrxx.exe -
resource yara_rule behavioral1/memory/2732-0-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1208-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1948-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1948-8-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1208-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2824-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2792-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2664-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2792-84-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3064-95-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2716-110-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3044-130-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1704-140-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2528-186-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2352-203-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2496-221-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2464-322-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1964-379-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2800-424-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2896-461-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2896-468-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1948-568-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1744-598-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2828-663-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2488-676-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2496-760-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1640-804-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1672-880-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2352-1005-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/628-1077-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2724-1044-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2432-1018-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1148-980-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2372-973-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2620-917-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2260-830-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2732-823-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1780-747-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2432-739-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1052-662-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1964-641-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2832-625-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2476-583-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1208-576-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1948-575-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3052-392-0x00000000001B0000-0x00000000001D9000-memory.dmp upx behavioral1/memory/3060-372-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2540-358-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2892-351-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2580-342-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2780-335-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1948-309-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1608-308-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1300-263-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2272-246-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2528-177-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/272-168-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1728-166-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1704-148-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2100-132-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2932-120-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2932-111-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2768-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2324-41-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2732 wrote to memory of 1948 2732 036ec09cb290b832438fe3cc04661c86_JaffaCakes118.exe 29 PID 2732 wrote to memory of 1948 2732 036ec09cb290b832438fe3cc04661c86_JaffaCakes118.exe 29 PID 2732 wrote to memory of 1948 2732 036ec09cb290b832438fe3cc04661c86_JaffaCakes118.exe 29 PID 2732 wrote to memory of 1948 2732 036ec09cb290b832438fe3cc04661c86_JaffaCakes118.exe 29 PID 1948 wrote to memory of 1208 1948 htbnbh.exe 104 PID 1948 wrote to memory of 1208 1948 htbnbh.exe 104 PID 1948 wrote to memory of 1208 1948 htbnbh.exe 104 PID 1948 wrote to memory of 1208 1948 htbnbh.exe 104 PID 1208 wrote to memory of 2176 1208 fflrfxx.exe 31 PID 1208 wrote to memory of 2176 1208 fflrfxx.exe 31 PID 1208 wrote to memory of 2176 1208 fflrfxx.exe 31 PID 1208 wrote to memory of 2176 1208 fflrfxx.exe 31 PID 2176 wrote to memory of 2324 2176 bhtntt.exe 66 PID 2176 wrote to memory of 2324 2176 bhtntt.exe 66 PID 2176 wrote to memory of 2324 2176 bhtntt.exe 66 PID 2176 wrote to memory of 2324 2176 bhtntt.exe 66 PID 2324 wrote to memory of 2768 2324 vdjdj.exe 33 PID 2324 wrote to memory of 2768 2324 vdjdj.exe 33 PID 2324 wrote to memory of 2768 2324 vdjdj.exe 33 PID 2324 wrote to memory of 2768 2324 vdjdj.exe 33 PID 2768 wrote to memory of 2824 2768 dvpvp.exe 34 PID 2768 wrote to memory of 2824 2768 dvpvp.exe 34 PID 2768 wrote to memory of 2824 2768 dvpvp.exe 34 PID 2768 wrote to memory of 2824 2768 dvpvp.exe 34 PID 2824 wrote to memory of 2664 2824 hhntnh.exe 35 PID 2824 wrote to memory of 2664 2824 hhntnh.exe 35 PID 2824 wrote to memory of 2664 2824 hhntnh.exe 35 PID 2824 wrote to memory of 2664 2824 hhntnh.exe 35 PID 2664 wrote to memory of 2792 2664 dpjdv.exe 36 PID 2664 wrote to memory of 2792 2664 dpjdv.exe 36 PID 2664 wrote to memory of 2792 2664 dpjdv.exe 36 PID 2664 wrote to memory of 2792 2664 dpjdv.exe 36 PID 2792 wrote to memory of 2556 2792 lllxrxl.exe 37 PID 2792 wrote to memory of 2556 2792 lllxrxl.exe 37 PID 2792 wrote to memory of 2556 
2792 lllxrxl.exe 37 PID 2792 wrote to memory of 2556 2792 lllxrxl.exe 37 PID 2556 wrote to memory of 3064 2556 7nnbbn.exe 38 PID 2556 wrote to memory of 3064 2556 7nnbbn.exe 38 PID 2556 wrote to memory of 3064 2556 7nnbbn.exe 38 PID 2556 wrote to memory of 3064 2556 7nnbbn.exe 38 PID 3064 wrote to memory of 2716 3064 ddppp.exe 39 PID 3064 wrote to memory of 2716 3064 ddppp.exe 39 PID 3064 wrote to memory of 2716 3064 ddppp.exe 39 PID 3064 wrote to memory of 2716 3064 ddppp.exe 39 PID 2716 wrote to memory of 2932 2716 1lrlllf.exe 40 PID 2716 wrote to memory of 2932 2716 1lrlllf.exe 40 PID 2716 wrote to memory of 2932 2716 1lrlllf.exe 40 PID 2716 wrote to memory of 2932 2716 1lrlllf.exe 40 PID 2932 wrote to memory of 3044 2932 jvjdv.exe 41 PID 2932 wrote to memory of 3044 2932 jvjdv.exe 41 PID 2932 wrote to memory of 3044 2932 jvjdv.exe 41 PID 2932 wrote to memory of 3044 2932 jvjdv.exe 41 PID 3044 wrote to memory of 2100 3044 1ddjv.exe 42 PID 3044 wrote to memory of 2100 3044 1ddjv.exe 42 PID 3044 wrote to memory of 2100 3044 1ddjv.exe 42 PID 3044 wrote to memory of 2100 3044 1ddjv.exe 42 PID 2100 wrote to memory of 1704 2100 thbhnt.exe 43 PID 2100 wrote to memory of 1704 2100 thbhnt.exe 43 PID 2100 wrote to memory of 1704 2100 thbhnt.exe 43 PID 2100 wrote to memory of 1704 2100 thbhnt.exe 43 PID 1704 wrote to memory of 2884 1704 xxxlfrl.exe 44 PID 1704 wrote to memory of 2884 1704 xxxlfrl.exe 44 PID 1704 wrote to memory of 2884 1704 xxxlfrl.exe 44 PID 1704 wrote to memory of 2884 1704 xxxlfrl.