Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:35
Behavioral task
behavioral1
Sample
JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe
-
Size
49KB
-
MD5
9350d86d2640e7caf05a04051c3f3cec
-
SHA1
4a2c4b668be9172c7f3735fcfd02b85dd01dd191
-
SHA256
00e4ccae2ee8d3210ad1d2e99c416c2014ed8cadab6fe8ba34cc3eafacd90cc9
-
SHA512
994c9267047064c8149beaf1e5868b69220e7377af4fcc33e2726b4b30e517160f42148379dc0010e0df92a50c02db35b03204ce1dbeff6d8c96e76ffd16a8f7
-
SSDEEP
1536:LvQBeOGtrYS3srx93UBWfwC6Ggnouy8g5Uhuz:LhOmTsF93UYfwC6GIoutg5UhK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/948-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2764-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/544-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4668-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3480-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1120-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2080-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4584-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3200-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4256-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1784-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/100-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1724-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3928-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3712-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1528-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/748-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2032-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2796-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3564-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1184-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2176-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/624-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1224-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4888-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3036-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3240-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2612-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4732-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4736-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2824-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4308-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2588-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1120-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/32-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4876-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1164-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3872-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3020-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1184-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3300-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4588-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3340-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4744-395-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/460-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4868-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4200-548-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2276-575-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-578-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3332-589-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/324-742-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-1123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2764 bnnhhb.exe 544 7pdpj.exe 4668 