Analysis
-
max time kernel
150s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system -
submitted
28/07/2024, 01:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0472547823c9419605a1514cf582e323_JaffaCakes118.exe
Resource
win7-20240705-en
6 signatures
150 seconds
General
-
Target
0472547823c9419605a1514cf582e323_JaffaCakes118.exe
-
Size
452KB
-
MD5
0472547823c9419605a1514cf582e323
-
SHA1
2518af8bf595b294d7bd821f9a722a3b70aa5afc
-
SHA256
b2d94bee233c9e0c887b9d64fdab5200436a50e1399166480af56d78326cb7fc
-
SHA512
5c04c0093f8c3c268341ec988cabf31b05cbbe1bec84ee83833fa6e8d0f56a0eb352213db81a779594bd873cef8f4ff39f1342a47d48e1631c41e58cdb2e3cd7
-
SSDEEP
6144:Pcm7ImGddXtWrXD486jJq1BStv4Ib1H6I+N:d7Tc9Wj16A3Stvx6I+N
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4756-5-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4612-13-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2292-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4876-25-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2888-26-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2612-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2964-49-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4472-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/636-41-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1964-68-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3980-76-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4016-82-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3768-92-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4776-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3152-102-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4696-108-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1264-124-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2780-134-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1404-143-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4116-149-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2088-169-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3180-182-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1108-190-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4376-194-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2232-199-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2496-203-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2600-204-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2928-214-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1212-222-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2612-226-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/636-233-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2684-237-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1564-247-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4336-254-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2508-264-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5064-274-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/544-285-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4768-295-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1588-302-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1484-309-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/776-316-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4384-343-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4376-356-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3040-360-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2404-367-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3248-381-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4780-388-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2144-425-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1648-450-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1912-460-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2040-491-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2284-528-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3664-532-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1072-566-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2464-605-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/616-717-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4912-730-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/372-774-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/776-790-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/784-806-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4960-866-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/440-889-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1448-1029-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4820-1036-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4612 