178d720302052767792c9fa6d2569446ea281bc5964c7c155c424ae894124da9

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 07:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe
Size

68KB
MD5

aa0c14da4234e2c9de3fc310da75bddb
SHA1

234beef45a1ccf0814e3229fe08c0e852ba0daa0
SHA256

178d720302052767792c9fa6d2569446ea281bc5964c7c155c424ae894124da9
SHA512

fc395346782bb4f302f91b8049a4494fe884b40da380b31240c80faf999e24e784fa2f510da942e61f56c74f7dd78641903840a6d114240e194d3d531d930588
SSDEEP

1536:dGBvb9fwEB4RHKZQTjXJgMglhY9wdTjJiMnToIfMIOOoVJ2naIa:oBvZflyHKZEJgMOY9wdTYgTBfCOo

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 64 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe

Deletes itself 1 IoCs

pid	Process
1760	taskmgn.exe

Executes dropped EXE 64 IoCs

pid	Process
1760	taskmgn.exe
2148	taskmgn.exe
2820	taskmgn.exe
2308	taskmgn.exe
2772	taskmgn.exe
2832	taskmgn.exe
2860	taskmgn.exe
2636	taskmgn.exe
2744	taskmgn.exe
2888	taskmgn.exe
2968	taskmgn.exe
2796	taskmgn.exe
2628	taskmgn.exe
2660	taskmgn.exe
1228	taskmgn.exe
836	taskmgn.exe
2612	taskmgn.exe
552	taskmgn.exe
2912	taskmgn.exe
1984	taskmgn.exe
1740	taskmgn.exe
2936	taskmgn.exe
2008	taskmgn.exe
2000	taskmgn.exe
2520	taskmgn.exe
2920	taskmgn.exe
764	taskmgn.exe
2940	taskmgn.exe
3064	taskmgn.exe
800	taskmgn.exe
1828	taskmgn.exe
1544	taskmgn.exe
1032	taskmgn.exe
828	taskmgn.exe
1752	taskmgn.exe
2372	taskmgn.exe
1528	taskmgn.exe
2380	taskmgn.exe
2416	taskmgn.exe
1536	taskmgn.exe
1248	taskmgn.exe
2284	taskmgn.exe
2264	taskmgn.exe
1632	taskmgn.exe
3024	taskmgn.exe
1680	taskmgn.exe
2724	taskmgn.exe
532	taskmgn.exe
680	taskmgn.exe
2600	taskmgn.exe
2180	taskmgn.exe
2312	taskmgn.exe
2532	taskmgn.exe
2444	taskmgn.exe
1944	taskmgn.exe
948	taskmgn.exe
2168	taskmgn.exe
1820	taskmgn.exe
1712	taskmgn.exe
1964	taskmgn.exe
428	taskmgn.exe
1308	taskmgn.exe
2116	taskmgn.exe
912	taskmgn.exe

Loads dropped DLL 64 IoCs

pid	Process
2552	aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe
2552	aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe
1760	taskmgn.exe
1760	taskmgn.exe
2148	taskmgn.exe
2148	taskmgn.exe
2820	taskmgn.exe
2820	taskmgn.exe
2308	taskmgn.exe
2308	taskmgn.exe
2772	taskmgn.exe
2772	taskmgn.exe
2832	taskmgn.exe
2832	taskmgn.exe
2860	taskmgn.exe
2860	taskmgn.exe
2636	taskmgn.exe
2636	taskmgn.exe
2744	taskmgn.exe
2744	taskmgn.exe
2888	taskmgn.exe
2888	taskmgn.exe
2968	taskmgn.exe
2968	taskmgn.exe
2796	taskmgn.exe
2796	taskmgn.exe
2628	taskmgn.exe
2628	taskmgn.exe
2660	taskmgn.exe
2660	taskmgn.exe
1228	taskmgn.exe
1228	taskmgn.exe
836	taskmgn.exe
836	taskmgn.exe
2612	taskmgn.exe
2612	taskmgn.exe
552	taskmgn.exe
552	taskmgn.exe
2912	taskmgn.exe
2912	taskmgn.exe
1984	taskmgn.exe
1984	taskmgn.exe
1740	taskmgn.exe
1740	taskmgn.exe
2936	taskmgn.exe
2936	taskmgn.exe
2008	taskmgn.exe
2008	taskmgn.exe
2000	taskmgn.exe
2000	taskmgn.exe
2520	taskmgn.exe
2520	taskmgn.exe
2920	taskmgn.exe
2920	taskmgn.exe
764	taskmgn.exe
764	taskmgn.exe
2940	taskmgn.exe
2940	taskmgn.exe
3064	taskmgn.exe
3064	taskmgn.exe
800	taskmgn.exe
800	taskmgn.exe
1828	taskmgn.exe
1828	taskmgn.exe

Windows security modification 2 TTPs 64 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	taskmgn.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Task Manager = "c:\\windows\\system32\\taskmgn.exe"	taskmgn.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\taskmgn.exe	aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\taskmgn.exe	aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2552	aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe
2552	aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe
1760	taskmgn.exe
2148	taskmgn.exe
2820	taskmgn.exe
2308	taskmgn.exe
2772	taskmgn.exe
2832	taskmgn.exe
2860	taskmgn.exe
2636	taskmgn.exe
2636	taskmgn.exe
2744	taskmgn.exe
2744	taskmgn.exe
2888	taskmgn.exe
2968	taskmgn.exe
2796	taskmgn.exe
2628	taskmgn.exe
2660	taskmgn.exe
1228	taskmgn.exe
836	taskmgn.exe
2612	taskmgn.exe
552	taskmgn.exe
2912	taskmgn.exe
1984	taskmgn.exe
1740	taskmgn.exe
2936	taskmgn.exe
2008	taskmgn.exe
2000	taskmgn.exe
2520	taskmgn.exe
2920	taskmgn.exe
764	taskmgn.exe
2940	taskmgn.exe
3064	taskmgn.exe
800	taskmgn.exe
1828	taskmgn.exe
1544	taskmgn.exe
1032	taskmgn.exe
828	taskmgn.exe
1752	taskmgn.exe
2372	taskmgn.exe
1528	taskmgn.exe
2380	taskmgn.exe
2416	taskmgn.exe
1536	taskmgn.exe
1248	taskmgn.exe
2284	taskmgn.exe
2264	taskmgn.exe
1632	taskmgn.exe
3024	taskmgn.exe
1680	taskmgn.exe
2724	taskmgn.exe
532	taskmgn.exe
680	taskmgn.exe
2600	taskmgn.exe
2180	taskmgn.exe
2312	taskmgn.exe
2532	taskmgn.exe
2444	taskmgn.exe
1944	taskmgn.exe
948	taskmgn.exe
2168	taskmgn.exe
1820	taskmgn.exe
1712	taskmgn.exe
1964	taskmgn.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe
Token: SeDebugPrivilege	1760	taskmgn.exe
Token: SeDebugPrivilege	2148	taskmgn.exe
Token: SeDebugPrivilege	2820	taskmgn.exe
Token: SeDebugPrivilege	2308	taskmgn.exe
Token: SeDebugPrivilege	2772	taskmgn.exe
Token: SeDebugPrivilege	2832	taskmgn.exe
Token: SeDebugPrivilege	2860	taskmgn.exe
Token: SeDebugPrivilege	2636	taskmgn.exe
Token: SeDebugPrivilege	2744	taskmgn.exe
Token: SeDebugPrivilege	2888	taskmgn.exe
Token: SeDebugPrivilege	2968	taskmgn.exe
Token: SeDebugPrivilege	2796	taskmgn.exe
Token: SeDebugPrivilege	2628	taskmgn.exe
Token: SeDebugPrivilege	2660	taskmgn.exe
Token: SeDebugPrivilege	1228	taskmgn.exe
Token: SeDebugPrivilege	836	taskmgn.exe
Token: SeDebugPrivilege	2612	taskmgn.exe
Token: SeDebugPrivilege	552	taskmgn.exe
Token: SeDebugPrivilege	2912	taskmgn.exe
Token: SeDebugPrivilege	1984	taskmgn.exe
Token: SeDebugPrivilege	1740	taskmgn.exe
Token: SeDebugPrivilege	2936	taskmgn.exe
Token: SeDebugPrivilege	2008	taskmgn.exe
Token: SeDebugPrivilege	2000	taskmgn.exe
Token: SeDebugPrivilege	2520	taskmgn.exe
Token: SeDebugPrivilege	2920	taskmgn.exe
Token: SeDebugPrivilege	764	taskmgn.exe
Token: SeDebugPrivilege	2940	taskmgn.exe
Token: SeDebugPrivilege	3064	taskmgn.exe
Token: SeDebugPrivilege	800	taskmgn.exe
Token: SeDebugPrivilege	1828	taskmgn.exe
Token: SeDebugPrivilege	1544	taskmgn.exe
Token: SeDebugPrivilege	1032	taskmgn.exe
Token: SeDebugPrivilege	828	taskmgn.exe
Token: SeDebugPrivilege	1752	taskmgn.exe
Token: SeDebugPrivilege	2372	taskmgn.exe
Token: SeDebugPrivilege	1528	taskmgn.exe
Token: SeDebugPrivilege	2380	taskmgn.exe
Token: SeDebugPrivilege	2416	taskmgn.exe
Token: SeDebugPrivilege	1536	taskmgn.exe
Token: SeDebugPrivilege	1248	taskmgn.exe
Token: SeDebugPrivilege	2284	taskmgn.exe
Token: SeDebugPrivilege	2264	taskmgn.exe
Token: SeDebugPrivilege	1632	taskmgn.exe
Token: SeDebugPrivilege	3024	taskmgn.exe
Token: SeDebugPrivilege	1680	taskmgn.exe
Token: SeDebugPrivilege	2724	taskmgn.exe
Token: SeDebugPrivilege	532	taskmgn.exe
Token: SeDebugPrivilege	680	taskmgn.exe
Token: SeDebugPrivilege	2600	taskmgn.exe
Token: SeDebugPrivilege	2180	taskmgn.exe
Token: SeDebugPrivilege	2312	taskmgn.exe
Token: SeDebugPrivilege	2532	taskmgn.exe
Token: SeDebugPrivilege	2444	taskmgn.exe
Token: SeDebugPrivilege	1944	taskmgn.exe
Token: SeDebugPrivilege	948	taskmgn.exe
Token: SeDebugPrivilege	2168	taskmgn.exe
Token: SeDebugPrivilege	1820	taskmgn.exe
Token: SeDebugPrivilege	1712	taskmgn.exe
Token: SeDebugPrivilege	1964	taskmgn.exe
Token: SeDebugPrivilege	428	taskmgn.exe
Token: SeDebugPrivilege	1308	taskmgn.exe
Token: SeDebugPrivilege	2116	taskmgn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1760	2552	aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe	29
PID 2552 wrote to memory of 1760	2552	aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe	29
PID 2552 wrote to memory of 1760	2552	aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe	29
PID 2552 wrote to memory of 1760	2552	aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe	29
PID 1760 wrote to memory of 2148	1760	taskmgn.exe	30
PID 1760 wrote to memory of 2148	1760	taskmgn.exe	30
PID 1760 wrote to memory of 2148	1760	taskmgn.exe	30
PID 1760 wrote to memory of 2148	1760	taskmgn.exe	30
PID 2148 wrote to memory of 2820	2148	taskmgn.exe	31
PID 2148 wrote to memory of 2820	2148	taskmgn.exe	31
PID 2148 wrote to memory of 2820	2148	taskmgn.exe	31
PID 2148 wrote to memory of 2820	2148	taskmgn.exe	31
PID 2820 wrote to memory of 2308	2820	taskmgn.exe	32
PID 2820 wrote to memory of 2308	2820	taskmgn.exe	32
PID 2820 wrote to memory of 2308	2820	taskmgn.exe	32
