Analysis
-
max time kernel
150s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
25-09-2024 09:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
150 seconds
General
-
Target
f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe
-
Size
195KB
-
MD5
f5aea7ea840e3599af7bba8f765a981c
-
SHA1
eab5a34783ee085e2f9276700bdb4e26c64f559c
-
SHA256
ee8cc67402655c1bf1271a5a105c13fd230dd4cabacb54bc0e38e0432ad2d9fc
-
SHA512
4488817177bc485a7c28a6ca0850775d75c7cab816cabffb1c7d785f277ccd572c21d3218f37b41f9c7f20f5876fd5ddfff78671d913e39af5b3df22c9738b58
-
SSDEEP
1536:PvQBeOGtrYSSsrc93UBIfdC67m6AJiqyShdzr08QaVz9kv:PhOm2sI93UufdC67cih8hE7v
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3236-5-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1660-7-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2716-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2052-20-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/220-31-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4132-38-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/208-45-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1132-43-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4328-53-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1816-60-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/840-73-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2944-80-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3212-85-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2504-99-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4664-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/624-111-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1516-115-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3728-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2792-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3832-136-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1948-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4748-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3160-158-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3592-166-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1808-181-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1228-194-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/556-198-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4560-208-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4196-215-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4744-219-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3252-226-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/640-230-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3896-234-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1848-238-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2732-251-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4272-255-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3308-259-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2776-273-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1704-276-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1764-277-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4632-287-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1480-291-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4160-301-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3976-326-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4256-330-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4648-344-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2340-387-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1132-397-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4364-425-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1704-435-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2532-448-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2460-461-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4828-483-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4432-513-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4272-562-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1932-594-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3396-604-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3832-608-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5040-612-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1644-722-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/944-816-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1608-826-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1452-1859-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3236 