Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20/08/2024, 13:27
Behavioral task
behavioral1
Sample
af670600dee2bf13a68eb962cce8f122_JaffaCakes118.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
af670600dee2bf13a68eb962cce8f122_JaffaCakes118.exe
-
Size
16KB
-
MD5
af670600dee2bf13a68eb962cce8f122
-
SHA1
d3a0df4cf5507f03791c93bceef52b02a44c1f32
-
SHA256
90ed95f853a87a71be01f4de413543f2ffeb6ec39356c22f402543fc97f3a9a6
-
SHA512
9a13a720444862243e9de1289472b3ded663bb994616929e10faded7032a5f3d0f683fad426669f736620a7eea3f002c7ad4a41bc67a38dacf424d0684a0d2d2
-
SSDEEP
384:OddLj0+4m8YYJc6gn/YRYuuk73eWo8pU:MdLj0uYJhc/YRrDDo8p
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 1276 tarkmgr.exe 3352 tarkmgr.exe 2752 tarkmgr.exe 4376 tarkmgr.exe 840 tarkmgr.exe 2664 tarkmgr.exe 3464 tarkmgr.exe 2392 tarkmgr.exe 2748 tarkmgr.exe 4876 tarkmgr.exe 1708 tarkmgr.exe 920 tarkmgr.exe 5032 tarkmgr.exe 4836 tarkmgr.exe 3156 tarkmgr.exe 552 tarkmgr.exe 2628 tarkmgr.exe 3372 tarkmgr.exe 2940 tarkmgr.exe 2688 tarkmgr.exe 4488 tarkmgr.exe 3892 tarkmgr.exe 4208 tarkmgr.exe 4860 tarkmgr.exe 4492 tarkmgr.exe 2092 tarkmgr.exe 4824 tarkmgr.exe 3104 tarkmgr.exe 4460 tarkmgr.exe 1224 tarkmgr.exe 4480 tarkmgr.exe 3680 tarkmgr.exe 4072 tarkmgr.exe 2844 tarkmgr.exe 3640 tarkmgr.exe 3036 tarkmgr.exe 2704 tarkmgr.exe 4564 tarkmgr.exe 3968 tarkmgr.exe 4828 tarkmgr.exe 5076 tarkmgr.exe 3292 tarkmgr.exe 1340 tarkmgr.exe 2624 tarkmgr.exe 2128 tarkmgr.exe 3872 tarkmgr.exe 4592 tarkmgr.exe 4892 tarkmgr.exe 3040 tarkmgr.exe 4668 tarkmgr.exe 2440 tarkmgr.exe 4092 tarkmgr.exe 4512 tarkmgr.exe 4580 tarkmgr.exe 1756 tarkmgr.exe 1796 tarkmgr.exe 4844 tarkmgr.exe 4616 tarkmgr.exe 2752 tarkmgr.exe 4880 tarkmgr.exe 1948 tarkmgr.exe 2284 tarkmgr.exe 940 tarkmgr.exe 3508 tarkmgr.exe -
resource yara_rule behavioral2/memory/3516-0-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/files/0x00090000000233f8-3.dat upx behavioral2/memory/1276-5-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3516-7-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3352-12-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4376-16-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3464-23-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/2392-25-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3156-41-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/2688-51-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3292-96-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/4676-409-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/424-515-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/684-571-0x0000000000400000-0x0000000000410000-memory.dmp upx behavioral2/memory/3296-751-0x0000000000400000-0x0000000000410000-memory.dmp upx -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe Process not Found File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe Process not Found File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe File created C:\Windows\SysWOW64\tarkmgr.exe tarkmgr.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$ tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$ tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$ tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$ tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$ tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$ tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$ tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$ tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$ tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$ tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$ tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$ tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$ tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\FlashFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$ tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\RecentFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles tarkmgr.exe File opened for modification C:\Windows\$NtUninstallKB900727$\LastFiles Process not Found -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tarkmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3516 wrote to memory of 1276 3516 af670600dee2bf13a68eb962cce8f122_JaffaCakes118.exe 84 PID 3516 wrote to memory of 1276 3516 af670600dee2bf13a68eb962cce8f122_JaffaCakes118.exe 84 PID 3516 wrote to memory of 1276 3516 af670600dee2bf13a68eb962cce8f122_JaffaCakes118.exe 84 PID 1276 wrote to memory of 3352 1276 tarkmgr.exe 92 PID 1276 wrote to memory of 3352 1276 tarkmgr.exe 92 PID 1276 wrote to memory of 3352 1276 tarkmgr.exe 92 PID 3352 wrote to memory of 2752 3352 tarkmgr.exe 93 PID 3352 wrote to memory of 2752 3352 tarkmgr.exe 93 PID 3352 wrote to memory of 2752 3352 tarkmgr.exe 93 PID 2752 wrote to memory of 4376 2752 tarkmgr.exe 94 PID 2752 wrote to memory of 4376 2752 tarkmgr.exe 94 PID 2752 wrote to memory of 4376 2752 tarkmgr.exe 94 PID 4376 wrote to memory of 840 4376 tarkmgr.exe 95 PID 4376 wrote to memory of 840 4376 tarkmgr.exe 95 PID 4376 wrote to memory of 840 4376 tarkmgr.exe 95 PID 840 wrote to memory of 2664 840 tarkmgr.exe 96 PID 840 wrote to memory of 2664 840 tarkmgr.exe 96 PID 840 wrote to memory of 2664 840 tarkmgr.exe 96 PID 2664 wrote to memory of 3464 2664 tarkmgr.exe 97 PID 2664 wrote to memory of 3464 2664 tarkmgr.exe 97 PID 2664 wrote to memory of 3464 2664 tarkmgr.exe 97 PID 3464 wrote to memory of 2392 3464 tarkmgr.exe 98 PID 3464 wrote to memory of 2392 3464 tarkmgr.exe 98 PID 3464 wrote to memory of 2392 3464 tarkmgr.exe 98 PID 2392 wrote to memory of 2748 2392 tarkmgr.exe 99 PID 2392 wrote to memory of 2748 2392 tarkmgr.exe 99 PID 2392 wrote to memory of 2748 2392 tarkmgr.exe 99 PID 2748 wrote to memory of 4876 2748 tarkmgr.exe 100 PID 2748 wrote to memory of 4876 2748 tarkmgr.exe 100 PID 2748 wrote to memory of 4876 2748 tarkmgr.exe 100 PID 4876 wrote to memory of 1708 4876 tarkmgr.exe 101 PID 4876 wrote to memory of 1708 4876 tarkmgr.exe 101 PID 4876 wrote to memory of 1708 4876 tarkmgr.exe 101 PID 1708 wrote to memory of 920 1708 tarkmgr.exe 102 PID 1708 wrote to memory of 920 1708 tarkmgr.exe 102 PID 1708 wrote to memory of 920 1708 tarkmgr.exe 102 PID 920 wrote to memory of 5032 920 tarkmgr.exe 103 PID 920 wrote to memory of 5032 920 tarkmgr.exe 103 PID 920 wrote to memory of 5032 920 tarkmgr.exe 103 PID 5032 wrote to memory of 4836 5032 tarkmgr.exe 104 PID 5032 wrote to memory of 4836 5032 tarkmgr.exe 104 PID 5032 wrote to memory of 4836 5032 tarkmgr.exe 104 PID 4836 wrote to memory of 3156 4836 tarkmgr.exe 105 PID 4836 wrote to memory of 3156 4836 tarkmgr.exe 105 PID 4836 wrote to memory of 3156 4836 tarkmgr.exe 105 PID 3156 wrote to memory of 552 3156 tarkmgr.exe 106 PID 3156 wrote to memory of 552 3156 tarkmgr.exe 106 PID 3156 wrote to memory of 552 3156 tarkmgr.exe 106 PID 552 wrote to memory of 2628 552 tarkmgr.exe 107 PID 552 wrote to memory of 2628 552 tarkmgr.exe 107 PID 552 wrote to memory of 2628 552 tarkmgr.exe 107 PID 2628 wrote to memory of 3372 2628 tarkmgr.exe 108 PID 2628 wrote to memory of 3372 2628 tarkmgr.exe 108 PID 2628 wrote to memory of 3372 2628 tarkmgr.exe 108 PID 3372 wrote to memory of 2940 3372 tarkmgr.exe 109 PID 3372 wrote to memory of 2940 3372 tarkmgr.exe 109 PID 3372 wrote to memory of 2940 3372 tarkmgr.exe 109 PID 2940 wrote to memory of 2688 2940 tarkmgr.exe 110 PID 2940 wrote to memory of 2688 2940 tarkmgr.exe 110 PID 2940 wrote to memory of 2688 2940 tarkmgr.exe 110 PID 2688 wrote to memory of 4488 2688 tarkmgr.exe 111 PID 2688 wrote to memory of 4488 2688 tarkmgr.exe 111 PID 2688 wrote to memory of 4488 2688 tarkmgr.exe 111 PID 4488 wrote to memory of 3892 4488 tarkmgr.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\af670600dee2bf13a68eb962cce8f122_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\af670600dee2bf13a68eb962cce8f122_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe23⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3892 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe24⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe25⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe26⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe28⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe29⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4460 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe31⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe32⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3680 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe34⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe35⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3640 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe37⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe38⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe39⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3968 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe41⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe42⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe43⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe44⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe45⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe46⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe47⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe48⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe49⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe50⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe51⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe52⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe53⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe54⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe55⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe56⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe57⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe58⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe59⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe60⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4880 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe62⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe63⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2284 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe64⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:940 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe65⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe66⤵
- System Location Discovery: System Language Discovery
PID:4724 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe67⤵PID:3348
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe68⤵PID:5024
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe69⤵PID:2528
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe70⤵PID:1616
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe71⤵PID:2688
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe72⤵PID:3960
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe73⤵PID:4652
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe74⤵
- Drops file in Windows directory
PID:4220 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe75⤵PID:3940
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe76⤵
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe77⤵PID:1276
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe78⤵PID:1052
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe79⤵PID:4472
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe80⤵PID:2396
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe81⤵PID:852
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe82⤵
- Drops file in Windows directory
PID:844 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe83⤵PID:1608
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe84⤵PID:1920
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe85⤵PID:4480
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe86⤵PID:2668
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe87⤵PID:4072
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe88⤵PID:508
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe89⤵PID:924
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe90⤵PID:3136
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe91⤵PID:3036
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe92⤵
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe93⤵
- Drops file in Windows directory
PID:5020 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe94⤵PID:2208
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe95⤵PID:1968
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe96⤵
- System Location Discovery: System Language Discovery
PID:5076 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe97⤵PID:3444
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe98⤵
- Drops file in System32 directory
PID:396 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe99⤵PID:1340
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe100⤵PID:2916
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe101⤵PID:220
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe102⤵PID:2376
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe103⤵PID:2792
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe104⤵
- Drops file in Windows directory
PID:3040 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe105⤵PID:1972
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe106⤵PID:3344
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe107⤵PID:2924
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe108⤵PID:4092
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe109⤵PID:2956
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe110⤵PID:4580
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe111⤵PID:5012
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe112⤵
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe113⤵PID:4888
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe114⤵PID:2928
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe115⤵PID:3004
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe116⤵PID:3100
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe117⤵PID:764
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe118⤵
- Drops file in System32 directory
PID:3508 -
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe119⤵PID:3124
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe120⤵PID:2772
-
C:\Windows\SysWOW64\tarkmgr.exeC:\Windows\system32\tarkmgr.exe121⤵PID:3420
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-