Analysis
- max time kernel: 149s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-01-2021 17:57
Static task: static1
Behavioral task: behavioral1
Sample: b59e14046324524903d77687b3477d04.exe
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds
General
- Target: b59e14046324524903d77687b3477d04.exe
- Size: 6.5MB
- MD5: b59e14046324524903d77687b3477d04
- SHA1: 8596c6b591cfee14ee3dfd1abccc9c1cbacb1df5
- SHA256: 99e3d7fbbc0313a026f831c5304f4eee5b022e646416d8347d547ada3addb21f
- SHA512: a8a8cc7640207fc628d92b9ee21c1536c19d277a81c4c4925966efff1e52f6c76798f056871266f9c2243d9fdd3b86c435645801e1834324e1c760e48e31e103
Malware Config
Signatures
-
XMRig Miner Payload 2 IoCs
Processes:
resource yara_rule
behavioral2/memory/4712-2-0x0000000000400000-0x00000000010B6000-memory.dmp xmrig
behavioral2/memory/4712-4-0x0000000000400000-0x00000000010B6000-memory.dmp xmrig
-
Processes:
yara_rule
upx (matched 64 times)
-
Drops desktop.ini file(s) 2 IoCs
Processes:
description ioc process
File created C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini b59e14046324524903d77687b3477d04.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 1075 IoCs
Processes:
description ioc process
File opened for modification C:\Program Files\7-Zip\Lang\be.txt b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\elevation_service.exe b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jmc.ini b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\PYCC.pf b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\zh-CN.pak b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\7-Zip\Lang\ky.txt b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\System\DirectDB.dll b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\SmallLogoDev.png b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyDrop32x32.gif b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\jsse.jar b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\System\ado\msadomd28.tlb b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\7-Zip\Lang\lv.txt b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\sawindbg.dll b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Internet Explorer\SIGNUP\install.ins b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\System\msadc\msaddsr.dll b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301 b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\7-Zip\Lang\fur.txt b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\7-Zip\Lang\ro.txt b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jfr.dll b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\jconsole.jar b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\System\ado\msadrh15.dll b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\pt-BR.pak b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jawt.h b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui b59e14046324524903d77687b3477d04.exe
File opened for modification C:\Program Files\7-Zip\Lang\th.txt b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe b59e14046324524903d77687b3477d04.exe
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui b59e14046324524903d77687b3477d04.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName taskmgr.exe
-
Modifies Internet Explorer start page 1 TTPs 3 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.wLBJYFypeE.com" b59e14046324524903d77687b3477d04.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.hUyFxiGJBP.com" b59e14046324524903d77687b3477d04.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.KIjoQkZryY.com" b59e14046324524903d77687b3477d04.exe
-
Modifies system certificate store
Processes:
description ioc process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data not present in the report] b59e14046324524903d77687b3477d04.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 b59e14046324524903d77687b3477d04.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data not present in the report] b59e14046324524903d77687b3477d04.exe
-
Suspicious behavior: EnumeratesProcesses 79 IoCs
Processes:
pid process
792 taskmgr.exe (listed 64 times)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description pid process
Token: SeLockMemoryPrivilege 4712 b59e14046324524903d77687b3477d04.exe
Token: SeLockMemoryPrivilege 4712 b59e14046324524903d77687b3477d04.exe
Token: SeDebugPrivilege 792 taskmgr.exe
Token: SeSystemProfilePrivilege 792 taskmgr.exe
Token: SeCreateGlobalPrivilege 792 taskmgr.exe
-
Suspicious use of FindShellTrayWindow 91 IoCs
Processes:
pid process
792 taskmgr.exe (listed 64 times)
-
Suspicious use of SendNotifyMessage 91 IoCs
Processes:
pid process
792 taskmgr.exe (listed 64 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\b59e14046324524903d77687b3477d04.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b59e14046324524903d77687b3477d04.exe"
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage