Overview

Static   score 10

Tasks in this submission (score badge as shown in the overview, sample, platform):

Score  Sample                  Platform
  7    0b42c766b0...32.exe     windows7-x64
 10    11f9bb7186...6b.exe     windows7-x64
  3    childmoney.exe          windows7-x64
  3    1c281ece6f...2a.exe     windows7-x64
  3    32bb88fa59...4b.exe     windows7-x64
  3    5056cbe553...3d.exe     windows7-x64
  3    50e0f20cb3...69.exe     windows7-x64
  6    57bbc27030...7b.exe     windows7-x64
  3    65a84ff98e...02.exe     windows7-x64
 10    6db6ac1ce8...be.exe     windows7-x64
 10    72745efc42...46.exe     windows7-x64
 10    751fb51baa...fe.exe     windows7-x64
 10    95e95a5be0...63.exe     windows7-x64
  3    a935725900...07.exe     windows7-x64
  3    c190931380...74.dll     windows7-x64
  3    dafc6c03ef...19.exe     windows7-x64
  1    e3c6c48ba7...87.exe     windows7-x64
 10    edbb453cc0...46.exe     windows7-x64
  5    f633e6f255...4b.exe     windows7-x64
  -    fda537bc5e...ad.exe     windows7-x64
Analysis   score 3

max time kernel:    300s
max time network:   301s
platform:           windows7_x64
resource:           win7-20240729-en
resource tags:      arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted:          03-11-2024 19:18
Behavioral tasks (task, sample, resource)

behavioral1    0b42c766b056ee3a04b2e0b833c4f42e1520516e047330df3c5640dfcc492232.exe   win7-20240903-en
behavioral2    11f9bb7186adbefb2633904f1626b20f3f8d0d3ecb98e55a3a81e6a17039786b.exe   win7-20240903-en
behavioral3    childmoney.exe                                                         win7-20240903-en
behavioral4    1c281ece6f6be8983f6f858636ddf9169dcb00ec2c0a98d0797bf8d3619cb22a.exe   win7-20240903-en
behavioral5    32bb88fa592ba0f338d58730d224728823684134157afe5892f5bbd8c042d54b.exe   win7-20240903-en
behavioral6    5056cbe5539d0e171c81451306f2a970b43a6039dd847316a96f24be7b19453d.exe   win7-20240903-en
behavioral7    50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869.exe   win7-20240729-en   (the task this report covers)
behavioral8    57bbc27030a7c47b62aa08d6d05b6c7eee36010246260924ed6b85ff7e53917b.exe   win7-20240903-en
behavioral9    65a84ff98e09a002d01b1c2935ca603125c8ddcb5c5824da9cc60787594a5202.exe   win7-20240708-en
behavioral10   6db6ac1ce8f946e0b441c1a1be1b0f094cef331231ae4f9d58b30e3e353145be.exe   win7-20240903-en
behavioral11   72745efc423d4adb76434360755cfbc3cfe8fa47ba8e5fa2920ada7dc9ceb146.exe   win7-20241010-en
behavioral12   751fb51baa5a4ed44c9c2bb45b824831914025e87d4d866e5861a38f734d8bfe.exe   win7-20240903-en
behavioral13   95e95a5be0b57cee969c5d9f616be2e973bc08a77482c75570936faaaaa35063.exe   win7-20240903-en
behavioral14   a935725900d1ad19b92bcda1c0d612bccccd8bba53dd6e13cabe6d59d7874607.exe   win7-20241010-en
behavioral15   c19093138028ea6a6a6665e270c36558757931f1d7f6f88910b08e39903a1774.dll   win7-20240729-en
behavioral16   dafc6c03ef671f66ddbe47e6eee600d2dfa894eee1c1b67d51d3a24532f58e19.exe   win7-20240903-en
behavioral17   e3c6c48ba7d213e5c5c31f43d70dc4ca1709fc29e06883f64487ad049a520b87.exe   win7-20241010-en
behavioral18   edbb453cc08e8ac79d0c60c0f1ca3803060e8c3a4dd2e2a7b40c50ec3fb0dd46.exe   win7-20240903-en
behavioral19   f633e6f25507a6d99ad2474ca4528ef4fdf8f124cade2daa51d310733a62114b.exe   win7-20240903-en
behavioral20   fda537bc5e4051c8c69491089041df58483e31f410f180c5767901a53a67f9ad.exe   win7-20240903-en
General

Target:   50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869.exe
Size:     564KB
MD5:      31aa278085c235260fb64311532b1893
SHA1:     2fdbb2ad8abdc69d7d4d1115287f3513c31446a1
SHA256:   50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869
SHA512:   b761774f02c3814d8d965ad4e70a3bda31184abbf3f7293c6885904ca192f9406c27ba4c2f0b9ecc1920534a4a01353a8213f880449aa5aa1dc54bfe80357f2d
SSDEEP:   12288:bwla+aTeq8Rg1yVkzES8RZTOy0fl+rsuNkabtW:kM+Z3S1uJSCvCwrsqr
Malware Config
Signatures

Adds Run key to start application   2 TTPs   1 IoC
  Set value (str)   \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pietro = "C:\\pietro.bat"   by 50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869.exe
  \REGISTRY\USER\<SID> is the HKCU hive of the account the sample ran under (the profile C:\Users\Admin in the process listing), so this is the per-user Run key: C:\pietro.bat is launched at that user's next logon. The page records no file write of C:\pietro.bat, so whether the batch file was actually created is not established here; a responder should check both the Run value "pietro" and the file at the drive root.

