Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
08/01/2025, 07:35
Behavioral task
behavioral1
Sample
JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe
-
Size
49KB
-
MD5
9350d86d2640e7caf05a04051c3f3cec
-
SHA1
4a2c4b668be9172c7f3735fcfd02b85dd01dd191
-
SHA256
00e4ccae2ee8d3210ad1d2e99c416c2014ed8cadab6fe8ba34cc3eafacd90cc9
-
SHA512
994c9267047064c8149beaf1e5868b69220e7377af4fcc33e2726b4b30e517160f42148379dc0010e0df92a50c02db35b03204ce1dbeff6d8c96e76ffd16a8f7
-
SSDEEP
1536:LvQBeOGtrYS3srx93UBWfwC6Ggnouy8g5Uhuz:LhOmTsF93UYfwC6GIoutg5UhK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/2504-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2544-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2068-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2132-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2720-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2848-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2780-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2876-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2376-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/768-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1544-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2484-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1636-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1196-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1800-196-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/916-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2292-219-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/1832-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1396-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2120-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/880-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2552-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2548-298-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2084-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2016-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2952-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2812-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1880-418-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1948-424-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2832-447-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1732-465-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/444-471-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1608-479-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2096-532-0x00000000772C0000-0x00000000773BA000-memory.dmp family_blackmoon behavioral1/memory/2096-531-0x00000000771A0000-0x00000000772BF000-memory.dmp family_blackmoon behavioral1/memory/2320-574-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2588-595-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2776-606-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2744-623-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3028-645-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon 