jdppv.exe 2292 nbbbtb.exe 4876 jjjjd.exe 2888 pvjpv.exe 2612 nhbhbh.exe 636 dvvdd.exe 4472 nhntbh.exe 2964 jdppp.exe 3772 lflllll.exe 3548 jjppp.exe 1964 hbbnbn.exe 3980 9jdvd.exe 2704 nhtnhh.exe 4016 pvdvv.exe 3768 dvdpj.exe 4776 pdvvv.exe 3152 hnnhbh.exe 4696 jjvpv.exe 1052 fxxlflf.exe 5028 xxxrrrl.exe 1264 bbbhhn.exe 2296 tnhbnt.exe 2780 fflllrr.exe 1404 vpjjp.exe 4116 fflfffx.exe 2852 nnnhhh.exe 456 vpjdj.exe 2088 rlxrllx.exe 2040 ttnhnn.exe 1084 ddjdd.exe 3180 1rfxlrl.exe 224 lrrllrl.exe 1108 vdpvj.exe 4376 xllfxfx.exe 2232 vvpvv.exe 2496 7pjjp.exe 2600 frfllll.exe 3824 hnttnb.exe 2928 dvdvj.exe 1448 xlrrrxx.exe 1212 hnnbbb.exe 2612 dpvpj.exe 1392 lrllxxf.exe 636 pdvdd.exe 2684 1lllrrf.exe 3420 5rxlllr.exe 3380 bbbbbb.exe 1564 ppvjj.exe 3132 lrlflll.exe 4336 bbbbbt.exe 2628 pvpvp.exe 4852 xxrllff.exe 2508 5thhbb.exe 2144 pdjvv.exe 3500 xxxxllf.exe 5064 tnhtbt.exe 2280 1dppp.exe 4524 5flxfff.exe 544 ttnnbh.exe 1660 jdddd.exe 1648 vpvvv.exe 716 xrrlfff.exe 4768 hbbbnn.exe 1588 7djpv.exe -
resource yara_rule behavioral2/memory/4756-5-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4612-7-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4612-13-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2292-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4876-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2888-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2612-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2964-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4472-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/636-41-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1964-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3980-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3980-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4016-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3768-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4776-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4776-100-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3152-102-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4696-108-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1264-124-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2780-134-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1404-143-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4116-149-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2088-169-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/3180-182-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1108-190-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4376-194-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2232-195-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2232-199-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2496-203-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2600-204-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2928-214-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1212-222-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2612-226-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/636-233-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2684-237-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1564-247-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4336-254-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2508-264-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2280-275-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5064-274-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/544-285-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4768-295-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1588-302-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1484-309-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/776-316-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4116-317-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1084-336-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/4384-343-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4376-356-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3040-360-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2404-367-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3248-381-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4780-388-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2144-425-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1632-435-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/372-442-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1648-446-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1648-450-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1912-460-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2040-491-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2284-528-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3664-532-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1072-566-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxllxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlllfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththhb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4756 wrote to memory of 4612 4756 0472547823c9419605a1514cf582e323_JaffaCakes118.exe 83 PID 4756 wrote to memory of 4612 4756 0472547823c9419605a1514cf582e323_JaffaCakes118.exe 83 PID 4756 wrote to memory of 4612 4756 0472547823c9419605a1514cf582e323_JaffaCakes118.exe 83 PID 4612 wrote to memory of 2292 4612 jdppv.exe 84 PID 4612 wrote to memory of 2292 4612 jdppv.exe 84 PID 4612 wrote to memory of 2292 4612 jdppv.exe 84 PID 2292 wrote to memory of 4876 2292 nbbbtb.exe 85 PID 2292 wrote to memory of 4876 2292 nbbbtb.exe 85 PID 2292 wrote to memory of 4876 2292 nbbbtb.exe 85 PID 4876 wrote to memory of 2888 4876 jjjjd.exe 87 PID 4876 wrote to memory of 2888 4876 jjjjd.exe 87 PID 4876 wrote to memory of 2888 4876 jjjjd.exe 87 PID 2888 wrote to memory of 2612 2888 pvjpv.exe 88 PID 2888 wrote to memory of 2612 2888 pvjpv.exe 88 PID 2888 wrote to memory of 2612 2888 pvjpv.exe 88 PID 2612 wrote to memory of 636 2612 nhbhbh.exe 89 PID 2612 wrote to memory of 636 2612 nhbhbh.exe 89 PID 2612 wrote to memory of 636 2612 nhbhbh.exe 89 PID 636 wrote to memory of 4472 636 dvvdd.exe 90 PID 636 wrote to memory of 4472 636 dvvdd.exe 90 PID 636 wrote to memory of 4472 636 dvvdd.exe 90 PID 4472 wrote to memory of 2964 4472 nhntbh.exe 91 PID 4472 wrote to memory of 2964 4472 nhntbh.exe 91 PID 4472 wrote to memory of 2964 4472 nhntbh.exe 91 PID 2964 wrote to memory of 3772 2964 jdppp.exe 93 PID 2964 wrote to memory of 3772 2964 jdppp.exe 93 PID 2964 wrote to memory of 3772 2964 jdppp.exe 93 PID 3772 wrote to memory of 3548 3772 lflllll.exe 94 PID 3772 wrote to memory of 3548 3772 lflllll.exe 94 PID 3772 wrote to memory of 3548 3772 lflllll.exe 94 PID 3548 wrote to memory of 1964 3548 jjppp.exe 95 PID 3548 wrote to memory of 1964 3548 jjppp.exe 95 PID 3548 wrote to memory of 1964 3548 jjppp.exe 95 PID 1964 wrote to memory of 3980 1964 hbbnbn.exe 96 PID 1964 wrote to memory of 3980 1964 hbbnbn.exe 96 PID 1964 wrote to memory of 3980 1964 
hbbnbn.exe 96 PID 3980 wrote to memory of 2704 3980 9jdvd.exe 98 PID 3980 wrote to memory of 2704 3980 9jdvd.exe 98 PID 3980 wrote to memory of 2704 3980 9jdvd.exe 98 PID 2704 wrote to memory of 4016 2704 nhtnhh.exe 99 PID 2704 wrote to memory of 4016 2704 nhtnhh.exe 99 PID 2704 wrote to memory of 4016 2704 nhtnhh.exe 99 PID 4016 wrote to memory of 3768 4016 pvdvv.exe 100 PID 4016 wrote to memory of 3768 4016 pvdvv.exe 100 PID 4016 wrote to memory of 3768 4016 pvdvv.exe 100 PID 3768 wrote to memory of 4776 3768 dvdpj.exe 101 PID 3768 wrote to memory of 4776 3768 dvdpj.exe 101 PID 3768 wrote to memory of 4776 3768 dvdpj.exe 101 PID 4776 wrote to memory of 3152 4776 pdvvv.exe 102 PID 4776 wrote to memory of 3152 4776 pdvvv.exe 102 PID 4776 wrote to memory of 3152 4776 pdvvv.exe 102 PID 3152 wrote to memory of 4696 3152 hnnhbh.exe 103 PID 3152 wrote to memory of 4696 3152 hnnhbh.exe 103 PID 3152 wrote to memory of 4696 3152 hnnhbh.exe 103 PID 4696 wrote to memory of 1052 4696 jjvpv.exe 104 PID 4696 wrote to memory of 1052 4696 jjvpv.exe 104 PID 4696 wrote to memory of 1052 4696 jjvpv.exe 104 PID 1052 wrote to memory of 5028 1052 fxxlflf.exe 105 PID 1052 wrote to memory of 5028 1052 fxxlflf.exe 105 PID 1052 wrote to memory of 5028 1052 fxxlflf.exe 105 PID 5028 wrote to memory of 1264 5028 xxxrrrl.exe 106 PID 5028 wrote to memory of 1264 5028 xxxrrrl.exe 106 PID 5028 wrote to memory of 1264 5028 xxxrrrl.exe 106 PID 1264 wrote to memory of 2296 1264 bbbhhn.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\0472547823c9419605a1514cf582e323_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0472547823c9419605a1514cf582e323_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\jdppv.exec:\jdppv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\nbbbtb.exec:\nbbbtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\jjjjd.exec:\jjjjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\pvjpv.exec:\pvjpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\nhbhbh.exec:\nhbhbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\dvvdd.exec:\dvvdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\nhntbh.exec:\nhntbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\jdppp.exec:\jdppp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\lflllll.exec:\lflllll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\jjppp.exec:\jjppp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\hbbnbn.exec:\hbbnbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\9jdvd.exec:\9jdvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\nhtnhh.exec:\nhtnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\pvdvv.exec:\pvdvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\dvdpj.exec:\dvdpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\pdvvv.exec:\pdvvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\hnnhbh.exec:\hnnhbh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\jjvpv.exec:\jjvpv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\fxxlflf.exec:\fxxlflf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\xxxrrrl.exec:\xxxrrrl.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\bbbhhn.exec:\bbbhhn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\tnhbnt.exec:\tnhbnt.exe23⤵
- Executes dropped EXE
PID:2296 -
\??\c:\fflllrr.exec:\fflllrr.exe24⤵
- Executes dropped EXE
PID:2780 -
\??\c:\vpjjp.exec:\vpjjp.exe25⤵
- Executes dropped EXE
PID:1404 -
\??\c:\fflfffx.exec:\fflfffx.exe26⤵
- Executes dropped EXE
PID:4116 -
\??\c:\nnnhhh.exec:\nnnhhh.exe27⤵
- Executes dropped EXE
PID:2852 -
\??\c:\vpjdj.exec:\vpjdj.exe28⤵
- Executes dropped EXE
PID:456 -
\??\c:\rlxrllx.exec:\rlxrllx.exe29⤵
- Executes dropped EXE
PID:2088 -
\??\c:\ttnhnn.exec:\ttnhnn.exe30⤵
- Executes dropped EXE
PID:2040 -
\??\c:\ddjdd.exec:\ddjdd.exe31⤵
- Executes dropped EXE
PID:1084 -
\??\c:\1rfxlrl.exec:\1rfxlrl.exe32⤵
- Executes dropped EXE
PID:3180 -
\??\c:\lrrllrl.exec:\lrrllrl.exe33⤵
- Executes dropped EXE
PID:224 -
\??\c:\vdpvj.exec:\vdpvj.exe34⤵
- Executes dropped EXE
PID:1108 -
\??\c:\xllfxfx.exec:\xllfxfx.exe35⤵
- Executes dropped EXE
PID:4376 -
\??\c:\vvpvv.exec:\vvpvv.exe36⤵
- Executes dropped EXE
PID:2232 -
\??\c:\7pjjp.exec:\7pjjp.exe37⤵
- Executes dropped EXE
PID:2496 -
\??\c:\frfllll.exec:\frfllll.exe38⤵
- Executes dropped EXE
PID:2600 -
\??\c:\hnttnb.exec:\hnttnb.exe39⤵
- Executes dropped EXE
PID:3824 -
\??\c:\dvdvj.exec:\dvdvj.exe40⤵
- Executes dropped EXE
PID:2928 -
\??\c:\xlrrrxx.exec:\xlrrrxx.exe41⤵
- Executes dropped EXE
PID:1448 -
\??\c:\hnnbbb.exec:\hnnbbb.exe42⤵
- Executes dropped EXE
PID:1212 -
\??\c:\dpvpj.exec:\dpvpj.exe43⤵
- Executes dropped EXE
PID:2612 -
\??\c:\lrllxxf.exec:\lrllxxf.exe44⤵
- Executes dropped EXE
PID:1392 -
\??\c:\pdvdd.exec:\pdvdd.exe45⤵
- Executes dropped EXE
PID:636 -
\??\c:\1lllrrf.exec:\1lllrrf.exe46⤵
- Executes dropped EXE
PID:2684 -
\??\c:\5rxlllr.exec:\5rxlllr.exe47⤵
- Executes dropped EXE
PID:3420 -
\??\c:\bbbbbb.exec:\bbbbbb.exe48⤵
- Executes dropped EXE
PID:3380 -
\??\c:\ppvjj.exec:\ppvjj.exe49⤵
- Executes dropped EXE
PID:1564 -
\??\c:\lrlflll.exec:\lrlflll.exe50⤵
- Executes dropped EXE
PID:3132 -
\??\c:\bbbbbt.exec:\bbbbbt.exe51⤵
- Executes dropped EXE
PID:4336 -
\??\c:\pvpvp.exec:\pvpvp.exe52⤵
- Executes dropped EXE
PID:2628 -
\??\c:\xxrllff.exec:\xxrllff.exe53⤵
- Executes dropped EXE
PID:4852 -
\??\c:\5thhbb.exec:\5thhbb.exe54⤵
- Executes dropped EXE
PID:2508 -
\??\c:\pdjvv.exec:\pdjvv.exe55⤵
- Executes dropped EXE
PID:2144 -
\??\c:\xxxxllf.exec:\xxxxllf.exe56⤵
- Executes dropped EXE
PID:3500 -
\??\c:\tnhtbt.exec:\tnhtbt.exe57⤵
- Executes dropped EXE
PID:5064 -
\??\c:\1dppp.exec:\1dppp.exe58⤵
- Executes dropped EXE
PID:2280 -
\??\c:\5flxfff.exec:\5flxfff.exe59⤵
- Executes dropped EXE
PID:4524 -
\??\c:\ttnnbh.exec:\ttnnbh.exe60⤵
- Executes dropped EXE
PID:544 -
\??\c:\jdddd.exec:\jdddd.exe61⤵
- Executes dropped EXE
PID:1660 -
\??\c:\vpvvv.exec:\vpvvv.exe62⤵
- Executes dropped EXE
PID:1648 -
\??\c:\xrrlfff.exec:\xrrlfff.exe63⤵
- Executes dropped EXE
PID:716 -
\??\c:\hbbbnn.exec:\hbbbnn.exe64⤵
- Executes dropped EXE
PID:4768 -
\??\c:\7djpv.exec:\7djpv.exe65⤵
- Executes dropped EXE
PID:1588 -
\??\c:\pdvjp.exec:\pdvjp.exe66⤵PID:1912
-
\??\c:\rlxfxfx.exec:\rlxfxfx.exe67⤵PID:4880
-
\??\c:\bhnnbb.exec:\bhnnbb.exe68⤵PID:1484
-
\??\c:\fxllllr.exec:\fxllllr.exe69⤵PID:776
-
\??\c:\tntnth.exec:\tntnth.exe70⤵
- System Location Discovery: System Language Discovery
PID:4116 -
\??\c:\jpddv.exec:\jpddv.exe71⤵PID:1636
-
\??\c:\vpppj.exec:\vpppj.exe72⤵PID:3944
-
\??\c:\xffffff.exec:\xffffff.exe73⤵PID:1736
-
\??\c:\hbbbbt.exec:\hbbbbt.exe74⤵PID:4548
-
\??\c:\pdjjd.exec:\pdjjd.exe75⤵PID:2040
-
\??\c:\vjjvd.exec:\vjjvd.exe76⤵PID:1084
-
\??\c:\llxxxfl.exec:\llxxxfl.exe77⤵PID:2388
-
\??\c:\btbttt.exec:\btbttt.exe78⤵PID:4384
-
\??\c:\vjppp.exec:\vjppp.exe79⤵PID:224
-
\??\c:\3dvdp.exec:\3dvdp.exe80⤵PID:1108
-
\??\c:\rxllllr.exec:\rxllllr.exe81⤵PID:4376
-
\??\c:\jddpp.exec:\jddpp.exe82⤵PID:3040
-
\??\c:\fflllxf.exec:\fflllxf.exe83⤵PID:4612
-
\??\c:\hbbtnt.exec:\hbbtnt.exe84⤵PID:2404
-
\??\c:\bnttnn.exec:\bnttnn.exe85⤵PID:3936
-
\??\c:\vpdjd.exec:\vpdjd.exe86⤵PID:2928
-
\??\c:\rxxllxf.exec:\rxxllxf.exe87⤵PID:4992
-
\??\c:\1bbttn.exec:\1bbttn.exe88⤵PID:3248
-
\??\c:\5jjjj.exec:\5jjjj.exe89⤵PID:4444
-
\??\c:\rxrrxrr.exec:\rxrrxrr.exe90⤵PID:2172
-
\??\c:\hbtntt.exec:\hbtntt.exe91⤵PID:4780
-
\??\c:\pjppp.exec:\pjppp.exe92⤵PID:1880
-
\??\c:\xlrrrlf.exec:\xlrrrlf.exe93⤵PID:1708
-
\??\c:\nnnhtn.exec:\nnnhtn.exe94⤵
- System Location Discovery: System Language Discovery
PID:1476 -
\??\c:\7nnnnt.exec:\7nnnnt.exe95⤵PID:4252
-
\??\c:\jjjvv.exec:\jjjvv.exe96⤵PID:4492
-
\??\c:\rrlfxrf.exec:\rrlfxrf.exe97⤵PID:3548
-
\??\c:\hhhthn.exec:\hhhthn.exe98⤵PID:4788
-
\??\c:\jdvvj.exec:\jdvvj.exe99⤵PID:3164
-
\??\c:\lflffxl.exec:\lflffxl.exe100⤵PID:1816
-
\??\c:\bbtnbt.exec:\bbtnbt.exe101⤵PID:2508
-
\??\c:\jvpvv.exec:\jvpvv.exe102⤵PID:2144
-
\??\c:\xxxffll.exec:\xxxffll.exe103⤵PID:3500
-
\??\c:\tntnbh.exec:\tntnbh.exe104⤵PID:3496
-
\??\c:\jvpjd.exec:\jvpjd.exe105⤵PID:864
-
\??\c:\lrfrlxx.exec:\lrfrlxx.exe106⤵PID:1632
-
\??\c:\nbbbht.exec:\nbbbht.exe107⤵PID:2464
-
\??\c:\jdppp.exec:\jdppp.exe108⤵PID:372
-
\??\c:\xxffxxx.exec:\xxffxxx.exe109⤵PID:1648
-
\??\c:\ntbhtt.exec:\ntbhtt.exe110⤵PID:4900
-
\??\c:\pjvdp.exec:\pjvdp.exe111⤵PID:4768
-
\??\c:\lfrrllr.exec:\lfrrllr.exe112⤵PID:1344
-
\??\c:\7bbnht.exec:\7bbnht.exe113⤵PID:1912
-
\??\c:\pppjj.exec:\pppjj.exe114⤵PID:2956
-
\??\c:\llfxxxx.exec:\llfxxxx.exe115⤵PID:3624
-
\??\c:\tbnhhn.exec:\tbnhhn.exe116⤵PID:784
-
\??\c:\htbhtt.exec:\htbhtt.exe117⤵PID:3680
-
\??\c:\5jjpd.exec:\5jjpd.exe118⤵PID:1220
-
\??\c:\llxxrxr.exec:\llxxrxr.exe119⤵PID:5044
-
\??\c:\hthhbb.exec:\hthhbb.exe120⤵PID:3912
-
\??\c:\tthhnt.exec:\tthhnt.exe121⤵PID:2332
-
\??\c:\pjpjj.exec:\pjpjj.exe122⤵PID:2040