q84488.exe 2052 462684.exe 2716 dpvpj.exe 220 bhbtnt.exe 4132 648024.exe 208 nnnhhb.exe 1132 600008.exe 4328 0682660.exe 1816 hbnnnn.exe 2868 tbhthb.exe 840 rrxrlfx.exe 2944 200824.exe 3816 lflxxrr.exe 3212 e66044.exe 4664 fxlfxrf.exe 2504 286840.exe 3728 xxfrlrl.exe 624 22080.exe 1516 nnthtt.exe 4520 xrrlxxl.exe 2792 c626000.exe 3832 8446260.exe 4960 08262.exe 1948 3ddvp.exe 4748 jvdjv.exe 3160 20426.exe 3592 7htbth.exe 2100 xrrlllr.exe 2880 0848882.exe 780 4648226.exe 1808 lxxlllf.exe 4956 xrxrrlf.exe 1228 6048804.exe 556 bbtbbb.exe 4168 260646.exe 1660 002088.exe 4560 a6266.exe 5024 00244.exe 4196 xxfxrlx.exe 4744 08086.exe 4908 64402.exe 3252 s8820.exe 640 ppddv.exe 3896 a2664.exe 1848 xrlffxr.exe 960 llrlrlf.exe 3724 240822.exe 3076 k40482.exe 2732 0820826.exe 4272 46602.exe 3308 26420.exe 1524 m0404.exe 3188 1rfxlfx.exe 2356 0248244.exe 2776 684208.exe 1704 02686.exe 1764 nhhbnn.exe 876 2042648.exe 4632 82882.exe 1480 628822.exe 1644 1lxrlll.exe 2812 4244882.exe 4160 4006086.exe 2412 486060.exe -
resource yara_rule behavioral2/memory/3236-5-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1660-7-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2716-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/220-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2052-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/220-31-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4132-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/208-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1132-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4328-53-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1816-60-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/840-73-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2944-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3212-85-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/840-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2504-99-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4664-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/624-111-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1516-115-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3728-110-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2792-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3832-136-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1948-147-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4748-153-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/3160-158-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3592-166-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1808-181-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1228-194-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/556-198-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4560-208-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4196-215-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4744-219-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3252-226-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/640-230-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3896-234-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1848-238-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2732-251-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4272-255-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3308-259-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2776-273-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1704-276-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1764-277-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4632-287-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1480-291-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4160-301-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3976-326-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4256-330-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4648-344-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/2340-387-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1132-397-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4364-425-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1704-435-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2532-448-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2460-461-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1744-484-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4828-483-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2268-497-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4432-513-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4272-562-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1768-569-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1932-594-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3396-604-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3832-608-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5040-612-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2226048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q62222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q84822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1660 wrote to memory of 3236 1660 f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe 89 PID 1660 wrote to memory of 3236 1660 f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe 89 PID 1660 wrote to memory of 3236 1660 f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe 89 PID 3236 wrote to memory of 2052 3236 q84488.exe 90 PID 3236 wrote to memory of 2052 3236 q84488.exe 90 PID 3236 wrote to memory of 2052 3236 q84488.exe 90 PID 2052 wrote to memory of 2716 2052 462684.exe 91 PID 2052 wrote to memory of 2716 2052 462684.exe 91 PID 2052 wrote to memory of 2716 2052 462684.exe 91 PID 2716 wrote to memory of 220 2716 dpvpj.exe 92 PID 2716 wrote to memory of 220 2716 dpvpj.exe 92 PID 2716 wrote to memory of 220 2716 dpvpj.exe 92 PID 220 wrote to memory of 4132 220 bhbtnt.exe 93 PID 220 wrote to memory of 4132 220 bhbtnt.exe 93 PID 220 wrote to memory of 4132 220 bhbtnt.exe 93 PID 4132 wrote to memory of 208 4132 648024.exe 94 PID 4132 wrote to memory of 208 4132 648024.exe 94 PID 4132 wrote to memory of 208 4132 648024.exe 94 PID 208 wrote to memory of 1132 208 nnnhhb.exe 95 PID 208 wrote to memory of 1132 208 nnnhhb.exe 95 PID 208 wrote to memory of 1132 208 nnnhhb.exe 95 PID 1132 wrote to memory of 4328 1132 600008.exe 96 PID 1132 wrote to memory of 4328 1132 600008.exe 96 PID 1132 wrote to memory of 4328 1132 600008.exe 96 PID 4328 wrote to memory of 1816 4328 0682660.exe 97 PID 4328 wrote to memory of 1816 4328 0682660.exe 97 PID 4328 wrote to memory of 1816 4328 0682660.exe 97 PID 1816 wrote to memory of 2868 1816 hbnnnn.exe 98 PID 1816 wrote to memory of 2868 1816 hbnnnn.exe 98 PID 1816 wrote to memory of 2868 1816 hbnnnn.exe 98 PID 2868 wrote to memory of 840 2868 tbhthb.exe 99 PID 2868 wrote to memory of 840 2868 tbhthb.exe 99 PID 2868 wrote to memory of 840 2868 tbhthb.exe 99 PID 840 wrote to memory of 2944 840 rrxrlfx.exe 100 PID 840 wrote to memory of 2944 840 rrxrlfx.exe 100 PID 840 wrote to memory of 2944 840 
