Malware Analysis Report

2025-01-18 01:25

Sample ID 240613-ka6ctsvdjr
Target a49e24978c3933b375acd7a4a7c71797_JaffaCakes118
SHA256 82f081c80544c15d8b5a34e73a670c96e5522b160f30c48fcdb610403bb2a19c
Tags
Score 7/10

Analysis Overview

Score: 7/10

SHA256: 82f081c80544c15d8b5a34e73a670c96e5522b160f30c48fcdb610403bb2a19c

Threat Level: Shows suspicious behavior

The file a49e24978c3933b375acd7a4a7c71797_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary


Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 08:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 08:24

Reported

2024-06-13 08:27

Platform

win7-20240508-en

Max time kernel

137s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe N/A
File opened for modification C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe N/A
File created C:\Windows\SysWOW64\taskmgnr.exe C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\taskmgnr.exe C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 2844 wrote to memory of 2864 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 2864 wrote to memory of 2496 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 2496 wrote to memory of 1800 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 1800 wrote to memory of 2840 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 2840 wrote to memory of 1324 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 1324 wrote to memory of 1040 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 1040 wrote to memory of 1060 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 1060 wrote to memory of 2508 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 2508 wrote to memory of 1936 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 476 "C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 528 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 536 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 544 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 532 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 540 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 552 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 556 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 548 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 560 "C:\Windows\SysWOW64\taskmgnr.exe"

Network

N/A

Files

\Windows\SysWOW64\taskmgnr.exe

MD5 a49e24978c3933b375acd7a4a7c71797
SHA1 013f116fc1490ef6e8cc91cf9c9076bedd44942b
SHA256 82f081c80544c15d8b5a34e73a670c96e5522b160f30c48fcdb610403bb2a19c
SHA512 9e68be5af3740c23b8417c0e12aca67cb755b3c618b97064e0351e75fcaef73bbb8db204943504c6ca005b99f57d05d702020bb2045a62e59a92734f2bc74142

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 08:24

Reported

2024-06-13 08:27

Platform

win10v2004-20240611-en

Max time kernel

137s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe N/A
File created C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe N/A
File created C:\Windows\SysWOW64\taskmgnr.exe C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\taskmgnr.exe C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5092 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 1400 wrote to memory of 1956 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 1956 wrote to memory of 2348 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 2348 wrote to memory of 4628 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 4628 wrote to memory of 3852 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 3852 wrote to memory of 1676 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 1676 wrote to memory of 3260 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 3260 wrote to memory of 2368 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 2368 wrote to memory of 1200 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe
PID 1200 wrote to memory of 1228 N/A C:\Windows\SysWOW64\taskmgnr.exe C:\Windows\SysWOW64\taskmgnr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 1032 "C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 1152 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 1124 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 1128 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 1140 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 1132 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 1116 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 1148 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 1156 "C:\Windows\SysWOW64\taskmgnr.exe"

C:\Windows\SysWOW64\taskmgnr.exe

C:\Windows\system32\taskmgnr.exe 1160 "C:\Windows\SysWOW64\taskmgnr.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.137:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 137.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\taskmgnr.exe

MD5 a49e24978c3933b375acd7a4a7c71797
SHA1 013f116fc1490ef6e8cc91cf9c9076bedd44942b
SHA256 82f081c80544c15d8b5a34e73a670c96e5522b160f30c48fcdb610403bb2a19c
SHA512 9e68be5af3740c23b8417c0e12aca67cb755b3c618b97064e0351e75fcaef73bbb8db204943504c6ca005b99f57d05d702020bb2045a62e59a92734f2bc74142