fxlfxrl.exe 1612 xfxlxrf.exe 3480 httnbb.exe 1120 ntnhbt.exe 4800 3ppdv.exe 2080 9xfllrr.exe 4584 hthbnh.exe 4040 pvdpd.exe 3200 vjjdp.exe 4256 rrxrrll.exe 4952 nbnhbt.exe 1784 hhbtht.exe 100 9vppj.exe 824 pvdvj.exe 1724 rflfllf.exe 3928 nnhhbb.exe 3712 ddvpj.exe 2512 xlrrrll.exe 3988 thnbth.exe 1508 nbthbt.exe 1528 vvdvv.exe 1108 dvpjj.exe 4840 tnhtbt.exe 536 tbbnbb.exe 748 jdpjv.exe 2032 fxrfxrl.exe 4576 5nnhtn.exe 2796 pvdpd.exe 4844 dpvvj.exe 2544 lrfrrfx.exe 3564 bnnhhh.exe 1184 ttnnbb.exe 4564 bbbtbt.exe 2176 xllflfl.exe 624 hbthbt.exe 380 tbhthh.exe 3320 pdvpd.exe 1224 1flxrlx.exe 4888 xlfxlfr.exe 3036 tnnhtt.exe 4272 nhtnnh.exe 4756 vpjdd.exe 616 rfxxrrl.exe 2220 rlrlxxl.exe 3240 nbbtnh.exe 2612 3vdvp.exe 4732 5pvjd.exe 4984 rfxrxrr.exe 4736 hbbbtt.exe 5044 7btnbt.exe 2824 dpvjv.exe 1948 lrfxllf.exe 1752 nbbnhb.exe 4480 vjpjd.exe 3308 xlxxlrr.exe 4884 bhnhbt.exe 1772 dvjdj.exe 2588 jdjpj.exe 1580 fxllrll.exe 1828 xrrllfx.exe 2480 nbbnbh.exe 2604 vjdvd.exe -
resource yara_rule behavioral2/memory/948-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b96-3.dat upx behavioral2/memory/948-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c83-9.dat upx behavioral2/memory/2764-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/544-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c88-12.dat upx behavioral2/memory/4668-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c89-19.dat upx behavioral2/memory/1612-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8a-24.dat upx behavioral2/memory/3480-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8b-28.dat upx behavioral2/files/0x0007000000023c8c-33.dat upx behavioral2/memory/1120-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4800-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8d-39.dat upx behavioral2/memory/4800-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8e-44.dat upx behavioral2/memory/2080-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4584-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8f-49.dat upx behavioral2/files/0x0007000000023c90-54.dat upx behavioral2/files/0x0007000000023c91-58.dat upx behavioral2/memory/3200-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-63.dat upx behavioral2/memory/4256-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4952-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c93-68.dat upx behavioral2/memory/1784-73-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c94-74.dat upx behavioral2/memory/100-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c95-79.dat upx behavioral2/files/0x0007000000023c96-83.dat upx behavioral2/memory/1724-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c97-87.dat upx behavioral2/files/0x0007000000023c98-92.dat upx behavioral2/memory/3928-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3712-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c99-99.dat upx behavioral2/files/0x0007000000023c9a-102.dat upx behavioral2/files/0x0007000000023c9c-106.dat upx behavioral2/files/0x0007000000023c9d-110.dat upx behavioral2/files/0x0007000000023c9e-115.dat upx behavioral2/memory/1528-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c84-119.dat upx behavioral2/memory/4840-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-125.dat upx behavioral2/memory/536-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-130.dat upx behavioral2/memory/748-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-135.dat upx behavioral2/memory/2032-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca2-138.dat upx behavioral2/files/0x0007000000023c8f-143.dat upx behavioral2/memory/2796-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-148.dat upx behavioral2/files/0x0007000000023ca4-153.dat upx behavioral2/memory/4844-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2544-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3564-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1184-163-0x0000000000400000-0x0000000000427000-memory.dmp 
upx behavioral2/memory/2176-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/624-171-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 948 wrote to memory of 2764 948 JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe 82 PID 948 wrote to memory of 2764 948 JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe 82 PID 948 wrote to memory of 2764 948 JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe 82 PID 2764 wrote to memory of 544 2764 bnnhhb.exe 83 PID 2764 wrote to memory of 544 2764 bnnhhb.exe 83 PID 2764 wrote to memory of 544 2764 bnnhhb.exe 83 PID 544 wrote to memory of 4668 544 7pdpj.exe 84 PID 544 wrote to memory of 4668 544 7pdpj.exe 84 PID 544 wrote to memory of 4668 544 7pdpj.exe 84 PID 4668 wrote to memory of 1612 4668 fxlfxrl.exe 85 PID 4668 wrote to memory of 1612 4668 fxlfxrl.exe 85 PID 4668 wrote to memory of 1612 4668 fxlfxrl.exe 85 PID 1612 wrote to memory of 3480 1612 xfxlxrf.exe 86 PID 1612 wrote to memory of 3480 1612 xfxlxrf.exe 86 PID 1612 wrote to memory of 3480 1612 xfxlxrf.exe 86 PID 3480 wrote to memory of 1120 3480 httnbb.exe 87 PID 3480 wrote to memory of 1120 3480 httnbb.exe 87 PID 3480 wrote to memory of 1120 3480 httnbb.exe 87 PID 1120 wrote to memory of 4800 1120 ntnhbt.exe 88 PID 1120 wrote to memory of 4800 1120 ntnhbt.exe 88 PID 1120 wrote to memory of 4800 1120 ntnhbt.exe 88 PID 4800 wrote to memory of 2080 4800 3ppdv.exe 89 PID 4800 wrote to memory of 2080 4800 3ppdv.exe 89 PID 4800 wrote to memory of 2080 4800 3ppdv.exe 89 PID 2080 wrote to memory of 4584 2080 9xfllrr.exe 90 PID 2080 wrote to memory of 4584 2080 9xfllrr.exe 90 PID 2080 wrote to memory of 4584 2080 9xfllrr.exe 90 PID 4584 wrote to memory of 4040 4584 hthbnh.exe 91 PID 4584 wrote to memory of 4040 4584 hthbnh.exe 91 PID 4584 wrote to memory of 4040 4584 hthbnh.exe 91 PID 4040 wrote to memory of 3200 4040 pvdpd.exe 92 PID 4040 wrote to memory of 3200 4040 pvdpd.exe 92 PID 4040 wrote to memory of 3200 4040 pvdpd.exe 92 PID 3200 wrote to memory of 4256 3200 vjjdp.exe 93 PID 3200 wrote to memory of 4256 3200 vjjdp.exe 93 PID 3200 wrote to memory of 4256 3200 
vjjdp.exe 93 PID 4256 wrote to memory of 4952 4256 rrxrrll.exe 94 PID 4256 wrote to memory of 4952 4256 rrxrrll.exe 94 PID 4256 wrote to memory of 4952 4256 rrxrrll.exe 94 PID 4952 wrote to memory of 1784 4952 nbnhbt.exe 95 PID 4952 wrote to memory of 1784 4952 nbnhbt.exe 95 PID 4952 wrote to memory of 1784 4952 nbnhbt.exe 95 PID 1784 wrote to memory of 100 1784 hhbtht.exe 96 PID 1784 wrote to memory of 100 1784 hhbtht.exe 96 PID 1784 wrote to memory of 100 1784 hhbtht.exe 96 PID 100 wrote to memory of 824 100 9vppj.exe 97 PID 100 wrote to memory of 824 100 9vppj.exe 97 PID 100 wrote to memory of 824 100 9vppj.exe 97 PID 824 wrote to memory of 1724 824 pvdvj.exe 98 PID 824 wrote to memory of 1724 824 pvdvj.exe 98 PID 824 wrote to memory of 1724 824 pvdvj.exe 98 PID 1724 wrote to memory of 3928 1724 rflfllf.exe 99 PID 1724 wrote to memory of 3928 1724 rflfllf.exe 99 PID 1724 wrote to memory of 3928 1724 rflfllf.exe 99 PID 3928 wrote to memory of 3712 3928 nnhhbb.exe 100 PID 3928 wrote to memory of 3712 3928 nnhhbb.exe 100 PID 3928 wrote to memory of 3712 3928 nnhhbb.exe 100 PID 3712 wrote to memory of 2512 3712 ddvpj.exe 101 PID 3712 wrote to memory of 2512 3712 ddvpj.exe 101 PID 3712 wrote to memory of 2512 3712 ddvpj.exe 101 PID 2512 wrote to memory of 3988 2512 xlrrrll.exe 102 PID 2512 wrote to memory of 3988 2512 xlrrrll.exe 102 PID 2512 wrote to memory of 3988 2512 xlrrrll.exe 102 PID 3988 wrote to memory of 1508 3988 thnbth.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9350d86d2640e7caf05a04051c3f3cec.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\bnnhhb.exec:\bnnhhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\7pdpj.exec:\7pdpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\fxlfxrl.exec:\fxlfxrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\xfxlxrf.exec:\xfxlxrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\httnbb.exec:\httnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\ntnhbt.exec:\ntnhbt.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\3ppdv.exec:\3ppdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\9xfllrr.exec:\9xfllrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\hthbnh.exec:\hthbnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\pvdpd.exec:\pvdpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\vjjdp.exec:\vjjdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\rrxrrll.exec:\rrxrrll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\nbnhbt.exec:\nbnhbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\hhbtht.exec:\hhbtht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\9vppj.exec:\9vppj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\pvdvj.exec:\pvdvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\rflfllf.exec:\rflfllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\nnhhbb.exec:\nnhhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\ddvpj.exec:\ddvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\xlrrrll.exec:\xlrrrll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\thnbth.exec:\thnbth.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\nbthbt.exec:\nbthbt.exe23⤵
- Executes dropped EXE
PID:1508 -
\??\c:\vvdvv.exec:\vvdvv.exe24⤵
- Executes dropped EXE
PID:1528 -
\??\c:\dvpjj.exec:\dvpjj.exe25⤵
- Executes dropped EXE
PID:1108 -
\??\c:\tnhtbt.exec:\tnhtbt.exe26⤵
- Executes dropped EXE
PID:4840 -
\??\c:\tbbnbb.exec:\tbbnbb.exe27⤵
- Executes dropped EXE
PID:536 -
\??\c:\jdpjv.exec:\jdpjv.exe28⤵
- Executes dropped EXE
PID:748 -
\??\c:\fxrfxrl.exec:\fxrfxrl.exe29⤵
- Executes dropped EXE
PID:2032 -
\??\c:\5nnhtn.exec:\5nnhtn.exe30⤵
- Executes dropped EXE
PID:4576 -
\??\c:\pvdpd.exec:\pvdpd.exe31⤵
- Executes dropped EXE
PID:2796 -
\??\c:\dpvvj.exec:\dpvvj.exe32⤵
- Executes dropped EXE
PID:4844 -
\??\c:\lrfrrfx.exec:\lrfrrfx.exe33⤵
- Executes dropped EXE
PID:2544 -
\??\c:\bnnhhh.exec:\bnnhhh.exe34⤵
- Executes dropped EXE
PID:3564 -
\??\c:\ttnnbb.exec:\ttnnbb.exe35⤵
- Executes dropped EXE
PID:1184 -
\??\c:\bbbtbt.exec:\bbbtbt.exe36⤵
- Executes dropped EXE
PID:4564 -
\??\c:\xllflfl.exec:\xllflfl.exe37⤵
- Executes dropped EXE
PID:2176 -
\??\c:\hbthbt.exec:\hbthbt.exe38⤵
- Executes dropped EXE
PID:624 -
\??\c:\tbhthh.exec:\tbhthh.exe39⤵
- Executes dropped EXE
PID:380 -
\??\c:\pdvpd.exec:\pdvpd.exe40⤵
- Executes dropped EXE
PID:3320 -
\??\c:\1flxrlx.exec:\1flxrlx.exe41⤵
- Executes dropped EXE
PID:1224 -
\??\c:\xlfxlfr.exec:\xlfxlfr.exe42⤵
- Executes dropped EXE
PID:4888 -
\??\c:\tnnhtt.exec:\tnnhtt.exe43⤵
- Executes dropped EXE
PID:3036 -
\??\c:\nhtnnh.exec:\nhtnnh.exe44⤵
- Executes dropped EXE
PID:4272 -
\??\c:\vpjdd.exec:\vpjdd.exe45⤵
- Executes dropped EXE
PID:4756 -
\??\c:\rfxxrrl.exec:\rfxxrrl.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:616 -
\??\c:\rlrlxxl.exec:\rlrlxxl.exe47⤵
- Executes dropped EXE
PID:2220 -
\??\c:\nbbtnh.exec:\nbbtnh.exe48⤵
- Executes dropped EXE
PID:3240 -