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\036ec09cb290b832438fe3cc04661c86_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\036ec09cb290b832438fe3cc04661c86_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\htbnbh.exec:\htbnbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\fflrfxx.exec:\fflrfxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\bhtntt.exec:\bhtntt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\vdjdj.exec:\vdjdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\dvpvp.exec:\dvpvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\hhntnh.exec:\hhntnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\dpjdv.exec:\dpjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\lllxrxl.exec:\lllxrxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\7nnbbn.exec:\7nnbbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\ddppp.exec:\ddppp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\1lrlllf.exec:\1lrlllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\jvjdv.exec:\jvjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\1ddjv.exec:\1ddjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\thbhnt.exec:\thbhnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\xxxlfrl.exec:\xxxlfrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\nhnhhb.exec:\nhnhhb.exe17⤵
- Executes dropped EXE
PID:2884 -
\??\c:\bntttb.exec:\bntttb.exe18⤵
- Executes dropped EXE
PID:1728 -
\??\c:\djvdv.exec:\djvdv.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:272 -
\??\c:\fxrrxfr.exec:\fxrrxfr.exe20⤵
- Executes dropped EXE
PID:2528 -
\??\c:\bbbnbh.exec:\bbbnbh.exe21⤵
- Executes dropped EXE
PID:2180 -
\??\c:\dvppv.exec:\dvppv.exe22⤵
- Executes dropped EXE
PID:2352 -
\??\c:\xlxllxf.exec:\xlxllxf.exe23⤵
- Executes dropped EXE
PID:1928 -
\??\c:\frxxfff.exec:\frxxfff.exe24⤵
- Executes dropped EXE
PID:1176 -
\??\c:\bhhttt.exec:\bhhttt.exe25⤵
- Executes dropped EXE
PID:2496 -
\??\c:\7rfxlrr.exec:\7rfxlrr.exe26⤵
- Executes dropped EXE
PID:324 -
\??\c:\bnhtht.exec:\bnhtht.exe27⤵
- Executes dropped EXE
PID:2272 -
\??\c:\vppjj.exec:\vppjj.exe28⤵
- Executes dropped EXE
PID:1756 -
\??\c:\flrfxrl.exec:\flrfxrl.exe29⤵
- Executes dropped EXE
PID:1300 -
\??\c:\nnbbbn.exec:\nnbbbn.exe30⤵
- Executes dropped EXE
PID:688 -
\??\c:\dppjj.exec:\dppjj.exe31⤵
- Executes dropped EXE
PID:1092 -
\??\c:\ffllxfr.exec:\ffllxfr.exe32⤵
- Executes dropped EXE
PID:1332 -
\??\c:\bhnhtb.exec:\bhnhtb.exe33⤵
- Executes dropped EXE
PID:836 -
\??\c:\fxffllx.exec:\fxffllx.exe34⤵
- Executes dropped EXE
PID:2732 -
\??\c:\tnhhtt.exec:\tnhhtt.exe35⤵
- Executes dropped EXE
PID:1608 -
\??\c:\1ppdp.exec:\1ppdp.exe36⤵
- Executes dropped EXE
PID:1948 -
\??\c:\7fflfrf.exec:\7fflfrf.exe37⤵
- Executes dropped EXE
PID:2464 -
\??\c:\9btntt.exec:\9btntt.exe38⤵
- Executes dropped EXE
PID:2676 -
\??\c:\pppjv.exec:\pppjv.exe39⤵
- Executes dropped EXE
PID:2324 -
\??\c:\dpdvv.exec:\dpdvv.exe40⤵
- Executes dropped EXE
PID:2780 -
\??\c:\rrxlfrl.exec:\rrxlfrl.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2580 -
\??\c:\bhnnhh.exec:\bhnnhh.exe42⤵
- Executes dropped EXE
PID:2892 -
\??\c:\dpdvv.exec:\dpdvv.exe43⤵
- Executes dropped EXE
PID:2540 -
\??\c:\lxlfxrl.exec:\lxlfxrl.exe44⤵
- Executes dropped EXE
PID:2668 -
\??\c:\fxxfffx.exec:\fxxfffx.exe45⤵
- Executes dropped EXE
PID:3060 -
\??\c:\thbttn.exec:\thbttn.exe46⤵
- Executes dropped EXE
PID:1964 -
\??\c:\jdpjp.exec:\jdpjp.exe47⤵
- Executes dropped EXE
PID:3052 -
\??\c:\rlxlxlr.exec:\rlxlxlr.exe48⤵
- Executes dropped EXE
PID:2660 -
