a1cd9af8ffb092238de353938e359e3c248c4f56a6ed382463da2b5d27c93d63

Analysis

max time kernel
149s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 05:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ae03292852b2e71aab152d244d339018_JaffaCakes118.exe
Size

144KB
MD5

ae03292852b2e71aab152d244d339018
SHA1

fa51c1fa58832b8a4e4d6e15c75ca3f30f3e788d
SHA256

a1cd9af8ffb092238de353938e359e3c248c4f56a6ed382463da2b5d27c93d63
SHA512

be8538b684b6a660455b3b559ea4f83e2f8e2a93591ee63e6a9b718d76d930d751997fbaaed4a77071466f747f20056fd13d88b5d3b0c71051823e3bfb35c133
SSDEEP

768:MOEXmptsprwuiFYmvLEMwafYfIvI7d7eQbOUNIBF4tVWV+/S9QEuiFYmvLEMwafY:MOE2p4qAflzVqQ6Afl

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ae03292852b2e71aab152d244d339018_JaffaCakes118.exe"	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
2228	taskkill.exe
2344	taskkill.exe
2972	taskkill.exe
2024	taskkill.exe
2008	taskkill.exe
1812	taskkill.exe
2268	taskkill.exe
2144	taskkill.exe
1000	taskkill.exe
2512	taskkill.exe
1132	taskkill.exe
1496	taskkill.exe
2288	taskkill.exe
1824	taskkill.exe
2728	taskkill.exe
820	taskkill.exe
2276	taskkill.exe
444	taskkill.exe
1732	taskkill.exe
1748	taskkill.exe
1496	taskkill.exe
2904	taskkill.exe
2040	taskkill.exe
2632	taskkill.exe
268	taskkill.exe
1648	taskkill.exe
2628	taskkill.exe
2700	taskkill.exe
2792	taskkill.exe
960	taskkill.exe
2464	taskkill.exe
2576	taskkill.exe
1232	taskkill.exe
2868	taskkill.exe
1816	taskkill.exe
844	taskkill.exe
1712	taskkill.exe
860	taskkill.exe
560	taskkill.exe
1712	taskkill.exe
2376	taskkill.exe
1200	taskkill.exe
1828	taskkill.exe
2624	taskkill.exe
2884	taskkill.exe
2688	taskkill.exe
1752	taskkill.exe
2436	taskkill.exe
2100	taskkill.exe
1508	taskkill.exe
1316	taskkill.exe
2220	taskkill.exe
1372	taskkill.exe
1880	taskkill.exe
2880	taskkill.exe
2056	taskkill.exe
1600	taskkill.exe
1844	taskkill.exe
2544	taskkill.exe
3036	taskkill.exe
2060	taskkill.exe
2396	taskkill.exe
1712	taskkill.exe
2292	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	492	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeDebugPrivilege	268	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	680	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	600	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe
2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe
2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2728	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	29
PID 2532 wrote to memory of 2728	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	29
PID 2532 wrote to memory of 2728	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	29
PID 2532 wrote to memory of 2728	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	29
PID 2532 wrote to memory of 2848	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2848	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2848	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2848	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2612	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	34
PID 2532 wrote to memory of 2612	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	34
PID 2532 wrote to memory of 2612	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	34
PID 2532 wrote to memory of 2612	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	34
PID 2532 wrote to memory of 2644	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	36
PID 2532 wrote to memory of 2644	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	36
PID 2532 wrote to memory of 2644	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	36
PID 2532 wrote to memory of 2644	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	36
PID 2532 wrote to memory of 2640	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	38
PID 2532 wrote to memory of 2640	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	38
PID 2532 wrote to memory of 2640	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	38
PID 2532 wrote to memory of 2640	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	38
PID 2532 wrote to memory of 1940	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	40
PID 2532 wrote to memory of 1940	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	40
PID 2532 wrote to memory of 1940	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	40
PID 2532 wrote to memory of 1940	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	40
PID 2532 wrote to memory of 1820	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	42
PID 2532 wrote to memory of 1820	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	42
PID 2532 wrote to memory of 1820	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	42
PID 2532 wrote to memory of 1820	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	42
PID 2532 wrote to memory of 2460	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	44
PID 2532 wrote to memory of 2460	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	44
PID 2532 wrote to memory of 2460	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	44
PID 2532 wrote to memory of 2460	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	44
PID 2532 wrote to memory of 1496	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	46
PID 2532 wrote to memory of 1496	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	46
PID 2532 wrote to memory of 1496	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	46
PID 2532 wrote to memory of 1496	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	46
PID 2532 wrote to memory of 2876	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	48
PID 2532 wrote to memory of 2876	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	48
PID 2532 wrote to memory of 2876	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	48
PID 2532 wrote to memory of 2876	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	48
PID 2532 wrote to memory of 1600	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	50
PID 2532 wrote to memory of 1600	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	50
PID 2532 wrote to memory of 1600	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	50
PID 2532 wrote to memory of 1600	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	50
PID 2532 wrote to memory of 2796	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	52
PID 2532 wrote to memory of 2796	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	52
PID 2532 wrote to memory of 2796	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	52
PID 2532 wrote to memory of 2796	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	52
PID 2532 wrote to memory of 2932	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	54
PID 2532 wrote to memory of 2932	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	54
PID 2532 wrote to memory of 2932	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	54
PID 2532 wrote to memory of 2932	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	54
PID 2532 wrote to memory of 2072	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	56
PID 2532 wrote to memory of 2072	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	56
PID 2532 wrote to memory of 2072	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	56
PID 2532 wrote to memory of 2072	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	56
PID 2532 wrote to memory of 1508	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	58
PID 2532 wrote to memory of 1508	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	58
PID 2532 wrote to memory of 1508	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	58
PID 2532 wrote to memory of 1508	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	58
PID 2532 wrote to memory of 1196	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	60
PID 2532 wrote to memory of 1196	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	60
PID 2532 wrote to memory of 1196	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	60
PID 2532 wrote to memory of 1196	2532	ae03292852b2e71aab152d244d339018_JaffaCakes118.exe	60