Packed with UPX (yara rule: upx)   2 IoCs
  behavioral7/memory/2380-0-0x0000000000400000-0x000000000048E000-memory.dmp    upx
  behavioral7/memory/2380-15-0x0000000000400000-0x000000000048E000-memory.dmp   upx
  Both matches are dumps of the sample process (PID 2380) over the same 0x400000-0x48E000 image range; the UPX section headers stay in the mapped PE header after the stub has unpacked, which is why the rule still fires in memory.

Enumerates physical storage devices   1 TTP
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery   1 TTP   64 IoCs
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by 50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869.exe (1 record) and by the spawned taskmgr.exe instances (all remaining records; the report lists at most 64 records per signature).
  Every record is the same key, so this is one indicator, not 64. The spawned Task Manager instances trigger the same record, which shows how routine this key access is; treat it as context rather than as a detection on its own.

Modifies Internet Explorer settings   7 IoCs
  Key created   \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main        by 50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869.exe (1 record)
  Key created   \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TypedURLs   by taskmgr.exe (6 records)
  Only the Internet Explorer\Main key is touched by the sample itself; the TypedURLs records come from the Task Manager children.
Modifies registry class   64 IoCs
  All 64 records are written by the spawned taskmgr.exe instances. Writing P for the prefix \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell, the distinct keys and values are:

  Key created   \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings
  Key created   P
  Key created   P\BagMRU
  Key created   P\BagMRU\0
  Key created   P\BagMRU\0\0
  Key created   P\BagMRU\0\0\0
  Key created   P\BagMRU\0\0\0\0
  Key created   P\Bags
  Key created   P\Bags\1
  Set value (data)   P\BagMRU\MRUListEx = 00000000ffffffff   (one record sets it to ffffffff)
  Set value (data)   P\BagMRU\0\MRUListEx = 00000000ffffffff
  Set value (data)   P\BagMRU\0\0\MRUListEx = 00000000ffffffff
  Set value (data)   P\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
  Set value (data)   P\BagMRU\0\0\0\0\MRUListEx = ffffffff
  Set value (data)   P\BagMRU\NodeSlots = 02
  Set value (data)   P\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
  Set value (data)   P\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
  Set value (data)   P\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000
  Set value (str)    P\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"

  These are shell bag (folder view) entries. The two long item blobs carry the folder names in ASCII and again in UTF-16: 4c6f63616c / 4c006f00630061006c00 is "Local" (depth 3) and 54656d70 / 540065006d007000 is "Temp" (depth 4), so the recorded view is of a ...\Local\Temp folder, consistent with the directory the sample was executed from (C:\Users\Admin\AppData\Local\Temp). Shell bag writes by Task Manager are ordinary shell-framework behaviour and are not malicious in themselves, but they do show the children are real Task Manager instances doing Task Manager things.
Suspicious behavior: EnumeratesProcesses   64 IoCs
  taskmgr.exe, PIDs 2332, 996, 1664, 2940, 2124 (64 records in total).
  Note that 996, 1664, 2124, 2324 and 2940 are not among the sixteen children named in the WriteProcessMemory records below; that list is full at 64 records (16 children x 4), so the sample evidently keeps spawning Task Manager beyond what either list shows.

Suspicious behavior: GetForegroundWindowSpam   6 IoCs
  taskmgr.exe, PIDs 2332, 1664, 2124, 2324, 996, 2940

Suspicious use of AdjustPrivilegeToken   6 IoCs
  Token: SeDebugPrivilege   taskmgr.exe, PIDs 2332, 996, 1664, 2940, 2124, 2324
  Task Manager enables SeDebugPrivilege on start so it can open other users' processes; for taskmgr.exe this is expected.

Suspicious use of FindShellTrayWindow   64 IoCs
  taskmgr.exe, PIDs 2332, 996, 1664 (64 records in total)

Suspicious use of SendNotifyMessage   64 IoCs
  taskmgr.exe, PIDs 2332, 996, 1664, 2940 (64 records in total)

Suspicious use of SetWindowsHookEx   2 IoCs
  PID 2380   50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869.exe (2 records)
  This is the only window-hook activity attributed to the sample itself; the page does not show the hook type.

Suspicious use of WriteProcessMemory   64 IoCs
  PID 2380 (50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869.exe) wrote to the memory of each of the following child PIDs four times (procid_target in parentheses):
  2332 (29), 2352 (30), 2856 (31), 2900 (32), 2744 (33), 2764 (34), 2772 (35), 2696 (37), 2752 (38), 2644 (39), 2652 (40), 2660 (41), 2692 (42), 2716 (43), 2760 (44), 2288 (45)
  procid_target 36 has no write record. The write count is uniform across children, and the children then behave as a normal Task Manager (process enumeration, tray-window lookup, shell bag writes), so the page gives no sign that they were hollowed or had code injected; the parent-to-child writes are consistent with ordinary process creation.
Processes

- C:\Users\Admin\AppData\Local\Temp\50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869.exe (command line: "C:\Users\Admin\AppData\Local\Temp\50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869.exe") PID:2380
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2332
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2352
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2856
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2900
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2744
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2764
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2772
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2696
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2752
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2644
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2652
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2660
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2692
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2716
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2760
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2288
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2584
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2176
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:996
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:924
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2424
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1632
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2496
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2492
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2472
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:956
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2504
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1056
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1676
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2084
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1544
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1332
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1732
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1112
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1064
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1664
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1268
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2940
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1172
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2008
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1944
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2004
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2016
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1444
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1152
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1784
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:3048
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1308
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2620
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2624
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:940
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1984
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2124
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1496
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1668
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2448
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2992
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1648
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2064
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2028
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1060
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2596
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:352
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1936
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:376
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2324
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2484
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2600
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1708
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1980
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2416
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:780
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1832
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1840
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:2068
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:936
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:932
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1912
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\taskmgr.exe (command line: "C:\Windows\System32\taskmgr.exe") PID:1600