behavioral1/memory/2828-693-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/2828-692-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/1076-1058-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2688-1091-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1820-1161-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/2096-8158-0x00000000771A0000-0x00000000772BF000-memory.dmp family_blackmoon behavioral1/memory/2096-11095-0x00000000771A0000-0x00000000772BF000-memory.dmp family_blackmoon behavioral1/memory/2096-16453-0x00000000771A0000-0x00000000772BF000-memory.dmp family_blackmoon behavioral1/memory/2096-23067-0x00000000771A0000-0x00000000772BF000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2544 lfrrffl.exe 2068 5dvjp.exe 2132 vvvjp.exe 2664 7rrfxxf.exe 592 bbnthn.exe 2720 vpvdj.exe 2848 jdvvv.exe 2780 fxrxlxx.exe 2876 lxrxxfl.exe 2376 hthhnn.exe 2580 dpdvj.exe 2700 lxflrrx.exe 768 1fxrflr.exe 1544 ttthnt.exe 1984 httttt.exe 2484 ddddd.exe 1636 7rxxffl.exe 2040 frfrxxx.exe 1340 tnhhnn.exe 1196 tttbnt.exe 2896 5dvvj.exe 2992 dvjvp.exe 1800 xxrrlrx.exe 660 lfxlxxr.exe 916 htnntb.exe 2292 tnbnht.exe 1832 vpjjv.exe 1648 rrflrrx.exe 904 xrlrxxx.exe 2944 thnnbb.exe 1396 pvddd.exe 2120 vpdjp.exe 880 frfxflr.exe 2300 3btbnn.exe 2552 htnhnn.exe 1480 thtbtn.exe 2196 vpvdd.exe 2548 xrllrrx.exe 844 lfrrfxf.exe 2084 hthnbb.exe 2664 bnttbb.exe 2884 vvpvp.exe 2016 5pvdp.exe 2952 tnttnt.exe 2812 3thbhn.exe 2160 vdjdd.exe 2460 jjdjp.exe 3032 ffrffxf.exe 2748 1frrxfl.exe 2576 lxrrfxf.exe 2656 hbntbt.exe 2384 jdjdd.exe 3028 pjvvd.exe 1532 rrlfrrx.exe 2332 lflrrrx.exe 1452 htbhhh.exe 1432 bhbnnt.exe 2484 ppdjj.exe 336 vpjdj.exe 1880 rlrlxxf.exe 1948 lflrflr.exe 1268 hhhhbh.exe 840 7htbtt.exe 2680 pvvvp.exe -
resource yara_rule behavioral1/memory/2504-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000b000000012029-5.dat upx behavioral1/memory/2544-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2504-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015d64-17.dat upx behavioral1/memory/2544-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015d6d-26.dat upx behavioral1/memory/2068-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2132-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015d75-35.dat upx behavioral1/memory/2664-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015d7f-43.dat upx behavioral1/memory/592-51-0x00000000002B0000-0x00000000002D7000-memory.dmp upx behavioral1/files/0x0007000000015e25-53.dat upx behavioral1/files/0x0007000000015e47-60.dat upx behavioral1/memory/2848-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2720-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015f1b-69.dat upx behavioral1/memory/2848-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00090000000160ae-79.dat upx behavioral1/memory/2780-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2780-77-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x000600000001903d-86.dat upx behavioral1/memory/2876-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001920f-95.dat upx behavioral1/memory/2376-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019228-103.dat upx behavioral1/memory/2580-102-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0005000000019234-110.dat upx behavioral1/files/0x0005000000019241-117.dat upx 
behavioral1/memory/768-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001925c-126.dat upx behavioral1/memory/1544-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019273-136.dat upx behavioral1/memory/2484-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2484-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000192f0-142.dat upx behavioral1/memory/1636-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001932a-151.dat upx behavioral1/memory/1636-152-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x000500000001933e-159.dat upx behavioral1/memory/1196-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019346-167.dat upx behavioral1/files/0x0005000000019384-174.dat upx behavioral1/files/0x00050000000193a2-182.dat upx behavioral1/files/0x00050000000193af-189.dat upx behavioral1/files/0x00050000000193c9-197.dat upx behavioral1/memory/1800-196-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x00050000000193f8-204.dat upx behavioral1/files/0x00050000000193fa-213.dat upx behavioral1/memory/916-211-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019408-220.dat upx behavioral1/files/0x0005000000019494-228.dat upx behavioral1/memory/1832-227-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194a7-235.dat upx behavioral1/files/0x00050000000194b4-242.dat upx behavioral1/memory/2944-243-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194d4-250.dat upx behavioral1/memory/1396-257-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194da-258.dat upx behavioral1/memory/2120-265-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/880-271-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2552-293-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2548-299-0x00000000003C0000-0x00000000003E7000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Note that the HKLM\...\NLS\Language key is also read during ordinary locale lookups, so on its own this match is low-confidence; it is more meaningful here because it is repeated across the chain of dropped executables listed below.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrffrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3btbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ntbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2504 wrote to memory of 2544 2504 JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe 30 PID 2504 wrote to memory of 2544 2504 JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe 30 PID 2504 wrote to memory of 2544 2504 JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe 30 PID 2504 wrote to memory of 2544 2504 JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe 30 PID 2544 wrote to memory of 2068 2544 lfrrffl.exe 31 PID 2544 wrote to memory of 2068 2544 lfrrffl.exe 31 PID 2544 wrote to memory of 2068 2544 lfrrffl.exe 31 PID 2544 wrote to memory of 2068 2544 lfrrffl.exe 31 PID 2068 wrote to memory of 2132 2068 5dvjp.exe 32 PID 2068 wrote to memory of 2132 2068 5dvjp.exe 32 PID 2068 wrote to memory of 2132 2068 5dvjp.exe 32 PID 2068 wrote to memory of 2132 2068 5dvjp.exe 32 PID 2132 wrote to memory of 2664 2132 vvvjp.exe 33 PID 2132 wrote to memory of 2664 2132 vvvjp.exe 33 PID 2132 wrote to memory of 2664 2132 vvvjp.exe 33 PID 2132 wrote to memory of 2664 2132 vvvjp.exe 33 PID 2664 wrote to memory of 592 2664 7rrfxxf.exe 34 PID 2664 wrote to memory of 592 2664 7rrfxxf.exe 34 PID 2664 wrote to memory of 592 2664 7rrfxxf.exe 34 PID 2664 wrote to memory of 592 2664 7rrfxxf.exe 34 PID 592 wrote to memory of 2720 592 bbnthn.exe 35 PID 592 wrote to memory of 2720 592 bbnthn.exe 35 PID 592 wrote to memory of 2720 592 bbnthn.exe 35 PID 592 wrote to memory of 2720 592 bbnthn.exe 35 PID 2720 wrote to memory of 2848 2720 vpvdj.exe 36 PID 2720 wrote to memory of 2848 2720 vpvdj.exe 36 PID 2720 wrote to memory of 2848 2720 vpvdj.exe 36 PID 2720 wrote to memory of 2848 2720 vpvdj.exe 36 PID 2848 wrote to memory of 2780 2848 jdvvv.exe 37 PID 2848 wrote to memory of 2780 2848 jdvvv.exe 37 PID 2848 wrote to memory of 2780 2848 jdvvv.exe 37 PID 2848 wrote to memory of 2780 2848 jdvvv.exe 37 PID 2780 wrote to memory of 2876 2780 fxrxlxx.exe 38 PID 2780 wrote to memory of 2876 2780 fxrxlxx.exe 38 PID 2780 wrote to memory of 2876 2780 fxrxlxx.exe 
38 PID 2780 wrote to memory of 2876 2780 fxrxlxx.exe 38 PID 2876 wrote to memory of 2376 2876 lxrxxfl.exe 39 PID 2876 wrote to memory of 2376 2876 lxrxxfl.exe 39 PID 2876 wrote to memory of 2376 2876 lxrxxfl.exe 39 PID 2876 wrote to memory of 2376 2876 lxrxxfl.exe 39 PID 2376 wrote to memory of 2580 2376 hthhnn.exe 40 PID 2376 wrote to memory of 2580 2376 hthhnn.exe 40 PID 2376 wrote to memory of 2580 2376 hthhnn.exe 40 PID 2376 wrote to memory of 2580 2376 hthhnn.exe 40 PID 2580 wrote to memory of 2700 2580 dpdvj.exe 41 PID 2580 wrote to memory of 2700 2580 dpdvj.exe 41 PID 2580 wrote to memory of 2700 2580 dpdvj.exe 41 PID 2580 wrote to memory of 2700 2580 dpdvj.exe 41 PID 2700 wrote to memory of 768 2700 lxflrrx.exe 42 PID 2700 wrote to memory of 768 2700 lxflrrx.exe 42 PID 2700 wrote to memory of 768 2700 lxflrrx.exe 42 PID 2700 wrote to memory of 768 2700 lxflrrx.exe 42 PID 768 wrote to memory of 1544 768 1fxrflr.exe 43 PID 768 wrote to memory of 1544 768 1fxrflr.exe 43 PID 768 wrote to memory of 1544 768 1fxrflr.exe 43 PID 768 wrote to memory of 1544 768 1fxrflr.exe 43 PID 1544 wrote to memory of 1984 1544 ttthnt.exe 44 PID 1544 wrote to memory of 1984 1544 ttthnt.exe 44 PID 1544 wrote to memory of 1984 1544 ttthnt.exe 44 PID 1544 wrote to memory of 1984 1544 ttthnt.exe 44 PID 1984 wrote to memory of 2484 1984 httttt.exe 45 PID 1984 wrote to memory of 2484 1984 httttt.exe 45 PID 1984 wrote to memory of 2484 1984 httttt.exe 45 PID 1984 wrote to memory of 2484 1984 httttt.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\lfrrffl.exec:\lfrrffl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\5dvjp.exec:\5dvjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\vvvjp.exec:\vvvjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\7rrfxxf.exec:\7rrfxxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\bbnthn.exec:\bbnthn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:592 -