\??\c:\3vdvp.exec:\3vdvp.exe49⤵
- Executes dropped EXE
PID:2612 -
\??\c:\5pvjd.exec:\5pvjd.exe50⤵
- Executes dropped EXE
PID:4732 -
\??\c:\rfxrxrr.exec:\rfxrxrr.exe51⤵
- Executes dropped EXE
PID:4984 -
\??\c:\hbbbtt.exec:\hbbbtt.exe52⤵
- Executes dropped EXE
PID:4736 -
\??\c:\7btnbt.exec:\7btnbt.exe53⤵
- Executes dropped EXE
PID:5044 -
\??\c:\dpvjv.exec:\dpvjv.exe54⤵
- Executes dropped EXE
PID:2824 -
\??\c:\lrfxllf.exec:\lrfxllf.exe55⤵
- Executes dropped EXE
PID:1948 -
\??\c:\nbbnhb.exec:\nbbnhb.exe56⤵
- Executes dropped EXE
PID:1752 -
\??\c:\nthtnn.exec:\nthtnn.exe57⤵PID:4308
-
\??\c:\vjpjd.exec:\vjpjd.exe58⤵
- Executes dropped EXE
PID:4480 -
\??\c:\xlxxlrr.exec:\xlxxlrr.exe59⤵
- Executes dropped EXE
PID:3308 -
\??\c:\bhnhbt.exec:\bhnhbt.exe60⤵
- Executes dropped EXE
PID:4884 -
\??\c:\dvjdj.exec:\dvjdj.exe61⤵
- Executes dropped EXE
PID:1772 -
\??\c:\jdjpj.exec:\jdjpj.exe62⤵
- Executes dropped EXE
PID:2588 -
\??\c:\fxllrll.exec:\fxllrll.exe63⤵
- Executes dropped EXE
PID:1580 -
\??\c:\xrrllfx.exec:\xrrllfx.exe64⤵
- Executes dropped EXE
PID:1828 -
\??\c:\nbbnbh.exec:\nbbnbh.exe65⤵
- Executes dropped EXE
PID:2480 -
\??\c:\vjdvd.exec:\vjdvd.exe66⤵
- Executes dropped EXE
PID:2604 -
\??\c:\vpjdv.exec:\vpjdv.exe67⤵PID:1120
-
\??\c:\fxfxfrx.exec:\fxfxfrx.exe68⤵PID:3684
-
\??\c:\7rxxrlf.exec:\7rxxrlf.exe69⤵PID:32
-
\??\c:\nbtnbb.exec:\nbtnbb.exe70⤵PID:3236
-
\??\c:\vpdvp.exec:\vpdvp.exe71⤵PID:4460
-
\??\c:\jvvpd.exec:\jvvpd.exe72⤵PID:732
-
\??\c:\7flfxxr.exec:\7flfxxr.exe73⤵PID:4876
-
\??\c:\3flxrrl.exec:\3flxrrl.exe74⤵PID:1164
-
\??\c:\ntnhth.exec:\ntnhth.exe75⤵PID:1160
-
\??\c:\tnnhtn.exec:\tnnhtn.exe76⤵PID:1756
-
\??\c:\vjpdd.exec:\vjpdd.exe77⤵PID:2028
-
\??\c:\lrlfrll.exec:\lrlfrll.exe78⤵PID:4932
-
\??\c:\rffrfxr.exec:\rffrfxr.exe79⤵PID:2836
-
\??\c:\nhbtnh.exec:\nhbtnh.exe80⤵PID:116
-
\??\c:\5pvpp.exec:\5pvpp.exe81⤵PID:4332
-
\??\c:\jppvj.exec:\jppvj.exe82⤵PID:4568
-
\??\c:\lxxlflf.exec:\lxxlflf.exe83⤵PID:1304
-
\??\c:\ttbthb.exec:\ttbthb.exe84⤵PID:3404
-
\??\c:\bbhhbb.exec:\bbhhbb.exe85⤵PID:4064
-
\??\c:\jppjd.exec:\jppjd.exe86⤵PID:1588
-
\??\c:\pddpd.exec:\pddpd.exe87⤵PID:2072
-
\??\c:\fflxrlf.exec:\fflxrlf.exe88⤵PID:4980
-
\??\c:\btthbt.exec:\btthbt.exe89⤵PID:5032
-
\??\c:\pddpv.exec:\pddpv.exe90⤵PID:3872
-
\??\c:\ddjdv.exec:\ddjdv.exe91⤵PID:3448
-
\??\c:\ffxrrrl.exec:\ffxrrrl.exe92⤵PID:1528
-
\??\c:\lfxxllr.exec:\lfxxllr.exe93⤵PID:2120
-
\??\c:\hbnhnh.exec:\hbnhnh.exe94⤵PID:2704
-
\??\c:\vvvpj.exec:\vvvpj.exe95⤵PID:5048
-
\??\c:\dpppj.exec:\dpppj.exe96⤵PID:2912
-
\??\c:\9xfxxxx.exec:\9xfxxxx.exe97⤵PID:2980
-
\??\c:\xrfxfxl.exec:\xrfxfxl.exe98⤵PID:4224
-
\??\c:\btnhbt.exec:\btnhbt.exe99⤵PID:3600
-
\??\c:\hhttbb.exec:\hhttbb.exe100⤵PID:2424
-
\??\c:\dppdp.exec:\dppdp.exe101⤵PID:880
-
\??\c:\jdjdp.exec:\jdjdp.exe102⤵PID:4788
-
\??\c:\7xxrlfr.exec:\7xxrlfr.exe103⤵PID:2296
-
\??\c:\lfxrffx.exec:\lfxrffx.exe104⤵PID:3768
-
\??\c:\hbbbnn.exec:\hbbbnn.exe105⤵PID:4452
-
\??\c:\btnbnh.exec:\btnbnh.exe106⤵PID:3020
-
\??\c:\jpjdp.exec:\jpjdp.exe107⤵PID:3544
-
\??\c:\lxxfrxr.exec:\lxxfrxr.exe108⤵PID:1184
-
\??\c:\hnthhn.exec:\hnthhn.exe109⤵PID:4608
-
\??\c:\jddjv.exec:\jddjv.exe110⤵PID:3300
-
\??\c:\jvvpd.exec:\jvvpd.exe111⤵PID:4616
-
\??\c:\jpvpd.exec:\jpvpd.exe112⤵PID:4700
-
\??\c:\lxrxllx.exec:\lxrxllx.exe113⤵PID:3280
-
\??\c:\flxxrrl.exec:\flxxrrl.exe114⤵PID:3588
-
\??\c:\nhbtnh.exec:\nhbtnh.exe115⤵PID:692
-
\??\c:\bnnbnh.exec:\bnnbnh.exe116⤵PID:4348
-
\??\c:\jvpjv.exec:\jvpjv.exe117⤵PID:4292
-
\??\c:\rxfrfxr.exec:\rxfrfxr.exe118⤵PID:4100
-
\??\c:\flrrrxf.exec:\flrrrxf.exe119⤵PID:3088
-
\??\c:\thhbbb.exec:\thhbbb.exe120⤵PID:4588
-
\??\c:\btbbtt.exec:\btbbtt.exe121⤵PID:4072
-
\??\c:\3jjvp.exec:\3jjvp.exe122⤵PID:2320