Analysis
max time kernel: 94s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/09/2024, 12:25
Behavioral task: behavioral1
Sample: da5815229e3549e953f618290ffc6101_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: da5815229e3549e953f618290ffc6101_JaffaCakes118.exe
Size: 780KB
MD5: da5815229e3549e953f618290ffc6101
SHA1: 91c3e33569519ecd784e638a136648b8a9b8202d
SHA256: d193b4b87cfab1cef8c1c6fc1c31be3a2446c864576d70fdc43c5e07d12e8822
SHA512: ac0c50b60716300a4a51878ef4d32767cc692221580b5401d9a0f3cd43d258cc6c29fd675d4a206ce6c580801858b27d32a3a2f4124851caa013de6bb96fdb48
SSDEEP: 12288:HPFdPZdPzPFdPGPFdPZdPzPFdPbPFdPZdPzPFdPkSDyTFtj:oDyTFtj
Malware Config
Signatures
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried (identical for all 64 entries)
ioc: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (identical for all 64 entries)
Process (one entry per process, in report order):
tmp240627578.exe, tmp240629375.exe, tmp240636015.exe, tmp240627890.exe, tmp240634593.exe, tmp240635046.exe, tmp240636437.exe, tmp240622593.exe,
tmp240628703.exe, tmp240622812.exe, tmp240623031.exe, tmp240636281.exe, tmp240623640.exe, tmp240627187.exe, tmp240629515.exe, tmp240623140.exe,
tmp240628546.exe, tmp240635328.exe, tmp240636578.exe, tmp240622203.exe, tmp240624593.exe, tmp240626859.exe, tmp240628828.exe, tmp240635484.exe,
tmp240622921.exe, tmp240630593.exe, tmp240633531.exe, tmp240634125.exe, tmp240620750.exe, tmp240622703.exe, tmp240623234.exe, tmp240624390.exe,
tmp240625687.exe, tmp240633140.exe, tmp240636671.exe, tmp240624296.exe, tmp240625859.exe, tmp240630093.exe, tmp240631781.exe, tmp240622093.exe,
tmp240628953.exe, tmp240630468.exe, tmp240630703.exe, tmp240631562.exe, tmp240625234.exe, tmp240628406.exe, tmp240633000.exe, tmp240631015.exe,
tmp240632531.exe, tmp240632781.exe, tmp240620390.exe, tmp240621562.exe, tmp240624046.exe, tmp240625984.exe, tmp240628250.exe, tmp240632125.exe,
tmp240633375.exe, tmp240634765.exe, tmp240626093.exe, tmp240629796.exe, tmp240622390.exe, tmp240624156.exe, tmp240625359.exe, tmp240634906.exe
Executes dropped EXE (64 IoCs)
pid   Process
3424  tmp240619906.exe
3804  tmp240619921.exe
4516  tmp240620000.exe
220   tmp240620015.exe
1004  tmp240620062.exe
3524  tmp240620078.exe
3784  notpad.exe
1060  tmp240620390.exe
4676  tmp240620406.exe
2700  notpad.exe
4732  tmp240620593.exe
3820  tmp240620609.exe
5048  notpad.exe
3468  tmp240620750.exe
3632  tmp240620765.exe
3428  notpad.exe
744   tmp240620906.exe
2780  tmp240620921.exe
1680  notpad.exe
2280  tmp240621062.exe
60    tmp240621078.exe
1020  notpad.exe
4312  tmp240621250.exe
4100  tmp240621265.exe
4416  notpad.exe
1456  tmp240621390.exe
4720  tmp240621406.exe
2684  notpad.exe
1224  tmp240621562.exe
3340  tmp240621578.exe
1116  notpad.exe
896   tmp240621671.exe
2068  tmp240621703.exe
2344  notpad.exe
1280  tmp240621812.exe
1860  tmp240621828.exe
5100  notpad.exe
4232  tmp240621906.exe
4368  tmp240621921.exe
3012  notpad.exe
2496  tmp240622000.exe
2936  tmp240622015.exe
4744  notpad.exe
2560  tmp240622093.exe
2756  tmp240622109.exe
5048  notpad.exe
428   tmp240622203.exe
2616  tmp240622218.exe
2336  notpad.exe
1996  tmp240622296.exe
4332  tmp240622312.exe
1104  notpad.exe
4184  tmp240622390.exe
2292  tmp240622406.exe
2396  notpad.exe
5084  tmp240622484.exe
3268  tmp240622500.exe
1636  notpad.exe
1388  tmp240622593.exe
1656  tmp240622609.exe
2008  notpad.exe
4416  tmp240622703.exe
3620  tmp240622718.exe
3896  notpad.exe
resource  yara_rule (all 64 resources matched the rule upx)
behavioral2/memory/1136-0-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/files/0x00070000000234ac-7.dat  upx
behavioral2/memory/1136-10-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/files/0x00070000000234b1-20.dat  upx
behavioral2/files/0x00080000000234b0-33.dat  upx
behavioral2/memory/3804-38-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/220-50-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/220-35-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3784-78-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/files/0x00070000000234ae-64.dat  upx
behavioral2/memory/2700-100-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/5048-122-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3428-144-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1680-166-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1020-188-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/4416-210-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/2684-231-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1116-251-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/2344-267-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/5100-283-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3012-299-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/4744-315-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/5048-331-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/2336-347-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1104-363-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/2396-379-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1636-395-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/2008-411-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3896-427-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3508-443-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/896-459-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1920-475-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/4436-491-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3012-507-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/4744-523-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/428-539-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1996-555-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/4184-569-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/5084-573-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/5084-588-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/720-604-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/452-620-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3296-636-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3592-652-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1372-668-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/2288-684-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/464-700-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3732-716-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3928-732-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/2248-748-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/3240-762-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1728-780-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/4888-796-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1112-812-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/2164-828-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1832-844-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1480-860-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/2044-876-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/428-889-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/2892-913-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/936-918-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/2892-924-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1656-931-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral2/memory/1656-947-0x0000000000400000-0x000000000041F000-memory.dmp  upx
Drops file in System32 directory (64 IoCs)
description                   ioc                              Process
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240622203.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240622703.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240623437.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240628828.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240635703.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240636671.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240620593.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240626250.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240627578.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240635328.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240635859.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240637000.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240620906.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240627187.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240628125.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240631562.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240637000.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240621062.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240623640.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240629515.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240631890.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240620390.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240622593.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240630093.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240630593.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240631890.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240621250.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240621390.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240625859.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240625984.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240626671.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240636281.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240621671.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240621671.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240630093.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240630093.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240630468.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240632234.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240634125.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240636859.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240623640.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240627578.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240628250.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240628828.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240631562.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240633140.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240634406.exe
File created                  C:\Windows\SysWOW64\fsb.tmp      tmp240619906.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240621906.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240622203.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240624296.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240626859.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240628406.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240629078.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240630359.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240634765.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240624937.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240626093.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240627750.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240629656.exe
File created                  C:\Windows\SysWOW64\notpad.exe-  tmp240630593.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240625468.exe
File created                  C:\Windows\SysWOW64\notpad.exe   tmp240630703.exe
File opened for modification  C:\Windows\SysWOW64\fsb.tmp      tmp240636859.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened (identical for all 64 entries)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (identical for all 64 entries)
Process (one entry per process, in report order; notpad.exe appears once per process instance):
notpad.exe, tmp240624859.exe, tmp240627484.exe, notpad.exe, tmp240627781.exe, tmp240629328.exe, tmp240630421.exe, tmp240630609.exe,
tmp240633375.exe, tmp240633593.exe, tmp240634921.exe, tmp240636484.exe, notpad.exe, tmp240626875.exe, tmp240628156.exe, tmp240628718.exe,
notpad.exe, tmp240630843.exe, tmp240634546.exe, tmp240627953.exe, tmp240628890.exe, tmp240620593.exe, notpad.exe, tmp240627359.exe,
tmp240631203.exe, notpad.exe, tmp240634000.exe, tmp240626312.exe, tmp240629078.exe, notpad.exe, notpad.exe, tmp240634250.exe,
tmp240634312.exe, tmp240635359.exe, tmp240628328.exe, notpad.exe, notpad.exe, tmp240630593.exe, notpad.exe, tmp240633640.exe,
tmp240636171.exe, da5815229e3549e953f618290ffc6101_JaffaCakes118.exe, tmp240622015.exe, tmp240630703.exe, notpad.exe, notpad.exe, tmp240630625.exe, tmp240631609.exe,
tmp240633781.exe, tmp240635593.exe, tmp240635906.exe, tmp240621406.exe, tmp240622812.exe, tmp240629250.exe, tmp240629796.exe, tmp240631718.exe,
tmp240634609.exe, tmp240634796.exe, tmp240636593.exe, tmp240625484.exe, tmp240629671.exe, tmp240633328.exe, tmp240635718.exe, notpad.exe
Modifies registry class (64 IoCs)
description: Set value (str) (identical for all 64 entries)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1" (identical for all 64 entries)
Process (one entry per process, in report order):
tmp240624390.exe, tmp240628703.exe, tmp240633140.exe, tmp240635703.exe, tmp240623343.exe, tmp240627578.exe, tmp240632671.exe, tmp240634265.exe,
tmp240634765.exe, tmp240629796.exe, tmp240633375.exe, tmp240633875.exe, tmp240634125.exe, tmp240620593.exe, tmp240621906.exe, tmp240623234.exe,
tmp240623437.exe, tmp240626859.exe, tmp240627890.exe, tmp240626546.exe, tmp240632890.exe, tmp240633265.exe, tmp240633531.exe, tmp240635859.exe,
tmp240621812.exe, tmp240631125.exe, tmp240622296.exe, tmp240625359.exe, tmp240628250.exe, tmp240622093.exe, tmp240628406.exe, tmp240632015.exe,
tmp240632781.exe, tmp240636578.exe, tmp240637000.exe, tmp240625046.exe, tmp240629515.exe, tmp240625687.exe, tmp240627328.exe, tmp240629656.exe,
tmp240632234.exe, tmp240635187.exe, tmp240635484.exe, tmp240636140.exe, tmp240621250.exe, tmp240624937.exe, tmp240625234.exe, tmp240625468.exe,
tmp240626250.exe, tmp240628828.exe, tmp240629234.exe, tmp240630359.exe, tmp240635046.exe, tmp240636281.exe, tmp240634593.exe, tmp240621390.exe,
tmp240621671.exe, tmp240622390.exe, tmp240622921.exe, tmp240623531.exe, tmp240623640.exe, tmp240620750.exe, tmp240623140.exe, tmp240628546.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\da5815229e3549e953f618290ffc6101_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\da5815229e3549e953f618290ffc6101_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Users\Admin\AppData\Local\Temp\tmp240619906.exeC:\Users\Admin\AppData\Local\Temp\tmp240619906.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Users\Admin\AppData\Local\Temp\tmp240620390.exeC:\Users\Admin\AppData\Local\Temp\tmp240620390.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\tmp240620593.exeC:\Users\Admin\AppData\Local\Temp\tmp240620593.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\tmp240620750.exeC:\Users\Admin\AppData\Local\Temp\tmp240620750.exe8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Users\Admin\AppData\Local\Temp\tmp240620906.exeC:\Users\Admin\AppData\Local\Temp\tmp240620906.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\tmp240621062.exeC:\Users\Admin\AppData\Local\Temp\tmp240621062.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"13⤵
- Executes dropped EXE
PID:1020 -
C:\Users\Admin\AppData\Local\Temp\tmp240621250.exeC:\Users\Admin\AppData\Local\Temp\tmp240621250.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4312 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"15⤵
- Executes dropped EXE
PID:4416 -
C:\Users\Admin\AppData\Local\Temp\tmp240621390.exeC:\Users\Admin\AppData\Local\Temp\tmp240621390.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"17⤵
- Executes dropped EXE
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\tmp240621562.exeC:\Users\Admin\AppData\Local\Temp\tmp240621562.exe18⤵
- Checks computer location settings
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"19⤵
- Executes dropped EXE
PID:1116 -
C:\Users\Admin\AppData\Local\Temp\tmp240621671.exeC:\Users\Admin\AppData\Local\Temp\tmp240621671.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"21⤵
