Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
28/07/2024, 00:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
03ad68f25761d9fa82eec404f7a5238f_JaffaCakes118.exe
Resource
win7-20240704-en
6 signatures
150 seconds
General
-
Target
03ad68f25761d9fa82eec404f7a5238f_JaffaCakes118.exe
-
Size
214KB
-
MD5
03ad68f25761d9fa82eec404f7a5238f
-
SHA1
e1010586b700329fd0bc2e3086a7c5a0349a21fc
-
SHA256
40db1fbcac32c2f083575de7c310d27d455b7d5ea639370bea5773c8076727e8
-
SHA512
b8ad726e8c17244018cbc18391dbf0e9834da4ea4082938d3c964ae1e5eb7a28ae602a976c7a0be8cbdc43f8abcc2e10fdedfaf375f584ebce11dde1c7985fce
-
SSDEEP
3072:PhOm2sI93UufdC67cihvH1aV0Tx+5cuMI0cH:Pcm7ImGddXWV0F+cI0cH
Malware Config
Signatures
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/1852-7-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1936-27-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3040-30-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2356-38-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2192-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2292-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2120-88-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2632-97-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2452-114-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1844-124-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1844-118-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2608-133-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1056-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1944-168-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1544-176-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2760-204-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1780-213-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1284-230-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1680-240-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2520-296-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2416-327-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1532-353-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2120-382-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2452-412-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1844-422-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/108-436-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1228-462-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2508-483-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2696-489-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/572-502-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1536-517-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2088-541-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2856-543-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2088-580-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1244-752-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2108-851-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2616-1319-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2616-1322-0x00000000002B0000-0x00000000002D9000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 888 s2024.exe 1936 206802.exe 3040 082804.exe 2356 hhthhb.exe 2192 q82028.exe 2292 42068.exe 2640 9tnbbh.exe 2592 btntth.exe 2120 djvdv.exe 2632 40084.exe 2576 ntthht.exe 2452 6082068.exe 1844 22266.exe 2608 i442064.exe 1056 fxxllxf.exe 1928 tnhnbb.exe 1556 66064.exe 1944 20868.exe 1544 880882.exe 1704 26086.exe 496 7rrllfl.exe 2760 djvpv.exe 1780 nhttbh.exe 2136 608068.exe 1284 e02624.exe 1680 888228.exe 2088 222064.exe 864 62200.exe 876 4804006.exe 1236 bbbttn.exe 2308 nhtbnt.exe 2500 nhbhht.exe 884 7fffllr.exe 2520 1rxlrxf.exe 1320 xrlrffx.exe 2840 26424.exe 888 46044.exe 2416 ppjjv.exe 2900 4408208.exe 2988 004626.exe 772 2848822.exe 1532 60242.exe 2976 5xlflfr.exe 2664 0060860.exe 2544 c240680.exe 2596 9hbtht.exe 2120 pdjpj.exe 3000 m6080.exe 2440 48284.exe 2484 bhtnbb.exe 2452 4422446.exe 1844 xxlrfrf.exe 2228 e82626.exe 108 5btbbn.exe 1740 e46628.exe 2256 pdvjj.exe 1648 jdppv.exe 580 60468.exe 1228 66468.exe 2428 5jjjv.exe 2508 g6066.exe 2696 w82820.exe 2948 086464.exe 572 7fxrlrf.exe -
resource yara_rule behavioral1/memory/1852-0-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1852-7-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1936-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1936-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3040-30-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2356-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2192-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2292-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2120-88-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2632-97-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2452-114-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1844-124-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2608-133-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1056-142-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1944-168-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1544-176-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2760-204-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1780-213-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1284-230-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1680-240-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/876-261-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/memory/2520-296-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2416-327-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1532-353-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2664-360-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2596-373-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2120-382-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2452-412-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1844-422-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2228-423-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/108-436-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2256-443-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1228-462-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2508-476-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2508-483-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2696-489-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/572-502-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2428-515-0x00000000002A0000-0x00000000002C9000-memory.dmp upx behavioral1/memory/1536-517-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2856-543-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1500-555-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2520-593-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/memory/2212-600-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1532-638-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2844-657-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2120-670-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2608-708-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1792-727-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/1244-752-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1752-759-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1668-772-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2948-779-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1980-812-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2312-826-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2108-851-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/752-858-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1616-871-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2664-939-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/540-1073-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1492-1164-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2704-1244-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1640-1275-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1732-1282-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2616-1319-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4482204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0002460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhntnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q08866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8208402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4804006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 844448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1852 wrote to memory of 888 1852 03ad68f25761d9fa82eec404f7a5238f_JaffaCakes118.exe 28 PID 1852 wrote to memory of 888 1852 03ad68f25761d9fa82eec404f7a5238f_JaffaCakes118.exe 28 PID 1852 wrote to memory of 888 1852 03ad68f25761d9fa82eec404f7a5238f_JaffaCakes118.exe 28 PID 1852 wrote to memory of 888 1852 03ad68f25761d9fa82eec404f7a5238f_JaffaCakes118.exe 28 PID 888 wrote to memory of 1936 888 s2024.exe 29 PID 888 wrote to memory of 1936 888 s2024.exe 29 PID 888 wrote to memory of 1936 888 s2024.exe 29 PID 888 wrote to memory of 1936 888 s2024.exe 29 PID 1936 wrote to memory of 3040 1936 206802.exe 30 PID 1936 wrote to memory of 3040 1936 206802.exe 30 PID 1936 wrote to memory of 3040 1936 206802.exe 30 PID 1936 wrote to memory of 3040 1936 206802.exe 30 PID 3040 wrote to memory of 2356 3040 082804.exe 31 PID 3040 wrote to memory of 2356 3040 082804.exe 31 PID 3040 wrote to memory of 2356 3040 082804.exe 31 PID 3040 wrote to memory of 2356 3040 082804.exe 31 PID 2356 wrote to memory of 2192 2356 hhthhb.exe 32 PID 2356 wrote to memory of 2192 2356 hhthhb.exe 32 PID 2356 wrote to memory of 2192 2356 hhthhb.exe 32 PID 2356 wrote to memory of 2192 2356 hhthhb.exe 32 PID 2192 wrote to memory of 2292 2192 q82028.exe 33 PID 2192 wrote to memory of 2292 2192 q82028.exe 33 PID 2192 wrote to memory of 2292 2192 q82028.exe 33 PID 2192 wrote to memory of 2292 2192 q82028.exe 33 PID 2292 wrote to memory of 2640 2292 42068.exe 34 PID 2292 wrote to memory of 2640 2292 42068.exe 34 PID 2292 wrote to memory of 2640 2292 42068.exe 34 PID 2292 wrote to memory of 2640 2292 42068.exe 34 PID 2640 wrote to memory of 2592 2640 9tnbbh.exe 35 PID 2640 wrote to memory of 2592 2640 9tnbbh.exe 35 PID 2640 wrote to memory of 2592 2640 9tnbbh.exe 35 PID 2640 wrote to memory of 2592 2640 9tnbbh.exe 35 PID 2592 wrote to memory of 2120 2592 btntth.exe 36 PID 2592 wrote to memory of 2120 2592 btntth.exe 36 PID 2592 wrote to memory of 2120 2592 btntth.exe 36 
PID 2592 wrote to memory of 2120 2592 btntth.exe 36 PID 2120 wrote to memory of 2632 2120 djvdv.exe 37 PID 2120 wrote to memory of 2632 2120 djvdv.exe 37 PID 2120 wrote to memory of 2632 2120 djvdv.exe 37 PID 2120 wrote to memory of 2632 2120 djvdv.exe 37 PID 2632 wrote to memory of 2576 2632 40084.exe 38 PID 2632 wrote to memory of 2576 2632 40084.exe 38 PID 2632 wrote to memory of 2576 2632 40084.exe 38 PID 2632 wrote to memory of 2576 2632 40084.exe 38 PID 2576 wrote to memory of 2452 2576 ntthht.exe 39 PID 2576 wrote to memory of 2452 2576 ntthht.exe 39 PID 2576 wrote to memory of 2452 2576 ntthht.exe 39 PID 2576 wrote to memory of 2452 2576 ntthht.exe 39 PID 2452 wrote to memory of 1844 2452 6082068.exe 40 PID 2452 wrote to memory of 1844 2452 6082068.exe 40 PID 2452 wrote to memory of 1844 2452 6082068.exe 40 PID 2452 wrote to memory of 1844 2452 6082068.exe 40 PID 1844 wrote to memory of 2608 1844 22266.exe 41 PID 1844 wrote to memory of 2608 1844 22266.exe 41 PID 1844 wrote to memory of 2608 1844 22266.exe 41 PID 1844 wrote to memory of 2608 1844 22266.exe 41 PID 2608 wrote to memory of 1056 2608 i442064.exe 42 PID 2608 wrote to memory of 1056 2608 i442064.exe 42 PID 2608 wrote to memory of 1056 2608 i442064.exe 42 PID 2608 wrote to memory of 1056 2608 i442064.exe 42 PID 1056 wrote to memory of 1928 1056 fxxllxf.exe 43 PID 1056 wrote to memory of 1928 1056 fxxllxf.exe 43 PID 1056 wrote to memory of 1928 1056 fxxllxf.exe 43 PID 1056 wrote to memory of 1928 1056 fxxllxf.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\03ad68f25761d9fa82eec404f7a5238f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\03ad68f25761d9fa82eec404f7a5238f_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\s2024.exec:\s2024.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:888 -
\??\c:\206802.exec:\206802.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\082804.exec:\082804.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\hhthhb.exec:\hhthhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\q82028.exec:\q82028.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\42068.exec:\42068.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\9tnbbh.exec:\9tnbbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\btntth.exec:\btntth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\djvdv.exec:\djvdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\40084.exec:\40084.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\ntthht.exec:\ntthht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\6082068.exec:\6082068.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\22266.exec:\22266.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\i442064.exec:\i442064.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\fxxllxf.exec:\fxxllxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\tnhnbb.exec:\tnhnbb.exe17⤵
- Executes dropped EXE
PID:1928 -
\??\c:\66064.exec:\66064.exe18⤵
- Executes dropped EXE
PID:1556 -
\??\c:\20868.exec:\20868.exe19⤵
- Executes dropped EXE
PID:1944 -
\??\c:\880882.exec:\880882.exe20⤵
- Executes dropped EXE
PID:1544 -
\??\c:\26086.exec:\26086.exe21⤵
- Executes dropped EXE
PID:1704 -
\??\c:\7rrllfl.exec:\7rrllfl.exe22⤵
- Executes dropped EXE
PID:496 -
\??\c:\djvpv.exec:\djvpv.exe23⤵
- Executes dropped EXE
PID:2760 -
\??\c:\nhttbh.exec:\nhttbh.exe24⤵
- Executes dropped EXE
PID:1780 -
\??\c:\608068.exec:\608068.exe25⤵
- Executes dropped EXE
PID:2136 -
\??\c:\e02624.exec:\e02624.exe26⤵
- Executes dropped EXE
PID:1284 -
\??\c:\888228.exec:\888228.exe27⤵
- Executes dropped EXE
PID:1680 -
\??\c:\222064.exec:\222064.exe28⤵
- Executes dropped EXE
PID:2088 -
\??\c:\62200.exec:\62200.exe29⤵
- Executes dropped EXE
PID:864 -
\??\c:\4804006.exec:\4804006.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:876 -
\??\c:\bbbttn.exec:\bbbttn.exe31⤵
- Executes dropped EXE
PID:1236 -
\??\c:\nhtbnt.exec:\nhtbnt.exe32⤵
- Executes dropped EXE
PID:2308 -
\??\c:\nhbhht.exec:\nhbhht.exe33⤵
- Executes dropped EXE
PID:2500 -
\??\c:\7fffllr.exec:\7fffllr.exe34⤵
- Executes dropped EXE
PID:884 -
\??\c:\1rxlrxf.exec:\1rxlrxf.exe35⤵
- Executes dropped EXE
PID:2520 -
\??\c:\xrlrffx.exec:\xrlrffx.exe36⤵
- Executes dropped EXE
PID:1320 -
\??\c:\26424.exec:\26424.exe37⤵
- Executes dropped EXE
PID:2840 -
\??\c:\46044.exec:\46044.exe38⤵
- Executes dropped EXE
PID:888 -
\??\c:\ppjjv.exec:\ppjjv.exe39⤵
- Executes dropped EXE
PID:2416 -
\??\c:\4408208.exec:\4408208.exe40⤵
- Executes dropped EXE
PID:2900 -
\??\c:\004626.exec:\004626.exe41⤵
- Executes dropped EXE
PID:2988 -
\??\c:\2848822.exec:\2848822.exe42⤵
- Executes dropped EXE
PID:772 -
\??\c:\60242.exec:\60242.exe43⤵
- Executes dropped EXE
PID:1532 -
\??\c:\5xlflfr.exec:\5xlflfr.exe44⤵
- Executes dropped EXE
PID:2976 -
\??\c:\0060860.exec:\0060860.exe45⤵
- Executes dropped EXE
PID:2664 -
\??\c:\c240680.exec:\c240680.exe46⤵
- Executes dropped EXE
PID:2544 -
\??\c:\9hbtht.exec:\9hbtht.exe47⤵
- Executes dropped EXE
PID:2596 -
\??\c:\pdjpj.exec:\pdjpj.exe48⤵
- Executes dropped EXE
PID:2120 -
\??\c:\m6080.exec:\m6080.exe49⤵
- Executes dropped EXE
PID:3000 -
\??\c:\48284.exec:\48284.exe50⤵
- Executes dropped EXE
PID:2440 -
\??\c:\bhtnbb.exec:\bhtnbb.exe51⤵
- Executes dropped EXE
PID:2484 -
\??\c:\4422446.exec:\4422446.exe52⤵
- Executes dropped EXE
PID:2452 -
\??\c:\xxlrfrf.exec:\xxlrfrf.exe53⤵
- Executes dropped EXE
PID:1844 -
\??\c:\e82626.exec:\e82626.exe54⤵
- Executes dropped EXE
PID:2228 -
\??\c:\5btbbn.exec:\5btbbn.exe55⤵
- Executes dropped EXE
PID:108 -
\??\c:\e46628.exec:\e46628.exe56⤵
- Executes dropped EXE
PID:1740 -
\??\c:\pdvjj.exec:\pdvjj.exe57⤵
- Executes dropped EXE
PID:2256 -
\??\c:\jdppv.exec:\jdppv.exe58⤵
- Executes dropped EXE
PID:1648 -
\??\c:\60468.exec:\60468.exe59⤵
- Executes dropped EXE
PID:580 -
\??\c:\66468.exec:\66468.exe60⤵
- Executes dropped EXE
PID:1228 -
\??\c:\5jjjv.exec:\5jjjv.exe61⤵
- Executes dropped EXE
PID:2428 -
\??\c:\g6066.exec:\g6066.exe62⤵
- Executes dropped EXE
PID:2508 -
\??\c:\w82820.exec:\w82820.exe63⤵
- Executes dropped EXE
PID:2696 -
\??\c:\086464.exec:\086464.exe64⤵
- Executes dropped EXE
PID:2948 -
\??\c:\7fxrlrf.exec:\7fxrlrf.exe65⤵
- Executes dropped EXE
PID:572 -
\??\c:\2826266.exec:\2826266.exe66⤵PID:1100
-
\??\c:\86020.exec:\86020.exe67⤵PID:1520
-
\??\c:\822424.exec:\822424.exe68⤵PID:1536
-
\??\c:\m8846.exec:\m8846.exe69⤵PID:1128
-
\??\c:\2440802.exec:\2440802.exe70⤵PID:1204
-
\??\c:\226624.exec:\226624.exe71⤵PID:2088
-
\??\c:\g8028.exec:\g8028.exe72⤵PID:2856
-
\??\c:\vddvd.exec:\vddvd.exe73⤵PID:2092
-
\??\c:\fxxrlff.exec:\fxxrlff.exe74⤵PID:1500
-
\??\c:\268840.exec:\268840.exe75⤵PID:2404
-
\??\c:\1bnntb.exec:\1bnntb.exe76⤵PID:2852
-
\??\c:\m6068.exec:\m6068.exe77⤵PID:1672
-
\??\c:\7fxlxfl.exec:\7fxlxfl.exe78⤵PID:1252
-
\??\c:\04428.exec:\04428.exe79⤵PID:2520
-
\??\c:\3pddp.exec:\3pddp.exe80⤵PID:2524
-
\??\c:\3tbbnt.exec:\3tbbnt.exe81⤵PID:2212
-
\??\c:\pjddp.exec:\pjddp.exe82⤵PID:2896
-
\??\c:\ffxxllf.exec:\ffxxllf.exe83⤵PID:3056
-
\??\c:\842482.exec:\842482.exe84⤵PID:2900
-
\??\c:\q80242.exec:\q80242.exe85⤵PID:2988
-
\??\c:\042404.exec:\042404.exe86⤵PID:1608
-
\??\c:\9jjjp.exec:\9jjjp.exe87⤵PID:1532
-
\??\c:\04466.exec:\04466.exe88⤵PID:2548
-
\??\c:\u862402.exec:\u862402.exe89⤵PID:2728
-
\??\c:\5vjpd.exec:\5vjpd.exe90⤵PID:2844
-
\??\c:\vvjpv.exec:\vvjpv.exe91⤵PID:2592
-
\??\c:\vjjpd.exec:\vjjpd.exe92⤵PID:2120
-
\??\c:\rlxxfrx.exec:\rlxxfrx.exe93⤵PID:2444
-
\??\c:\1xrrlxf.exec:\1xrrlxf.exe94⤵PID:2512
-
\??\c:\08062.exec:\08062.exe95⤵PID:3004
-
\??\c:\66026.exec:\66026.exe96⤵PID:2928
-
\??\c:\3rxxrff.exec:\3rxxrff.exe97⤵PID:2936
-
\??\c:\400208.exec:\400208.exe98⤵PID:2608
-
\??\c:\thbbhh.exec:\thbbhh.exe99⤵PID:1624
-
\??\c:\5nhnbb.exec:\5nhnbb.exe100⤵PID:340
-
\??\c:\g4284.exec:\g4284.exe101⤵PID:1792
-
\??\c:\rlxxffl.exec:\rlxxffl.exe102⤵PID:2224
-
\??\c:\k08800.exec:\k08800.exe103⤵PID:1944
-
\??\c:\rrfxlfr.exec:\rrfxlfr.exe104⤵PID:1244
-
\??\c:\jvpvd.exec:\jvpvd.exe105⤵PID:1220
-
\??\c:\tnhnnb.exec:\tnhnnb.exe106⤵PID:1752
-
\??\c:\xrlrxfl.exec:\xrlrxfl.exe107⤵PID:2756
-
\??\c:\pjpvj.exec:\pjpvj.exe108⤵PID:1668
-
\??\c:\pjvdj.exec:\pjvdj.exe109⤵PID:2948
-
\??\c:\vpjpd.exec:\vpjpd.exe110⤵PID:1884
-
\??\c:\4482204.exec:\4482204.exe111⤵
- System Location Discovery: System Language Discovery
PID:780 -
\??\c:\004608.exec:\004608.exe112⤵PID:1280
-
\??\c:\frfrxfl.exec:\frfrxfl.exe113⤵PID:2272
-
\??\c:\0462446.exec:\0462446.exe114⤵PID:1980
-
\??\c:\c422446.exec:\c422446.exe115⤵PID:2068
-
\??\c:\00020.exec:\00020.exe116⤵PID:2312
-
\??\c:\1hbhtb.exec:\1hbhtb.exe117⤵PID:876
-
\??\c:\m6084.exec:\m6084.exe118⤵PID:2092
-
\??\c:\q48646.exec:\q48646.exe119⤵PID:2108
-
\??\c:\fxflrxr.exec:\fxflrxr.exe120⤵PID:2404
-
\??\c:\m8840.exec:\m8840.exe121⤵PID:752
-
\??\c:\ttnnbt.exec:\ttnnbt.exe122⤵PID:2832