Analysis

max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 23-06-2024 00:42

Static task: static1

Behavioral task: behavioral1
  Sample: 049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: 049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
  Resource: win10v2004-20240611-en

General

Target: 049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
Size: 224KB
MD5: 049d13b6c7c9eab93bd7885d48fe9b92
SHA1: c90da2ea142cf336762fd1c9be1650243356407d
SHA256: 4278f3fa1b91eda56a94cc9db2819d712aa72e7cf2d95ff1de01c228467b86e0
SHA512: 9d959f01e955b8716a2bbfb0818ca9f6f096d84e9800df8ef2748193746be019ef227446fc2b8fdb0818bee34d38ecde024fc7c0a51bfc2e945b66a874cca817
SSDEEP: 3072:nkMlKjJZsePl2xDrKKAMY+9f4w3fwCzlfTi17vjdHCVGg1a15AjeOfX:k+ckdEKAMT4GdzlfOjEgka1OSK
Malware Config

Extracted: metasploit
  encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself (1 IoC)
pid   process
2760  taskmn32.exe
Executes dropped EXE (64 IoCs)
pid   process
1648  taskmn32.exe
2760  taskmn32.exe
2500  taskmn32.exe
2580  taskmn32.exe
2592  taskmn32.exe
2824  taskmn32.exe
1804  taskmn32.exe
1652  taskmn32.exe
2488  taskmn32.exe
2428  taskmn32.exe
2080  taskmn32.exe
2888  taskmn32.exe
284   taskmn32.exe
1484  taskmn32.exe
1132  taskmn32.exe
2312  taskmn32.exe
1096  taskmn32.exe
1052  taskmn32.exe
1552  taskmn32.exe
1748  taskmn32.exe
1996  taskmn32.exe
2684  taskmn32.exe
2808  taskmn32.exe
3040  taskmn32.exe
2640  taskmn32.exe
2676  taskmn32.exe
3000  taskmn32.exe
352   taskmn32.exe
2604  taskmn32.exe
2844  taskmn32.exe
1608  taskmn32.exe
1784  taskmn32.exe
3004  taskmn32.exe
2560  taskmn32.exe
1980  taskmn32.exe
2872  taskmn32.exe
1700  taskmn32.exe
576   taskmn32.exe
1824  taskmn32.exe
2472  taskmn32.exe
1968  taskmn32.exe
1548  taskmn32.exe
632   taskmn32.exe
1660  taskmn32.exe
356   taskmn32.exe
1124  taskmn32.exe
2836  taskmn32.exe
972   taskmn32.exe
2860  taskmn32.exe
2052  taskmn32.exe
2524  taskmn32.exe
2752  taskmn32.exe
2364  taskmn32.exe
344   taskmn32.exe
3028  taskmn32.exe
2892  taskmn32.exe
2972  taskmn32.exe
1236  taskmn32.exe
2636  taskmn32.exe
1712  taskmn32.exe
1448  taskmn32.exe
1528  taskmn32.exe
2280  taskmn32.exe
2944  taskmn32.exe
Loads dropped DLL (64 IoCs)
pid   process
1740  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
1740  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
1648  taskmn32.exe
1648  taskmn32.exe
2760  taskmn32.exe
2760  taskmn32.exe
2500  taskmn32.exe
2500  taskmn32.exe
2580  taskmn32.exe
2580  taskmn32.exe
2592  taskmn32.exe
2592  taskmn32.exe
2824  taskmn32.exe
2824  taskmn32.exe
1804  taskmn32.exe
1804  taskmn32.exe
1652  taskmn32.exe
1652  taskmn32.exe
2488  taskmn32.exe
2488  taskmn32.exe
2428  taskmn32.exe
2428  taskmn32.exe
2080  taskmn32.exe
2080  taskmn32.exe
2888  taskmn32.exe
2888  taskmn32.exe
284   taskmn32.exe
284   taskmn32.exe
1484  taskmn32.exe
1484  taskmn32.exe
1132  taskmn32.exe
1132  taskmn32.exe
2312  taskmn32.exe
2312  taskmn32.exe
1096  taskmn32.exe
1096  taskmn32.exe
1052  taskmn32.exe
1052  taskmn32.exe
1552  taskmn32.exe
1552  taskmn32.exe
1748  taskmn32.exe
1748  taskmn32.exe
1996  taskmn32.exe
1996  taskmn32.exe
2684  taskmn32.exe
2684  taskmn32.exe
2808  taskmn32.exe
2808  taskmn32.exe
3040  taskmn32.exe
3040  taskmn32.exe
2640  taskmn32.exe
2640  taskmn32.exe
2676  taskmn32.exe
2676  taskmn32.exe
3000  taskmn32.exe
3000  taskmn32.exe
352   taskmn32.exe
352   taskmn32.exe
2604  taskmn32.exe
2604  taskmn32.exe
2844  taskmn32.exe
2844  taskmn32.exe
1608  taskmn32.exe
1608  taskmn32.exe
resource                                                                    yara_rule
behavioral1/memory/1740-3-0x0000000000400000-0x0000000000467000-memory.dmp    upx
behavioral1/memory/1740-4-0x0000000000400000-0x0000000000467000-memory.dmp    upx
behavioral1/memory/1740-7-0x0000000000400000-0x0000000000467000-memory.dmp    upx
behavioral1/memory/1740-2-0x0000000000400000-0x0000000000467000-memory.dmp    upx
behavioral1/memory/1740-8-0x0000000000400000-0x0000000000467000-memory.dmp    upx
behavioral1/memory/1740-9-0x0000000000400000-0x0000000000467000-memory.dmp    upx
behavioral1/memory/1740-22-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/2760-34-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/2760-36-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/2760-35-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/2760-42-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/2580-54-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/2580-59-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/2824-72-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/2824-79-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/1652-91-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/1652-98-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/2428-110-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2428-111-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2428-117-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2888-129-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2888-137-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/1484-149-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/1484-156-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2312-174-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/1052-186-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/1052-194-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/1748-203-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/1748-207-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2684-216-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2684-220-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/3040-229-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/3040-233-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2676-242-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2676-246-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/352-255-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/352-259-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/2844-268-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2844-272-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/1784-282-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/1784-285-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2560-294-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2560-298-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2872-307-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2872-311-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/576-320-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/576-324-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/2472-333-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2472-337-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/1548-346-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/1548-350-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/1660-359-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/1660-363-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/1124-372-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/1124-376-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/972-385-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/972-389-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/2052-399-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2052-402-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2752-411-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/2752-415-0x0000000000400000-0x0000000000467000-memory.dmp  upx
behavioral1/memory/344-424-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/344-428-0x0000000000400000-0x0000000000467000-memory.dmp   upx
behavioral1/memory/2892-437-0x0000000000400000-0x0000000000467000-memory.dmp  upx
Maps connected drives based on registry (3 TTPs, 64 IoCs)
Disk information is often read in order to detect sandboxing environments.
description        ioc                                                       process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  taskmn32.exe
Drops file in System32 directory (64 IoCs)
description                   ioc                               process
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File created                  C:\Windows\SysWOW64\taskmn32.exe  taskmn32.exe
File opened for modification  C:\Windows\SysWOW64\              taskmn32.exe
Suspicious use of SetThreadContext (36 IoCs)
description                          pid   process                                             target process
PID 1284 set thread context of 1740  1284  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
PID 1648 set thread context of 2760  1648  taskmn32.exe  taskmn32.exe
PID 2500 set thread context of 2580  2500  taskmn32.exe  taskmn32.exe
PID 2592 set thread context of 2824  2592  taskmn32.exe  taskmn32.exe
PID 1804 set thread context of 1652  1804  taskmn32.exe  taskmn32.exe
PID 2488 set thread context of 2428  2488  taskmn32.exe  taskmn32.exe
PID 2080 set thread context of 2888  2080  taskmn32.exe  taskmn32.exe
PID 284 set thread context of 1484   284   taskmn32.exe  taskmn32.exe
PID 1132 set thread context of 2312  1132  taskmn32.exe  taskmn32.exe
PID 1096 set thread context of 1052  1096  taskmn32.exe  taskmn32.exe
PID 1552 set thread context of 1748  1552  taskmn32.exe  taskmn32.exe
PID 1996 set thread context of 2684  1996  taskmn32.exe  taskmn32.exe
PID 2808 set thread context of 3040  2808  taskmn32.exe  taskmn32.exe
PID 2640 set thread context of 2676  2640  taskmn32.exe  taskmn32.exe
PID 3000 set thread context of 352   3000  taskmn32.exe  taskmn32.exe
PID 2604 set thread context of 2844  2604  taskmn32.exe  taskmn32.exe
PID 1608 set thread context of 1784  1608  taskmn32.exe  taskmn32.exe
PID 3004 set thread context of 2560  3004  taskmn32.exe  taskmn32.exe
PID 1980 set thread context of 2872  1980  taskmn32.exe  taskmn32.exe
PID 1700 set thread context of 576   1700  taskmn32.exe  taskmn32.exe
PID 1824 set thread context of 2472  1824  taskmn32.exe  taskmn32.exe
PID 1968 set thread context of 1548  1968  taskmn32.exe  taskmn32.exe
PID 632 set thread context of 1660   632   taskmn32.exe  taskmn32.exe
PID 356 set thread context of 1124   356   taskmn32.exe  taskmn32.exe
PID 2836 set thread context of 972   2836  taskmn32.exe  taskmn32.exe
PID 2860 set thread context of 2052  2860  taskmn32.exe  taskmn32.exe
PID 2524 set thread context of 2752  2524  taskmn32.exe  taskmn32.exe
PID 2364 set thread context of 344   2364  taskmn32.exe  taskmn32.exe
PID 3028 set thread context of 2892  3028  taskmn32.exe  taskmn32.exe
PID 2972 set thread context of 1236  2972  taskmn32.exe  taskmn32.exe
PID 2636 set thread context of 1712  2636  taskmn32.exe  taskmn32.exe
PID 1448 set thread context of 1528  1448  taskmn32.exe  taskmn32.exe
PID 2280 set thread context of 2944  2280  taskmn32.exe  taskmn32.exe
PID 1028 set thread context of 284   1028  taskmn32.exe  taskmn32.exe
PID 1488 set thread context of 1572  1488  taskmn32.exe  taskmn32.exe
PID 660 set thread context of 1304   660   taskmn32.exe  taskmn32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   process
1740  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
1740  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
2760  taskmn32.exe
2760  taskmn32.exe
2580  taskmn32.exe
2580  taskmn32.exe
2824  taskmn32.exe
2824  taskmn32.exe
1652  taskmn32.exe
1652  taskmn32.exe
2428  taskmn32.exe
2428  taskmn32.exe
2888  taskmn32.exe
2888  taskmn32.exe
1484  taskmn32.exe
1484  taskmn32.exe
2312  taskmn32.exe
2312  taskmn32.exe
1052  taskmn32.exe
1052  taskmn32.exe
1748  taskmn32.exe
1748  taskmn32.exe
2684  taskmn32.exe
2684  taskmn32.exe
3040  taskmn32.exe
3040  taskmn32.exe
2676  taskmn32.exe
2676  taskmn32.exe
352   taskmn32.exe
352   taskmn32.exe
2844  taskmn32.exe
2844  taskmn32.exe
1784  taskmn32.exe
1784  taskmn32.exe
2560  taskmn32.exe
2560  taskmn32.exe
2872  taskmn32.exe
2872  taskmn32.exe
576   taskmn32.exe
576   taskmn32.exe
2472  taskmn32.exe
2472  taskmn32.exe
1548  taskmn32.exe
1548  taskmn32.exe
1660  taskmn32.exe
1660  taskmn32.exe
1124  taskmn32.exe
1124  taskmn32.exe
972   taskmn32.exe
972   taskmn32.exe
2052  taskmn32.exe
2052  taskmn32.exe
2752  taskmn32.exe
2752  taskmn32.exe
344   taskmn32.exe
344   taskmn32.exe
2892  taskmn32.exe
2892  taskmn32.exe
1236  taskmn32.exe
1236  taskmn32.exe
1712  taskmn32.exe
1712  taskmn32.exe
1528  taskmn32.exe
1528  taskmn32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   process                                             target process
PID 1284 wrote to memory of 1740  1284  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
PID 1284 wrote to memory of 1740  1284  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
PID 1284 wrote to memory of 1740  1284  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
PID 1284 wrote to memory of 1740  1284  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
PID 1284 wrote to memory of 1740  1284  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
PID 1284 wrote to memory of 1740  1284  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
PID 1284 wrote to memory of 1740  1284  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe
PID 1740 wrote to memory of 1648  1740  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe  taskmn32.exe
PID 1740 wrote to memory of 1648  1740  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe  taskmn32.exe
PID 1740 wrote to memory of 1648  1740  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe  taskmn32.exe
PID 1740 wrote to memory of 1648  1740  049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe  taskmn32.exe
PID 1648 wrote to memory of 2760  1648  taskmn32.exe  taskmn32.exe
PID 1648 wrote to memory of 2760  1648  taskmn32.exe  taskmn32.exe
PID 1648 wrote to memory of 2760  1648  taskmn32.exe  taskmn32.exe
PID 1648 wrote to memory of 2760  1648  taskmn32.exe  taskmn32.exe
PID 1648 wrote to memory of 2760  1648  taskmn32.exe  taskmn32.exe
PID 1648 wrote to memory of 2760  1648  taskmn32.exe  taskmn32.exe
PID 1648 wrote to memory of 2760  1648  taskmn32.exe  taskmn32.exe
PID 2760 wrote to memory of 2500  2760  taskmn32.exe  taskmn32.exe
PID 2760 wrote to memory of 2500  2760  taskmn32.exe  taskmn32.exe
PID 2760 wrote to memory of 2500  2760  taskmn32.exe  taskmn32.exe
PID 2760 wrote to memory of 2500  2760  taskmn32.exe  taskmn32.exe
PID 2500 wrote to memory of 2580  2500  taskmn32.exe  taskmn32.exe
PID 2500 wrote to memory of 2580  2500  taskmn32.exe  taskmn32.exe
PID 2500 wrote to memory of 2580  2500  taskmn32.exe  taskmn32.exe
PID 2500 wrote to memory of 2580  2500  taskmn32.exe  taskmn32.exe
PID 2500 wrote to memory of 2580  2500  taskmn32.exe  taskmn32.exe
PID 2500 wrote to memory of 2580  2500  taskmn32.exe  taskmn32.exe
PID 2500 wrote to memory of 2580  2500  taskmn32.exe  taskmn32.exe
PID 2580 wrote to memory of 2592  2580  taskmn32.exe  taskmn32.exe
PID 2580 wrote to memory of 2592  2580  taskmn32.exe  taskmn32.exe
PID 2580 wrote to memory of 2592  2580  taskmn32.exe  taskmn32.exe
PID 2580 wrote to memory of 2592  2580  taskmn32.exe  taskmn32.exe
PID 2592 wrote to memory of 2824  2592  taskmn32.exe  taskmn32.exe
PID 2592 wrote to memory of 2824  2592  taskmn32.exe  taskmn32.exe
PID 2592 wrote to memory of 2824  2592  taskmn32.exe  taskmn32.exe
PID 2592 wrote to memory of 2824  2592  taskmn32.exe  taskmn32.exe
PID 2592 wrote to memory of 2824  2592  taskmn32.exe  taskmn32.exe
PID 2592 wrote to memory of 2824  2592  taskmn32.exe  taskmn32.exe
PID 2592 wrote to memory of 2824  2592  taskmn32.exe  taskmn32.exe
PID 2824 wrote to memory of 1804  2824  taskmn32.exe  taskmn32.exe
PID 2824 wrote to memory of 1804  2824  taskmn32.exe  taskmn32.exe
PID 2824 wrote to memory of 1804  2824  taskmn32.exe  taskmn32.exe
PID 2824 wrote to memory of 1804  2824  taskmn32.exe  taskmn32.exe
PID 1804 wrote to memory of 1652  1804  taskmn32.exe  taskmn32.exe
PID 1804 wrote to memory of 1652  1804  taskmn32.exe  taskmn32.exe
PID 1804 wrote to memory of 1652  1804  taskmn32.exe  taskmn32.exe
PID 1804 wrote to memory of 1652  1804  taskmn32.exe  taskmn32.exe
PID 1804 wrote to memory of 1652  1804  taskmn32.exe  taskmn32.exe
PID 1804 wrote to memory of 1652  1804  taskmn32.exe  taskmn32.exe
PID 1804 wrote to memory of 1652  1804  taskmn32.exe  taskmn32.exe
PID 1652 wrote to memory of 2488  1652  taskmn32.exe  taskmn32.exe
PID 1652 wrote to memory of 2488  1652  taskmn32.exe  taskmn32.exe
PID 1652 wrote to memory of 2488  1652  taskmn32.exe  taskmn32.exe
PID 1652 wrote to memory of 2488  1652  taskmn32.exe  taskmn32.exe
PID 2488 wrote to memory of 2428  2488  taskmn32.exe  taskmn32.exe
PID 2488 wrote to memory of 2428  2488  taskmn32.exe  taskmn32.exe
PID 2488 wrote to memory of 2428  2488  taskmn32.exe  taskmn32.exe
PID 2488 wrote to memory of 2428  2488  taskmn32.exe  taskmn32.exe
PID 2488 wrote to memory of 2428  2488  taskmn32.exe  taskmn32.exe
PID 2488 wrote to memory of 2428  2488  taskmn32.exe  taskmn32.exe
PID 2488 wrote to memory of 2428  2488  taskmn32.exe  taskmn32.exe
PID 2428 wrote to memory of 2080  2428  taskmn32.exe  taskmn32.exe
PID 2428 wrote to memory of 2080  2428  taskmn32.exe  taskmn32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe" | depth 1
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\049d13b6c7c9eab93bd7885d48fe9b92_JaffaCakes118.exe" | depth 2
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Users\Admin\AppData\Local\Temp\049D13~1.EXE | depth 3
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Users\Admin\AppData\Local\Temp\049D13~1.EXE | depth 4
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 5
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 6
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 7
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 8
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 9
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 10
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 11
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 12
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 13
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2080 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 14
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2888 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 15
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:284 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 16
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1484 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 17
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1132 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 18
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2312 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 19
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1096 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 20
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1052 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 21
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1552 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 22
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1748 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 23
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1996 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 24
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2684 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 25
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2808 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 26
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3040 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 27
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2640 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 28
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2676 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 29
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:3000 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 30
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:352 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 31
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2604 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 32
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2844 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 33
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1608 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 34
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1784 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 35
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3004 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 36
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2560 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 37
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1980 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 38
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2872 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 39
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1700 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 40
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:576 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 41
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1824 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 42
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2472 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 43
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1968 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 44
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1548 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 45
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:632 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 46
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1660 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 47
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:356 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 48
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1124 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 49
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2836 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 50
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:972 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 51
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2860 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 52
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2052 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 53
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2524 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 54
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2752 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 55
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2364 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 56
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:344 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 57
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3028 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 58
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2892 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 59
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2972 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 60
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1236 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 61
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2636 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 62
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1712 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 63
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1448 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 64
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1528 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 65
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2280 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 66
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 67
- Suspicious use of SetThreadContext
PID:1028 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 68
- Maps connected drives based on registry
- Drops file in System32 directory
PID:284 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 69
- Suspicious use of SetThreadContext
PID:1488 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 70
- Maps connected drives based on registry
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 71
- Suspicious use of SetThreadContext
PID:660 -
C:\Windows\SysWOW64\taskmn32.exe | "C:\Windows\system32\taskmn32.exe" C:\Windows\SysWOW64\taskmn32.exe | depth 72
- Maps connected drives based on registry
PID:1304
Network
MITRE ATT&CK Enterprise v15
Downloads
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize 224KB
MD5 049d13b6c7c9eab93bd7885d48fe9b92
SHA1 c90da2ea142cf336762fd1c9be1650243356407d
SHA256 4278f3fa1b91eda56a94cc9db2819d712aa72e7cf2d95ff1de01c228467b86e0
SHA512 9d959f01e955b8716a2bbfb0818ca9f6f096d84e9800df8ef2748193746be019ef227446fc2b8fdb0818bee34d38ecde024fc7c0a51bfc2e945b66a874cca817