- Executes dropped EXE
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\tmp240621812.exeC:\Users\Admin\AppData\Local\Temp\tmp240621812.exe22⤵
- Executes dropped EXE
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"23⤵
- Executes dropped EXE
PID:5100 -
C:\Users\Admin\AppData\Local\Temp\tmp240621906.exeC:\Users\Admin\AppData\Local\Temp\tmp240621906.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4232 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Users\Admin\AppData\Local\Temp\tmp240622000.exeC:\Users\Admin\AppData\Local\Temp\tmp240622000.exe26⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4744 -
C:\Users\Admin\AppData\Local\Temp\tmp240622093.exeC:\Users\Admin\AppData\Local\Temp\tmp240622093.exe28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"29⤵
- Executes dropped EXE
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\tmp240622203.exeC:\Users\Admin\AppData\Local\Temp\tmp240622203.exe30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:428 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"31⤵
- Executes dropped EXE
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\tmp240622296.exeC:\Users\Admin\AppData\Local\Temp\tmp240622296.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"33⤵
- Executes dropped EXE
PID:1104 -
C:\Users\Admin\AppData\Local\Temp\tmp240622390.exeC:\Users\Admin\AppData\Local\Temp\tmp240622390.exe34⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4184 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\tmp240622484.exeC:\Users\Admin\AppData\Local\Temp\tmp240622484.exe36⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"37⤵
- Executes dropped EXE
PID:1636 -
C:\Users\Admin\AppData\Local\Temp\tmp240622593.exeC:\Users\Admin\AppData\Local\Temp\tmp240622593.exe38⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1388 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"39⤵
- Executes dropped EXE
PID:2008 -
C:\Users\Admin\AppData\Local\Temp\tmp240622703.exeC:\Users\Admin\AppData\Local\Temp\tmp240622703.exe40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4416 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"41⤵
- Executes dropped EXE
PID:3896 -
C:\Users\Admin\AppData\Local\Temp\tmp240622812.exeC:\Users\Admin\AppData\Local\Temp\tmp240622812.exe42⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3656 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"43⤵
- System Location Discovery: System Language Discovery
PID:3508 -
C:\Users\Admin\AppData\Local\Temp\tmp240622921.exeC:\Users\Admin\AppData\Local\Temp\tmp240622921.exe44⤵
- Checks computer location settings
- Modifies registry class
PID:116 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"45⤵PID:896
-
C:\Users\Admin\AppData\Local\Temp\tmp240623031.exeC:\Users\Admin\AppData\Local\Temp\tmp240623031.exe46⤵
- Checks computer location settings
PID:1848 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"47⤵PID:1920
-
C:\Users\Admin\AppData\Local\Temp\tmp240623140.exeC:\Users\Admin\AppData\Local\Temp\tmp240623140.exe48⤵
- Checks computer location settings
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"49⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\tmp240623234.exeC:\Users\Admin\AppData\Local\Temp\tmp240623234.exe50⤵
- Checks computer location settings
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"51⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\tmp240623343.exeC:\Users\Admin\AppData\Local\Temp\tmp240623343.exe52⤵
- Modifies registry class
PID:1124 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"53⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\tmp240623437.exeC:\Users\Admin\AppData\Local\Temp\tmp240623437.exe54⤵
- Drops file in System32 directory
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"55⤵PID:428
-
C:\Users\Admin\AppData\Local\Temp\tmp240623531.exeC:\Users\Admin\AppData\Local\Temp\tmp240623531.exe56⤵
- Modifies registry class
PID:4632 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"57⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\tmp240623640.exeC:\Users\Admin\AppData\Local\Temp\tmp240623640.exe58⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:748 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"59⤵PID:4184
-
C:\Users\Admin\AppData\Local\Temp\tmp240623750.exeC:\Users\Admin\AppData\Local\Temp\tmp240623750.exe60⤵PID:1376
-
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"61⤵PID:5084
-
C:\Users\Admin\AppData\Local\Temp\tmp240623890.exeC:\Users\Admin\AppData\Local\Temp\tmp240623890.exe62⤵PID:5112
-
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"63⤵PID:720
-
C:\Users\Admin\AppData\Local\Temp\tmp240624046.exeC:\Users\Admin\AppData\Local\Temp\tmp240624046.exe64⤵
- Checks computer location settings
PID:4004 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"65⤵PID:452
-
C:\Users\Admin\AppData\Local\Temp\tmp240624156.exeC:\Users\Admin\AppData\Local\Temp\tmp240624156.exe66⤵
- Checks computer location settings
PID:1444 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"67⤵PID:3296
-
C:\Users\Admin\AppData\Local\Temp\tmp240624296.exeC:\Users\Admin\AppData\Local\Temp\tmp240624296.exe68⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1216 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"69⤵PID:3592
-
C:\Users\Admin\AppData\Local\Temp\tmp240624390.exeC:\Users\Admin\AppData\Local\Temp\tmp240624390.exe70⤵