rrxrlfx.exe 100 PID 2944 wrote to memory of 3816 2944 200824.exe 101 PID 2944 wrote to memory of 3816 2944 200824.exe 101 PID 2944 wrote to memory of 3816 2944 200824.exe 101 PID 3816 wrote to memory of 3212 3816 lflxxrr.exe 102 PID 3816 wrote to memory of 3212 3816 lflxxrr.exe 102 PID 3816 wrote to memory of 3212 3816 lflxxrr.exe 102 PID 3212 wrote to memory of 4664 3212 e66044.exe 103 PID 3212 wrote to memory of 4664 3212 e66044.exe 103 PID 3212 wrote to memory of 4664 3212 e66044.exe 103 PID 4664 wrote to memory of 2504 4664 fxlfxrf.exe 104 PID 4664 wrote to memory of 2504 4664 fxlfxrf.exe 104 PID 4664 wrote to memory of 2504 4664 fxlfxrf.exe 104 PID 2504 wrote to memory of 3728 2504 286840.exe 105 PID 2504 wrote to memory of 3728 2504 286840.exe 105 PID 2504 wrote to memory of 3728 2504 286840.exe 105 PID 3728 wrote to memory of 624 3728 xxfrlrl.exe 106 PID 3728 wrote to memory of 624 3728 xxfrlrl.exe 106 PID 3728 wrote to memory of 624 3728 xxfrlrl.exe 106 PID 624 wrote to memory of 1516 624 22080.exe 107 PID 624 wrote to memory of 1516 624 22080.exe 107 PID 624 wrote to memory of 1516 624 22080.exe 107 PID 1516 wrote to memory of 4520 1516 nnthtt.exe 108 PID 1516 wrote to memory of 4520 1516 nnthtt.exe 108 PID 1516 wrote to memory of 4520 1516 nnthtt.exe 108 PID 4520 wrote to memory of 2792 4520 xrrlxxl.exe 109 PID 4520 wrote to memory of 2792 4520 xrrlxxl.exe 109 PID 4520 wrote to memory of 2792 4520 xrrlxxl.exe 109 PID 2792 wrote to memory of 3832 2792 c626000.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f5aea7ea840e3599af7bba8f765a981c_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\q84488.exec:\q84488.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\462684.exec:\462684.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\dpvpj.exec:\dpvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\bhbtnt.exec:\bhbtnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\648024.exec:\648024.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\nnnhhb.exec:\nnnhhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\600008.exec:\600008.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\0682660.exec:\0682660.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\hbnnnn.exec:\hbnnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\tbhthb.exec:\tbhthb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\rrxrlfx.exec:\rrxrlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\200824.exec:\200824.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\lflxxrr.exec:\lflxxrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\e66044.exec:\e66044.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\fxlfxrf.exec:\fxlfxrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\286840.exec:\286840.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\xxfrlrl.exec:\xxfrlrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\22080.exec:\22080.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\nnthtt.exec:\nnthtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\xrrlxxl.exec:\xrrlxxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\c626000.exec:\c626000.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\8446260.exec:\8446260.exe23⤵
- Executes dropped EXE
PID:3832 -
\??\c:\08262.exec:\08262.exe24⤵
- Executes dropped EXE
PID:4960 -
\??\c:\3ddvp.exec:\3ddvp.exe25⤵
- Executes dropped EXE
PID:1948 -
\??\c:\jvdjv.exec:\jvdjv.exe26⤵
- Executes dropped EXE
PID:4748 -
\??\c:\20426.exec:\20426.exe27⤵
- Executes dropped EXE
PID:3160 -
\??\c:\7htbth.exec:\7htbth.exe28⤵
- Executes dropped EXE
PID:3592 -
\??\c:\xrrlllr.exec:\xrrlllr.exe29⤵
- Executes dropped EXE
PID:2100 -
\??\c:\0848882.exec:\0848882.exe30⤵
- Executes dropped EXE
PID:2880 -
\??\c:\4648226.exec:\4648226.exe31⤵
- Executes dropped EXE
PID:780 -
\??\c:\lxxlllf.exec:\lxxlllf.exe32⤵
- Executes dropped EXE
PID:1808 -
\??\c:\xrxrrlf.exec:\xrxrrlf.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4956 -
\??\c:\6048804.exec:\6048804.exe34⤵
- Executes dropped EXE
PID:1228 -
\??\c:\bbtbbb.exec:\bbtbbb.exe35⤵
- Executes dropped EXE
PID:556 -
\??\c:\260646.exec:\260646.exe36⤵
- Executes dropped EXE
PID:4168 -
\??\c:\002088.exec:\002088.exe37⤵
- Executes dropped EXE
PID:1660 -
\??\c:\a6266.exec:\a6266.exe38⤵
- Executes dropped EXE
PID:4560 -
\??\c:\00244.exec:\00244.exe39⤵
- Executes dropped EXE
PID:5024 -
\??\c:\xxfxrlx.exec:\xxfxrlx.exe40⤵
- Executes dropped EXE
PID:4196 -
\??\c:\08086.exec:\08086.exe41⤵
- Executes dropped EXE
PID:4744 -
\??\c:\64402.exec:\64402.exe42⤵
- Executes dropped EXE
PID:4908 -
\??\c:\s8820.exec:\s8820.exe43⤵
- Executes dropped EXE
PID:3252 -
\??\c:\ppddv.exec:\ppddv.exe44⤵
- Executes dropped EXE
PID:640 -
\??\c:\a2664.exec:\a2664.exe45⤵
- Executes dropped EXE
PID:3896 -
\??\c:\xrlffxr.exec:\xrlffxr.exe46⤵
- Executes dropped EXE
PID:1848 -
\??\c:\llrlrlf.exec:\llrlrlf.exe47⤵
- Executes dropped EXE
PID:960 -
\??\c:\240822.exec:\240822.exe48⤵
- Executes dropped EXE
PID:3724 -
\??\c:\k40482.exec:\k40482.exe49⤵
- Executes dropped EXE
PID:3076 -
\??\c:\0820826.exec:\0820826.exe50⤵
- Executes dropped EXE
PID:2732 -
\??\c:\46602.exec:\46602.exe51⤵
- Executes dropped EXE
PID:4272 -
\??\c:\26420.exec:\26420.exe52⤵
- Executes dropped EXE
PID:3308 -
\??\c:\m0404.exec:\m0404.exe53⤵
- Executes dropped EXE
PID:1524 -
\??\c:\1rfxlfx.exec:\1rfxlfx.exe54⤵
- Executes dropped EXE
PID:3188 -
\??\c:\0248244.exec:\0248244.exe55⤵
- Executes dropped EXE
PID:2356 -
\??\c:\684208.exec:\684208.exe56⤵
- Executes dropped EXE
PID:2776 -
\??\c:\02686.exec:\02686.exe57⤵
- Executes dropped EXE
PID:1704 -
\??\c:\nhhbnn.exec:\nhhbnn.exe58⤵
- Executes dropped EXE
PID:1764 -
\??\c:\2042648.exec:\2042648.exe59⤵
- Executes dropped EXE
PID:876 -
\??\c:\82882.exec:\82882.exe60⤵
- Executes dropped EXE
PID:4632 -
\??\c:\628822.exec:\628822.exe61⤵
- Executes dropped EXE
PID:1480 -
\??\c:\1lxrlll.exec:\1lxrlll.exe62⤵
- Executes dropped EXE
PID:1644 -
\??\c:\4244882.exec:\4244882.exe63⤵
- Executes dropped EXE
PID:2812 -
\??\c:\4006086.exec:\4006086.exe64⤵
- Executes dropped EXE
PID:4160 -
\??\c:\486060.exec:\486060.exe65⤵
- Executes dropped EXE
PID:2412 -
\??\c:\ffxxrxf.exec:\ffxxrxf.exe66⤵PID:4352
-
\??\c:\022406.exec:\022406.exe67⤵PID:3180
-
\??\c:\8888222.exec:\8888222.exe68⤵PID:3624
-
\??\c:\5vdvp.exec:\5vdvp.exe69⤵PID:4960
-
\??\c:\rrfffxr.exec:\rrfffxr.exe70⤵PID:3700
-
\??\c:\s4004.exec:\s4004.exe71⤵PID:1380
-
\??\c:\4626000.exec:\4626000.exe72⤵PID:3976
-
\??\c:\e28826.exec:\e28826.exe73⤵PID:4256
-
\??\c:\042688.exec:\042688.exe74⤵PID:1396
-
\??\c:\00666.exec:\00666.exe75⤵PID:4012
-
\??\c:\hhhtth.exec:\hhhtth.exe76⤵PID:3104
-
\??\c:\6000806.exec:\6000806.exe77⤵PID:4648
-
\??\c:\ppddd.exec:\ppddd.exe78⤵PID:780
-
\??\c:\jdjdv.exec:\jdjdv.exe79⤵PID:1488
-
\??\c:\rlxxffl.exec:\rlxxffl.exe80⤵PID:3940
-
\??\c:\nttttb.exec:\nttttb.exe81⤵PID:4204
-
\??\c:\006082.exec:\006082.exe82⤵PID:3268
-
\??\c:\hhhhtn.exec:\hhhhtn.exe83⤵PID:4968
-
\??\c:\rlrrfll.exec:\rlrrfll.exe84⤵PID:5088
-
\??\c:\g2226.exec:\g2226.exe85⤵PID:3468
-
\??\c:\nthbtt.exec:\nthbtt.exe86⤵PID:3112
-
\??\c:\g4448.exec:\g4448.exe87⤵PID:5024
-
\??\c:\222600.exec:\222600.exe88⤵PID:632
-
\??\c:\lxlfxlf.exec:\lxlfxlf.exe89⤵PID:2716
-
\??\c:\1bttnn.exec:\1bttnn.exe90⤵PID:4908
-
\??\c:\fxxrfxr.exec:\fxxrfxr.exe91⤵PID:2340
-
\??\c:\24484.exec:\24484.exe92⤵PID:3504
-
\??\c:\8288222.exec:\8288222.exe93⤵PID:4288
-
\??\c:\fflxxfx.exec:\fflxxfx.exe94⤵PID:1132
-
\??\c:\djjjd.exec:\djjjd.exe95⤵PID:1792
-
\??\c:\o804848.exec:\o804848.exe96⤵PID:5000
-
\??\c:\s2466.exec:\s2466.exe97⤵PID:3304
-
\??\c:\422640.exec:\422640.exe98⤵PID:4176
-
\??\c:\tbtnbb.exec:\tbtnbb.exe99⤵PID:2016
-
\??\c:\7rfrrrl.exec:\7rfrrrl.exe100⤵PID:944
-
\??\c:\602604.exec:\602604.exe101⤵PID:2944
-
\??\c:\9pjdp.exec:\9pjdp.exe102⤵PID:1524
-
\??\c:\ttbtbt.exec:\ttbtbt.exe103⤵PID:4364
-
\??\c:\xfxrlfx.exec:\xfxrlfx.exe104⤵PID:3632
-
\??\c:\lllllrl.exec:\lllllrl.exe105⤵PID:3712
-
\??\c:\a0044.exec:\a0044.exe106⤵PID:1704
-
\??\c:\806600.exec:\806600.exe107⤵PID:1532
-
\??\c:\pdpjj.exec:\pdpjj.exe108⤵PID:5064
-
\??\c:\062686.exec:\062686.exe109⤵PID:624
-
\??\c:\04208.exec:\04208.exe110⤵PID:2532
-
\??\c:\08044.exec:\08044.exe111⤵PID:2540
-
\??\c:\60260.exec:\60260.exe112⤵PID:3396
-
\??\c:\lrlxlfr.exec:\lrlxlfr.exe113⤵PID:4608
-
\??\c:\pvdjd.exec:\pvdjd.exe114⤵PID:2460
-
\??\c:\8866662.exec:\8866662.exe115⤵PID:2104
-
\??\c:\jdvpd.exec:\jdvpd.exe116⤵PID:4640
-
\??\c:\80606.exec:\80606.exe117⤵PID:1968
-
\??\c:\hbhbtt.exec:\hbhbtt.exe118⤵PID:456
-
\??\c:\2446088.exec:\2446088.exe119⤵PID:5108
-
\??\c:\3nhbhb.exec:\3nhbhb.exe120⤵PID:1180
-
\??\c:\xffxllr.exec:\xffxllr.exe121⤵PID:4828
-
\??\c:\666600.exec:\666600.exe122⤵PID:1744