PID 2820 wrote to memory of 2308	2820	taskmgn.exe	32
PID 2308 wrote to memory of 2772	2308	taskmgn.exe	33
PID 2308 wrote to memory of 2772	2308	taskmgn.exe	33
PID 2308 wrote to memory of 2772	2308	taskmgn.exe	33
PID 2308 wrote to memory of 2772	2308	taskmgn.exe	33
PID 2772 wrote to memory of 2832	2772	taskmgn.exe	34
PID 2772 wrote to memory of 2832	2772	taskmgn.exe	34
PID 2772 wrote to memory of 2832	2772	taskmgn.exe	34
PID 2772 wrote to memory of 2832	2772	taskmgn.exe	34
PID 2832 wrote to memory of 2860	2832	taskmgn.exe	35
PID 2832 wrote to memory of 2860	2832	taskmgn.exe	35
PID 2832 wrote to memory of 2860	2832	taskmgn.exe	35
PID 2832 wrote to memory of 2860	2832	taskmgn.exe	35
PID 2860 wrote to memory of 2636	2860	taskmgn.exe	36
PID 2860 wrote to memory of 2636	2860	taskmgn.exe	36
PID 2860 wrote to memory of 2636	2860	taskmgn.exe	36
PID 2860 wrote to memory of 2636	2860	taskmgn.exe	36
PID 2636 wrote to memory of 2744	2636	taskmgn.exe	37
PID 2636 wrote to memory of 2744	2636	taskmgn.exe	37
PID 2636 wrote to memory of 2744	2636	taskmgn.exe	37
PID 2636 wrote to memory of 2744	2636	taskmgn.exe	37
PID 2744 wrote to memory of 2888	2744	taskmgn.exe	38
PID 2744 wrote to memory of 2888	2744	taskmgn.exe	38
PID 2744 wrote to memory of 2888	2744	taskmgn.exe	38
PID 2744 wrote to memory of 2888	2744	taskmgn.exe	38
PID 2888 wrote to memory of 2968	2888	taskmgn.exe	39
PID 2888 wrote to memory of 2968	2888	taskmgn.exe	39
PID 2888 wrote to memory of 2968	2888	taskmgn.exe	39
PID 2888 wrote to memory of 2968	2888	taskmgn.exe	39
PID 2968 wrote to memory of 2796	2968	taskmgn.exe	40
PID 2968 wrote to memory of 2796	2968	taskmgn.exe	40
PID 2968 wrote to memory of 2796	2968	taskmgn.exe	40
PID 2968 wrote to memory of 2796	2968	taskmgn.exe	40
PID 2796 wrote to memory of 2628	2796	taskmgn.exe	41
PID 2796 wrote to memory of 2628	2796	taskmgn.exe	41
PID 2796 wrote to memory of 2628	2796	taskmgn.exe	41
PID 2796 wrote to memory of 2628	2796	taskmgn.exe	41
PID 2628 wrote to memory of 2660	2628	taskmgn.exe	42
PID 2628 wrote to memory of 2660	2628	taskmgn.exe	42
PID 2628 wrote to memory of 2660	2628	taskmgn.exe	42
PID 2628 wrote to memory of 2660	2628	taskmgn.exe	42
PID 2660 wrote to memory of 1228	2660	taskmgn.exe	43
PID 2660 wrote to memory of 1228	2660	taskmgn.exe	43
PID 2660 wrote to memory of 1228	2660	taskmgn.exe	43
PID 2660 wrote to memory of 1228	2660	taskmgn.exe	43
PID 1228 wrote to memory of 836	1228	taskmgn.exe	44
PID 1228 wrote to memory of 836	1228	taskmgn.exe	44
PID 1228 wrote to memory of 836	1228	taskmgn.exe	44
PID 1228 wrote to memory of 836	1228	taskmgn.exe	44

C:\Users\Admin\AppData\Local\Temp\aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa0c14da4234e2c9de3fc310da75bddb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- \??\c:\windows\SysWOW64\taskmgn.exe
  c:\windows\system32\taskmgn.exe
  2⤵
  - Windows security bypass
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1760
- - \??\c:\windows\SysWOW64\taskmgn.exe
    c:\windows\system32\taskmgn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - \??\c:\windows\SysWOW64\taskmgn.exe
      c:\windows\system32\taskmgn.exe
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2820
    - - \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
      - \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        6⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        10⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        15⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        20⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        22⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        25⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        26⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        27⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        30⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        32⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        35⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        37⤵
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        38⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        40⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        41⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        42⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        43⤵
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        44⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        46⤵
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        47⤵
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        48⤵
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        49⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        50⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        51⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        52⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        53⤵
        Windows security bypass
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        54⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        55⤵
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        56⤵
        Windows security bypass
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        57⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        58⤵
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        59⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        60⤵
        Windows security bypass
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        61⤵
        Windows security bypass
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        62⤵
        Executes dropped EXE
        Windows security modification
        Suspicious use of AdjustPrivilegeToken
        
        PID:428
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        63⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        65⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        
        PID:912
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        66⤵
        
        PID:2808
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        67⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        
        PID:1668
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        69⤵
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        70⤵
        Windows security bypass
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        71⤵
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        73⤵
        
        PID:2548
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        74⤵
        Windows security bypass
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:544
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        75⤵
        Windows security bypass
        
        PID:1504
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        76⤵
        Windows security modification
        Adds Run key to start application
        
        PID:864
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        77⤵
        Windows security modification
        
        PID:3000
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        78⤵
        Windows security bypass
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:688
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        81⤵
        Windows security bypass
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        82⤵
        Windows security bypass
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        83⤵
        Windows security modification
        
        PID:1304
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        84⤵
        Windows security bypass
        Windows security modification
        
        PID:1760
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        85⤵
        Adds Run key to start application
        
        PID:2040
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        86⤵
        Windows security bypass
        Adds Run key to start application
        
        PID:2156
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        87⤵
        Windows security bypass
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        88⤵
        Windows security modification
        Adds Run key to start application
        
        PID:2472
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        89⤵
        Windows security bypass
        
        PID:2320
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        90⤵
        
        PID:2756
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        91⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        92⤵
        
        PID:2864
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        93⤵
        Adds Run key to start application
        
        PID:2780
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        94⤵
        Adds Run key to start application
        
        PID:2860
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        95⤵
        
        PID:2884
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        97⤵
        Windows security modification
        Adds Run key to start application
        
        PID:2812
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        98⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        99⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        100⤵
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        101⤵
        Windows security bypass
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        102⤵
        Windows security bypass
        Adds Run key to start application
        
        PID:2672
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        103⤵
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        104⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        105⤵
        Windows security bypass
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        106⤵
        Windows security bypass
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        107⤵
        Adds Run key to start application
        
        PID:2684
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        108⤵
        Windows security bypass
        Windows security modification
        
        PID:2676
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        109⤵
        Windows security bypass
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        110⤵
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        111⤵
        
        PID:2512
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        112⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        113⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        
        PID:1364
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        114⤵
        Adds Run key to start application
        
        PID:1168
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        115⤵
        Windows security bypass
        
        PID:1808
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        116⤵
        Windows security bypass
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        118⤵
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        119⤵
        Windows security modification
        
        PID:1588
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        120⤵
        Windows security bypass
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        121⤵
        Windows security bypass
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        122⤵
        Windows security bypass
        
        PID:2404
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        123⤵
        Windows security modification
        
        PID:1720
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        124⤵
        Windows security modification
        
        PID:2204
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        125⤵
        Adds Run key to start application
        
        PID:2328
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        126⤵
        Windows security bypass
        Adds Run key to start application
        
        PID:2984
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        127⤵
        Adds Run key to start application
        
        PID:1344
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        128⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        129⤵
        Adds Run key to start application
        
        PID:1792
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        130⤵
        Windows security bypass
        Adds Run key to start application
        
        PID:1568
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        131⤵
        Windows security bypass
        Windows security modification
        
        PID:944
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        132⤵
        Windows security modification
        
        PID:1844
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        133⤵
        Windows security bypass
        Windows security modification
        
        PID:2072
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        134⤵
        
        PID:2448
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        135⤵
        Adds Run key to start application
        
        PID:928
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        136⤵
        Windows security bypass
        Adds Run key to start application
        
        PID:1372
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        137⤵
        Windows security modification
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        \??\c:\windows\SysWOW64\taskmgn.exe
        
        c:\windows\system32\taskmgn.exe
        138⤵
        
        PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\taskmgn.exe

Filesize
68KB

MD5
aa0c14da4234e2c9de3fc310da75bddb

SHA1
234beef45a1ccf0814e3229fe08c0e852ba0daa0

SHA256
178d720302052767792c9fa6d2569446ea281bc5964c7c155c424ae894124da9

SHA512
fc395346782bb4f302f91b8049a4494fe884b40da380b31240c80faf999e24e784fa2f510da942e61f56c74f7dd78641903840a6d114240e194d3d531d930588

Download Submit