\??\c:\9bbhbh.exec:\9bbhbh.exe49⤵
- Executes dropped EXE
PID:2128 -
\??\c:\nthhnh.exec:\nthhnh.exe50⤵
- Executes dropped EXE
PID:2100 -
\??\c:\ddjpd.exec:\ddjpd.exe51⤵
- Executes dropped EXE
PID:2392 -
\??\c:\lfxflxr.exec:\lfxflxr.exe52⤵
- Executes dropped EXE
PID:2648 -
\??\c:\bnbtnn.exec:\bnbtnn.exe53⤵
- Executes dropped EXE
PID:2800 -
\??\c:\xxfrlxr.exec:\xxfrlxr.exe54⤵
- Executes dropped EXE
PID:448 -
\??\c:\hnhbbb.exec:\hnhbbb.exe55⤵
- Executes dropped EXE
PID:1420 -
\??\c:\ddpdj.exec:\ddpdj.exe56⤵
- Executes dropped EXE
PID:1256 -
\??\c:\lrxllff.exec:\lrxllff.exe57⤵
- Executes dropped EXE
PID:2356 -
\??\c:\hhbhth.exec:\hhbhth.exe58⤵
- Executes dropped EXE
PID:2140 -
\??\c:\vpjdj.exec:\vpjdj.exe59⤵
- Executes dropped EXE
PID:2896 -
\??\c:\lrlrlrl.exec:\lrlrlrl.exe60⤵
- Executes dropped EXE
PID:1404 -
\??\c:\lxxlrxf.exec:\lxxlrxf.exe61⤵
- Executes dropped EXE
PID:2192 -
\??\c:\hhhtnt.exec:\hhhtnt.exe62⤵
- Executes dropped EXE
PID:1308 -
\??\c:\djpjv.exec:\djpjv.exe63⤵
- Executes dropped EXE
PID:2500 -
\??\c:\fffrrxr.exec:\fffrrxr.exe64⤵
- Executes dropped EXE
PID:288 -
\??\c:\frffrxx.exec:\frffrxx.exe65⤵
- Executes dropped EXE
PID:2956 -
\??\c:\hhttbb.exec:\hhttbb.exe66⤵PID:2208
-
\??\c:\vpvjj.exec:\vpvjj.exe67⤵PID:968
-
\??\c:\xxfrlxr.exec:\xxfrlxr.exe68⤵PID:1924
-
\??\c:\flrxllx.exec:\flrxllx.exe69⤵PID:1640
-
\??\c:\hntnnn.exec:\hntnnn.exe70⤵PID:1092
-
\??\c:\pddpd.exec:\pddpd.exe71⤵PID:1332
-
\??\c:\1pdvv.exec:\1pdvv.exe72⤵PID:1720
-
\??\c:\lxrxxxx.exec:\lxrxxxx.exe73⤵PID:1628
-
\??\c:\tnhhth.exec:\tnhhth.exe74⤵PID:2292
-
\??\c:\jpvdv.exec:\jpvdv.exe75⤵PID:2224
-
\??\c:\djppp.exec:\djppp.exe76⤵PID:1948
-
\??\c:\fxrfrfx.exec:\fxrfrfx.exe77⤵PID:1208
-
\??\c:\hhhtnb.exec:\hhhtnb.exe78⤵PID:2476
-
\??\c:\vvdvj.exec:\vvdvj.exe79⤵PID:2760
-
\??\c:\frrxxll.exec:\frrxxll.exe80⤵PID:1744
-
\??\c:\nnthtn.exec:\nnthtn.exe81⤵PID:2684
-
\??\c:\bbbnbn.exec:\bbbnbn.exe82⤵PID:2120
-
\??\c:\vppdp.exec:\vppdp.exe83⤵PID:2556
-
\??\c:\frlxflx.exec:\frlxflx.exe84⤵PID:2832
-
\??\c:\7hbntt.exec:\7hbntt.exe85⤵PID:3056
-
\??\c:\nbthhb.exec:\nbthhb.exe86⤵PID:1964
-
\??\c:\djppp.exec:\djppp.exe87⤵PID:1540
-
\??\c:\fffrlfx.exec:\fffrlfx.exe88⤵PID:1052
-
\??\c:\htnbht.exec:\htnbht.exe89⤵PID:2828
-
\??\c:\ddjvd.exec:\ddjvd.exe90⤵PID:2632
-
\??\c:\djpvp.exec:\djpvp.exe91⤵PID:2488
-
\??\c:\xlrfrrx.exec:\xlrfrrx.exe92⤵PID:1620
-
\??\c:\nnhnbn.exec:\nnhnbn.exe93⤵PID:2072
-
\??\c:\thbnhn.exec:\thbnhn.exe94⤵PID:1360
-
\??\c:\ddjpd.exec:\ddjpd.exe95⤵PID:864
-
\??\c:\9xrrffr.exec:\9xrrffr.exe96⤵PID:980
-
\??\c:\3nnhbn.exec:\3nnhbn.exe97⤵PID:2492
-
\??\c:\htntnn.exec:\htntnn.exe98⤵PID:1160
-
\??\c:\vvvpj.exec:\vvvpj.exe99⤵PID:2352
-
\??\c:\xxrrrfr.exec:\xxrrrfr.exe100⤵PID:2384
-
\??\c:\5hnhbh.exec:\5hnhbh.exe101⤵PID:2432
-
\??\c:\nbnnhb.exec:\nbnnhb.exe102⤵PID:1780
-
\??\c:\jppdp.exec:\jppdp.exe103⤵PID:2496
-
\??\c:\xxlfrfx.exec:\xxlfrfx.exe104⤵PID:904
-
\??\c:\tbbnbn.exec:\tbbnbn.exe105⤵PID:2724
-
\??\c:\bhnthb.exec:\bhnthb.exe106⤵PID:2380
-
\??\c:\vdvjj.exec:\vdvjj.exe107⤵PID:664
-
\??\c:\frxlfll.exec:\frxlfll.exe108⤵PID:1300
-
\??\c:\rrrrlrl.exec:\rrrrlrl.exe109⤵PID:1156
-
\??\c:\jpddj.exec:\jpddj.exe110⤵PID:3040
-
\??\c:\lfxxlrl.exec:\lfxxlrl.exe111⤵PID:1640
-
\??\c:\hnnhbn.exec:\hnnhbn.exe112⤵PID:1040
-
\??\c:\vdjvp.exec:\vdjvp.exe113⤵PID:1480
-
\??\c:\rrflxxl.exec:\rrflxxl.exe114⤵PID:2732
-
\??\c:\9xxffrr.exec:\9xxffrr.exe115⤵PID:2260
-
\??\c:\nnhtnh.exec:\nnhtnh.exe116⤵PID:2168
-
\??\c:\vdjjp.exec:\vdjjp.exe117⤵PID:2156
-
\??\c:\7dvvp.exec:\7dvvp.exe118⤵PID:2136
-
\??\c:\flrxllf.exec:\flrxllf.exe119⤵PID:1296
-
\??\c:\7ttbbh.exec:\7ttbbh.exe120⤵PID:2824
-
\??\c:\vvpvp.exec:\vvpvp.exe121⤵PID:2760
-
\??\c:\ppjdj.exec:\ppjdj.exe122⤵PID:880