- Checks computer location settings
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"71⤵PID:1372
-
C:\Users\Admin\AppData\Local\Temp\tmp240624484.exeC:\Users\Admin\AppData\Local\Temp\tmp240624484.exe72⤵PID:4992
-
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"73⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\tmp240624593.exeC:\Users\Admin\AppData\Local\Temp\tmp240624593.exe74⤵
- Checks computer location settings
PID:4432 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"75⤵PID:464
-
C:\Users\Admin\AppData\Local\Temp\tmp240624671.exeC:\Users\Admin\AppData\Local\Temp\tmp240624671.exe76⤵PID:3080
-
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"77⤵PID:3732
-
C:\Users\Admin\AppData\Local\Temp\tmp240624781.exeC:\Users\Admin\AppData\Local\Temp\tmp240624781.exe78⤵PID:2324
-
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"79⤵PID:3928
-
C:\Users\Admin\AppData\Local\Temp\tmp240624937.exeC:\Users\Admin\AppData\Local\Temp\tmp240624937.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"81⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\tmp240625046.exeC:\Users\Admin\AppData\Local\Temp\tmp240625046.exe82⤵
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"83⤵PID:3240
-
C:\Users\Admin\AppData\Local\Temp\tmp240625140.exeC:\Users\Admin\AppData\Local\Temp\tmp240625140.exe84⤵PID:2492
-
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"85⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\tmp240625234.exeC:\Users\Admin\AppData\Local\Temp\tmp240625234.exe86⤵
- Checks computer location settings
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"87⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\tmp240625359.exeC:\Users\Admin\AppData\Local\Temp\tmp240625359.exe88⤵
- Checks computer location settings
- Modifies registry class
PID:4004 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"89⤵PID:1112
-
C:\Users\Admin\AppData\Local\Temp\tmp240625468.exeC:\Users\Admin\AppData\Local\Temp\tmp240625468.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:220 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"91⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\tmp240625578.exeC:\Users\Admin\AppData\Local\Temp\tmp240625578.exe92⤵PID:1280
-
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"93⤵PID:1832
-
C:\Users\Admin\AppData\Local\Temp\tmp240625687.exeC:\Users\Admin\AppData\Local\Temp\tmp240625687.exe94⤵
- Checks computer location settings
- Modifies registry class
PID:5060 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"95⤵PID:1480
-
C:\Users\Admin\AppData\Local\Temp\tmp240625859.exeC:\Users\Admin\AppData\Local\Temp\tmp240625859.exe96⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4432 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"97⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\tmp240625984.exeC:\Users\Admin\AppData\Local\Temp\tmp240625984.exe98⤵
- Checks computer location settings
- Drops file in System32 directory
PID:464 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"99⤵PID:428
-
C:\Users\Admin\AppData\Local\Temp\tmp240626093.exeC:\Users\Admin\AppData\Local\Temp\tmp240626093.exe100⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"101⤵PID:936
-
C:\Users\Admin\AppData\Local\Temp\tmp240626250.exeC:\Users\Admin\AppData\Local\Temp\tmp240626250.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"103⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\tmp240626375.exeC:\Users\Admin\AppData\Local\Temp\tmp240626375.exe104⤵PID:1760
-
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"105⤵PID:4344
-
C:\Users\Admin\AppData\Local\Temp\tmp240626546.exeC:\Users\Admin\AppData\Local\Temp\tmp240626546.exe106⤵
- Modifies registry class
PID:3440 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"107⤵PID:1564
-
C:\Users\Admin\AppData\Local\Temp\tmp240626671.exeC:\Users\Admin\AppData\Local\Temp\tmp240626671.exe108⤵
- Drops file in System32 directory
PID:4588 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"109⤵PID:2936
-
C:\Users\Admin\AppData\Local\Temp\tmp240626859.exeC:\Users\Admin\AppData\Local\Temp\tmp240626859.exe110⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:436 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"111⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\tmp240627015.exeC:\Users\Admin\AppData\Local\Temp\tmp240627015.exe112⤵PID:2560
-
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"113⤵PID:2616
-
C:\Users\Admin\AppData\Local\Temp\tmp240627187.exeC:\Users\Admin\AppData\Local\Temp\tmp240627187.exe114⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3540 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"115⤵PID:3112
-
C:\Users\Admin\AppData\Local\Temp\tmp240627328.exeC:\Users\Admin\AppData\Local\Temp\tmp240627328.exe116⤵
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"117⤵PID:5112
-
C:\Users\Admin\AppData\Local\Temp\tmp240627453.exeC:\Users\Admin\AppData\Local\Temp\tmp240627453.exe118⤵PID:2424
-
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"119⤵
- System Location Discovery: System Language Discovery
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\tmp240627578.exeC:\Users\Admin\AppData\Local\Temp\tmp240627578.exe120⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3408 -
C:\Windows\SysWOW64\notpad.exe"C:\Windows\system32\notpad.exe"121⤵PID:3576
-
C:\Users\Admin\AppData\Local\Temp\tmp240627750.exeC:\Users\Admin\AppData\Local\Temp\tmp240627750.exe122⤵
- Drops file in System32 directory
PID:3192