\??\c:\vpvdj.exec:\vpvdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\jdvvv.exec:\jdvvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\fxrxlxx.exec:\fxrxlxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\lxrxxfl.exec:\lxrxxfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\hthhnn.exec:\hthhnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\dpdvj.exec:\dpdvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\lxflrrx.exec:\lxflrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\1fxrflr.exec:\1fxrflr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\ttthnt.exec:\ttthnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\httttt.exec:\httttt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\ddddd.exec:\ddddd.exe17⤵
- Executes dropped EXE
PID:2484 -
\??\c:\7rxxffl.exec:\7rxxffl.exe18⤵
- Executes dropped EXE
PID:1636 -
\??\c:\frfrxxx.exec:\frfrxxx.exe19⤵
- Executes dropped EXE
PID:2040 -
\??\c:\tnhhnn.exec:\tnhhnn.exe20⤵
- Executes dropped EXE
PID:1340 -
\??\c:\tttbnt.exec:\tttbnt.exe21⤵
- Executes dropped EXE
PID:1196 -
\??\c:\5dvvj.exec:\5dvvj.exe22⤵
- Executes dropped EXE
PID:2896 -
\??\c:\dvjvp.exec:\dvjvp.exe23⤵
- Executes dropped EXE
PID:2992 -
\??\c:\xxrrlrx.exec:\xxrrlrx.exe24⤵
- Executes dropped EXE
PID:1800 -
\??\c:\lfxlxxr.exec:\lfxlxxr.exe25⤵
- Executes dropped EXE
PID:660 -
\??\c:\htnntb.exec:\htnntb.exe26⤵
- Executes dropped EXE
PID:916 -
\??\c:\tnbnht.exec:\tnbnht.exe27⤵
- Executes dropped EXE
PID:2292 -
\??\c:\vpjjv.exec:\vpjjv.exe28⤵
- Executes dropped EXE
PID:1832 -
\??\c:\rrflrrx.exec:\rrflrrx.exe29⤵
- Executes dropped EXE
PID:1648 -
\??\c:\xrlrxxx.exec:\xrlrxxx.exe30⤵
- Executes dropped EXE
PID:904 -
\??\c:\thnnbb.exec:\thnnbb.exe31⤵
- Executes dropped EXE
PID:2944 -
\??\c:\pvddd.exec:\pvddd.exe32⤵
- Executes dropped EXE
PID:1396 -
\??\c:\vpdjp.exec:\vpdjp.exe33⤵
- Executes dropped EXE
PID:2120 -
\??\c:\frfxflr.exec:\frfxflr.exe34⤵
- Executes dropped EXE
PID:880 -
\??\c:\3btbnn.exec:\3btbnn.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2300 -
\??\c:\htnhnn.exec:\htnhnn.exe36⤵
- Executes dropped EXE
PID:2552 -
\??\c:\thtbtn.exec:\thtbtn.exe37⤵
- Executes dropped EXE
PID:1480 -
\??\c:\vpvdd.exec:\vpvdd.exe38⤵
- Executes dropped EXE
PID:2196 -
\??\c:\xrllrrx.exec:\xrllrrx.exe39⤵
- Executes dropped EXE
PID:2548 -
\??\c:\lfrrfxf.exec:\lfrrfxf.exe40⤵
- Executes dropped EXE
PID:844 -
\??\c:\hthnbb.exec:\hthnbb.exe41⤵
- Executes dropped EXE
PID:2084 -
\??\c:\bnttbb.exec:\bnttbb.exe42⤵
- Executes dropped EXE
PID:2664 -
\??\c:\vvpvp.exec:\vvpvp.exe43⤵
- Executes dropped EXE
PID:2884 -
\??\c:\5pvdp.exec:\5pvdp.exe44⤵
- Executes dropped EXE
PID:2016 -
\??\c:\tnttnt.exec:\tnttnt.exe45⤵
- Executes dropped EXE
PID:2952 -
\??\c:\3thbhn.exec:\3thbhn.exe46⤵
- Executes dropped EXE
PID:2812 -
\??\c:\vdjdd.exec:\vdjdd.exe47⤵
- Executes dropped EXE
PID:2160 -
\??\c:\jjdjp.exec:\jjdjp.exe48⤵
- Executes dropped EXE
PID:2460 -
\??\c:\ffrffxf.exec:\ffrffxf.exe49⤵
- Executes dropped EXE
PID:3032 -
\??\c:\1frrxfl.exec:\1frrxfl.exe50⤵
- Executes dropped EXE
PID:2748 -
\??\c:\lxrrfxf.exec:\lxrrfxf.exe51⤵
- Executes dropped EXE
PID:2576 -
\??\c:\hbntbt.exec:\hbntbt.exe52⤵
- Executes dropped EXE
PID:2656 -
\??\c:\jdjdd.exec:\jdjdd.exe53⤵
- Executes dropped EXE
PID:2384 -
\??\c:\pjvvd.exec:\pjvvd.exe54⤵
- Executes dropped EXE
PID:3028 -
\??\c:\rrlfrrx.exec:\rrlfrrx.exe55⤵
- Executes dropped EXE
PID:1532 -
\??\c:\lflrrrx.exec:\lflrrrx.exe56⤵
- Executes dropped EXE
PID:2332 -
\??\c:\htbhhh.exec:\htbhhh.exe57⤵
- Executes dropped EXE
PID:1452 -
\??\c:\bhbnnt.exec:\bhbnnt.exe58⤵
- Executes dropped EXE
PID:1432 -
\??\c:\ppdjj.exec:\ppdjj.exe59⤵
- Executes dropped EXE
PID:2484 -
\??\c:\vpjdj.exec:\vpjdj.exe60⤵
- Executes dropped EXE
PID:336 -
\??\c:\rlrlxxf.exec:\rlrlxxf.exe61⤵
- Executes dropped EXE
PID:1880 -
\??\c:\lflrflr.exec:\lflrflr.exe62⤵
- Executes dropped EXE
PID:1948 -
\??\c:\hhhhbh.exec:\hhhhbh.exe63⤵
- Executes dropped EXE
PID:1268 -
\??\c:\7htbtt.exec:\7htbtt.exe64⤵
- Executes dropped EXE
PID:840 -
\??\c:\pvvvp.exec:\pvvvp.exe65⤵
- Executes dropped EXE
PID:2680 -
\??\c:\dpvvd.exec:\dpvvd.exe66⤵PID:2832
-
\??\c:\ffxlffl.exec:\ffxlffl.exe67⤵PID:2676
-
\??\c:\xxllrlr.exec:\xxllrlr.exe68⤵PID:2432
-
\??\c:\thnhhh.exec:\thnhhh.exe69⤵PID:1732
-
\??\c:\nhnntn.exec:\nhnntn.exe70⤵PID:444
-
\??\c:\vvpjd.exec:\vvpjd.exe71⤵PID:1608
-
\??\c:\ppppp.exec:\ppppp.exe72⤵PID:1456
-
\??\c:\xrrlxrr.exec:\xrrlxrr.exe73⤵PID:1992
-
\??\c:\lfrxfxl.exec:\lfrxfxl.exe74⤵PID:2900
-
\??\c:\1bntbb.exec:\1bntbb.exe75⤵PID:2284
-
\??\c:\ttbtbb.exec:\ttbtbb.exe76⤵PID:2240
-
\??\c:\1pvdv.exec:\1pvdv.exe77⤵PID:2260
-
\??\c:\vpddj.exec:\vpddj.exe78⤵PID:1872
-
\??\c:\flrfxrr.exec:\flrfxrr.exe79⤵PID:2120
-
\??\c:\fxrflrf.exec:\fxrflrf.exe80⤵PID:1848
-
\??\c:\3ntnnn.exec:\3ntnnn.exe81⤵PID:2096
-
\??\c:\tnbbhh.exec:\tnbbhh.exe82⤵PID:2344
-
\??\c:\hbhnnb.exec:\hbhnnb.exe83⤵PID:2064
-
\??\c:\rfxxflr.exec:\rfxxflr.exe84⤵PID:324
-
\??\c:\lxlrxxf.exec:\lxlrxxf.exe85⤵PID:2544
-
\??\c:\nhhhhh.exec:\nhhhhh.exe86⤵PID:2548
-
\??\c:\5btbnh.exec:\5btbnh.exe87⤵PID:2068
-
\??\c:\dvdjd.exec:\dvdjd.exe88⤵PID:1520
-
\??\c:\vddjp.exec:\vddjp.exe89⤵PID:2320
-
\??\c:\rlflffr.exec:\rlflffr.exe90⤵PID:956
-
\??\c:\lrlrfrl.exec:\lrlrfrl.exe91⤵PID:2884
-
\??\c:\ttntbh.exec:\ttntbh.exe92⤵PID:2016
-
\??\c:\btbhbb.exec:\btbhbb.exe93⤵PID:2588
-
\??\c:\vjpjp.exec:\vjpjp.exe94⤵PID:2788
-
\??\c:\3pddd.exec:\3pddd.exe95⤵PID:2776
-
\??\c:\3frlffr.exec:\3frlffr.exe96⤵PID:2852
-
\??\c:\5rllrxf.exec:\5rllrxf.exe97⤵PID:3032
-
\??\c:\thnnnn.exec:\thnnnn.exe98⤵PID:2744
-
\??\c:\nbntnn.exec:\nbntnn.exe99⤵PID:2644
-
\??\c:\ddpjd.exec:\ddpjd.exe100⤵PID:2656
-
\??\c:\ddpjp.exec:\ddpjp.exe101⤵PID:1708
-
\??\c:\rffflrl.exec:\rffflrl.exe102⤵PID:3028
-
\??\c:\lfrrfxx.exec:\lfrrfxx.exe103⤵PID:1492
-
\??\c:\llrxfxf.exec:\llrxfxf.exe104⤵PID:2424
-
\??\c:\9htbtb.exec:\9htbtb.exe105⤵PID:1640
-
\??\c:\bthnth.exec:\bthnth.exe106⤵PID:1808
-
\??\c:\vdppp.exec:\vdppp.exe107⤵PID:1636
-
\??\c:\jvddp.exec:\jvddp.exe108⤵PID:852
-
\??\c:\rlxflrl.exec:\rlxflrl.exe109⤵PID:1652
-
\??\c:\ffxlxrl.exec:\ffxlxrl.exe110⤵PID:1340
-
\??\c:\nnhnhh.exec:\nnhnhh.exe111⤵PID:2828
-
\??\c:\tnbbbh.exec:\tnbbbh.exe112⤵PID:2904
-
\??\c:\vpvvv.exec:\vpvvv.exe113⤵PID:532
-
\??\c:\9vvdv.exec:\9vvdv.exe114⤵PID:2200
-
\??\c:\rfxrrll.exec:\rfxrrll.exe115⤵PID:1800
-
\??\c:\fxlxfxr.exec:\fxlxfxr.exe116⤵PID:1956
-
\??\c:\nbnbhh.exec:\nbnbhh.exe117⤵PID:916
-
\??\c:\5bbnbh.exec:\5bbnbh.exe118⤵PID:444
-
\??\c:\dvjjj.exec:\dvjjj.exe119⤵PID:908
-
\??\c:\9jvdv.exec:\9jvdv.exe120⤵PID:848
-
\??\c:\jdvvv.exec:\jdvvv.exe121⤵PID:856
-
\??\c:\3lfxlxf.exec:\3lfxlxf.exe122⤵PID:1720