1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TaskMan.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Security Task Manager\lgs_danish.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\ordina.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\taskman_fr.chm	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\taskman_de.chm	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\taskman_fr.chm	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\ascode.dll	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\bestell.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\lgs_russian.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\sqlite3.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\psapi_.dll	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\TaskMan.exe	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_french.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_korean.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_norwegian_bokmaal.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\lgs_turkish.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\manual_de.pdf	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\order.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\file_id.diz	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\lgs_ukrainian.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_ukrainian.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\liesmich.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\psapi_.dll	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\readme.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\taskman_ru.chm	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\uninstal.exe	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\file_id.diz	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\Formulaire.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\manual_en.pdf	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\manual_fr.pdf	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\lgs_swedish.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\manual_en.pdf	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\SpyProDll.dll	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\Formulaire.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_danish.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_english.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\lgs_polish.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\SpyProtector.exe	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_bulgarian.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_deutsch.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\manual_de.pdf	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\order.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\ascode.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\lgs_norwegian_bokmaal.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_swedish.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\LisezMoi.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\ordina.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\Setup.exe	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\Setup.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\SpyProDll.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\bestell.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_hungarian.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\lgs_italiano.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_portuguese (Brasil).txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\taskman_en.chm	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\taskman_ru.chm	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\lgs_portuguese (Brasil).txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_czech.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\lgs_finnish.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_italiano.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_polish.txt	setup.exe
File created	C:\Program Files (x86)\Security Task Manager\lgs_russian.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\lgs_spanish.txt	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\sqlite3.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Security Task Manager\TaskMan.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	TaskMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	TaskMan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	TaskMan.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
8	TaskMan.exe
8	TaskMan.exe
8	TaskMan.exe
8	TaskMan.exe
8	TaskMan.exe
8	TaskMan.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	TaskMan.exe
Token: SeBackupPrivilege	3800	vssvc.exe
Token: SeRestorePrivilege	3800	vssvc.exe
Token: SeAuditPrivilege	3800	vssvc.exe
Token: SeDebugPrivilege	8	TaskMan.exe
Token: SeDebugPrivilege	8	TaskMan.exe
Token: SeBackupPrivilege	3980	vssvc.exe
Token: SeRestorePrivilege	3980	vssvc.exe
Token: SeAuditPrivilege	3980	vssvc.exe
Token: SeBackupPrivilege	1076	srtasks.exe
Token: SeRestorePrivilege	1076	srtasks.exe
Token: SeSecurityPrivilege	1076	srtasks.exe
Token: SeTakeOwnershipPrivilege	1076	srtasks.exe
Token: SeBackupPrivilege	1076	srtasks.exe
Token: SeRestorePrivilege	1076	srtasks.exe
Token: SeSecurityPrivilege	1076	srtasks.exe
Token: SeTakeOwnershipPrivilege	1076	srtasks.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
8	TaskMan.exe
8	TaskMan.exe
8	TaskMan.exe
8	TaskMan.exe
8	TaskMan.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 3796	1052	SecurityTaskManager_Setup.exe	76
PID 1052 wrote to memory of 3796	1052	SecurityTaskManager_Setup.exe	76
PID 1052 wrote to memory of 3796	1052	SecurityTaskManager_Setup.exe	76
PID 3796 wrote to memory of 496	3796	setup.exe	82
PID 3796 wrote to memory of 496	3796	setup.exe	82
PID 3796 wrote to memory of 496	3796	setup.exe	82
PID 2596 wrote to memory of 8	2596	explorer.exe	84
PID 2596 wrote to memory of 8	2596	explorer.exe	84
PID 2596 wrote to memory of 8	2596	explorer.exe	84

C:\Users\Admin\AppData\Local\Temp\SecurityTaskManager_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\SecurityTaskManager_Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\setup.exe
  ".\setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe" "C:\Program Files (x86)\Security Task Manager\taskman.exe"
    3⤵
    PID:496

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files (x86)\Security Task Manager\TaskMan.exe
  "C:\Program Files (x86)\Security Task Manager\TaskMan.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:8

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3980

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3036

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-204-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-310-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-203-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-552-0x0000000006690000-0x000000000669A000-memory.dmp

Filesize
40KB

Download
memory/8-205-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-206-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-207-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-208-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-209-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-210-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-212-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-211-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-213-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-214-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-216-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-215-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-217-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-218-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-219-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-221-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-220-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-222-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-223-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-224-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-225-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-226-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-227-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-228-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-229-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-230-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-254-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-300-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-301-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-302-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-303-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-304-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-305-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-306-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-307-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-308-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-309-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-202-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-311-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-312-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-313-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-314-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-315-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-316-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-317-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-318-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-319-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-320-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-321-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-323-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-201-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-200-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-199-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-198-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-197-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-196-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-195-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-194-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-193-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-192-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-191-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-190-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-189-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-188-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-187-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-186-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-185-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/8-121-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/8-57-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/8-485-0x0000000006CA0000-0x0000000006DAA000-memory.dmp

Filesize
1.0MB

Download
memory/8-497-0x0000000006CA0000-0x0000000006DAA000-memory.dmp

Filesize
1.0MB

Download
memory/8-501-0x0000000006CA0000-0x0000000006DAA000-memory.dmp

Filesize
1.0MB

Download
memory/8-505-0x0000000006CA0000-0x0000000006DAA000-memory.dmp

Filesize
1.0MB

Download
memory/8-549-0x0000000007A50000-0x0000000007A54000-memory.dmp

Filesize
16KB

Download
memory/8-541-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/8-542-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/8-546-0x0000000007A50000-0x0000000007A54000-memory.dmp

Filesize
16KB

Download