C:\Users\Admin\AppData\Local\Temp\ae03292852b2e71aab152d244d339018_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae03292852b2e71aab152d244d339018_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:492
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2636
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2608
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2024
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:620
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2144
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2352
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2132
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:776
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2576
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:268
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2388
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2072
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2056
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1196
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1512
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2468
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2232
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:680
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:824
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1540
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2672
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1844
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2880
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2092
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1984
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2268
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1000
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2148
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2728
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2760
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2636
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2608
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1940
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:620
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2436
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2352
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2132
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2688
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2576
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2100
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1508
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2244
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1196
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2232
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:680
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:824
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1816
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2672
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1844
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:3012
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im YahooMessenger.exe
  2⤵
  PID:1924
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ypager.exe
  2⤵
  PID:1656
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1448
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2512
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1000
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2148
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2824
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2676
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2784
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1748
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2644
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2024
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2248
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2460
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1316
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2228
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:3016
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2984
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2220
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2572
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1244
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:820
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:596
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1200
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1528
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:560
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1996
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1232
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2324
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:3008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:492
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2344
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2188
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1712
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2600
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2276
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2908
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1648
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2308
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1496
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1112
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3032
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2904
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2196
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2628
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2388
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2952
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1704
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2572
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2064
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2544
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1200
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1464
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:824
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1816
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1232
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1980
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1456
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2288
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2344
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2396
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2812
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2624
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2788
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2824
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2632
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1648
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2452
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1320
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1112
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2460
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2904
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2312
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2228
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:3016
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:868
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2952
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2392
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2484
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:280
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2376
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2292
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1200
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1464
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2004
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1816
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2120
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2884
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1884
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1924
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2088
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2016
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2700
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2756
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2428
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1820
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1032
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2040
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2940
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:3032
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1372
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1652
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2792
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:556
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2420
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1468
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2056
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2544
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2232
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1260
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2284
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1220
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2364
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2204
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2256
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1848
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2424
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2852
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2832
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2868
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2624
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2788
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2824
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2632
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1792
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2436
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2536
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2132
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2688
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2516
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2904
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1136
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2972
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1132
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2244
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2164
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1732
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2404
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1896
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1828
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:960
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1996
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2364
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2032
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:3008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:3012
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2956
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1448
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2016
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2700
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2756
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2652
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2632
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:3040
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2024
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2040
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2940
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1600
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1292
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2340
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2504
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:2508
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:444
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  PID:1840
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2532-6-0x0000000005620000-0x0000000005967000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads