Overview
overview
10Static
static
1036.exe
windows7-x64
336.exe
windows10-2004-x64
3Enalib.exe
windows7-x64
10Enalib.exe
windows10-2004-x64
10RDriver.exe
windows7-x64
8RDriver.exe
windows10-2004-x64
8SDriver.exe
windows7-x64
3SDriver.exe
windows10-2004-x64
3T.exe
windows7-x64
10T.exe
windows10-2004-x64
10autoruns.exe
windows7-x64
3autoruns.exe
windows10-2004-x64
3e.exe
windows7-x64
10e.exe
windows10-2004-x64
10fake jpg shit.lnk
windows7-x64
10fake jpg shit.lnk
windows10-2004-x64
10fake photo.lnk
windows7-x64
3fake photo.lnk
windows10-2004-x64
7noyjhoadw.exe
windows7-x64
10noyjhoadw.exe
windows10-2004-x64
10unins000.exe
windows7-x64
3unins000.exe
windows10-2004-x64
3use for by...ck.exe
windows7-x64
8use for by...ck.exe
windows10-2004-x64
8Analysis
-
max time kernel
30s -
max time network
21s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24/01/2025, 13:13
Behavioral task
behavioral1
Sample
36.exe
Resource
win7-20241023-en
windows7-x64
3 signatures
30 seconds
Behavioral task
behavioral2
Sample
36.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
2 signatures
30 seconds
Behavioral task
behavioral3
Sample
Enalib.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
30 seconds
Behavioral task
behavioral4
Sample
Enalib.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
30 seconds
Behavioral task
behavioral5
Sample
RDriver.exe
Resource
win7-20241010-en
windows7-x64
5 signatures
30 seconds
Behavioral task
behavioral6
Sample
RDriver.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
4 signatures
30 seconds
Behavioral task
behavioral7
Sample
SDriver.exe
Resource
win7-20240903-en
windows7-x64
1 signatures
30 seconds
Behavioral task
behavioral8
Sample
SDriver.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
1 signatures
30 seconds
Behavioral task
behavioral9
Sample
T.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
30 seconds
Behavioral task
behavioral10
Sample
T.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
30 seconds
Behavioral task
behavioral11
Sample
autoruns.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
30 seconds
Behavioral task
behavioral12
Sample
autoruns.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
5 signatures
30 seconds
Behavioral task
behavioral13
Sample
e.exe
Resource
win7-20240903-en
windows7-x64
4 signatures
30 seconds
Behavioral task
behavioral14
Sample
e.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
4 signatures
30 seconds
Behavioral task
behavioral15
Sample
fake jpg shit.lnk
Resource
win7-20241010-en
windows7-x64
7 signatures
30 seconds
Behavioral task
behavioral16
Sample
fake jpg shit.lnk
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
30 seconds
Behavioral task
behavioral17
Sample
fake photo.lnk
Resource
win7-20240729-en
windows7-x64
4 signatures
30 seconds
Behavioral task
behavioral18
Sample
fake photo.lnk
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
30 seconds
Behavioral task
behavioral19
Sample
noyjhoadw.exe
Resource
win7-20241010-en
windows7-x64
5 signatures
30 seconds
Behavioral task
behavioral20
Sample
noyjhoadw.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
4 signatures
30 seconds
Behavioral task
behavioral21
Sample
unins000.exe
Resource
win7-20240903-en
windows7-x64
5 signatures
30 seconds
Behavioral task
behavioral22
Sample
unins000.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
1 signatures
30 seconds
Behavioral task
behavioral23
Sample
use for bypassing taskmgr block.exe
Resource
win7-20240903-en
windows7-x64
17 signatures
30 seconds
Behavioral task
behavioral24
Sample
use for bypassing taskmgr block.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
16 signatures
30 seconds
General
-
Target
use for bypassing taskmgr block.exe
-
Size
4.3MB
-
MD5
94c60e6704b5dd11a139f2ffebde9135
-
SHA1
cd89f1cf9428a3eab554a3eb9ff6ca869e5bc368
-
SHA256
106bf123359d03963b1df1011fb8560aaf1c5e811de775dce1d8a53758a69102
-
SHA512
586bf326eae890379fcc7ad60e0a70384d069898aea46da32baf6bd60854df97b461019beaf17744ba3dfc0e70eb75970b977c30f035d296ae89763605d4ff6d
-
SSDEEP
49152:cGNq7FBhpRWa3viMRIcDdxw6dXF3W1QrL1UDq3P8mlp4DOXUxm:cGejpRWafEkRW6OHmrZXt
Score
8/10
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\Drivers\PROCEXP152.SYS use for bypassing taskmgr block64.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS" use for bypassing taskmgr block64.exe -
Executes dropped EXE 1 IoCs
pid Process 5100 use for bypassing taskmgr block64.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: use for bypassing taskmgr block64.exe File opened (read-only) \??\H: use for bypassing taskmgr block64.exe File opened (read-only) \??\M: use for bypassing taskmgr block64.exe File opened (read-only) \??\K: use for bypassing taskmgr block64.exe File opened (read-only) \??\O: use for bypassing taskmgr block64.exe File opened (read-only) \??\Q: use for bypassing taskmgr block64.exe File opened (read-only) \??\S: use for bypassing taskmgr block64.exe File opened (read-only) \??\V: use for bypassing taskmgr block64.exe File opened (read-only) \??\Z: use for bypassing taskmgr block64.exe File opened (read-only) \??\A: use for bypassing taskmgr block64.exe File opened (read-only) \??\J: use for bypassing taskmgr block64.exe File opened (read-only) \??\P: use for bypassing taskmgr block64.exe File opened (read-only) \??\T: use for bypassing taskmgr block64.exe File opened (read-only) \??\W: use for bypassing taskmgr block64.exe File opened (read-only) \??\I: use for bypassing taskmgr block64.exe File opened (read-only) \??\L: use for bypassing taskmgr block64.exe File opened (read-only) \??\G: use for bypassing taskmgr block64.exe File opened (read-only) \??\N: use for bypassing taskmgr block64.exe File opened (read-only) \??\R: use for bypassing taskmgr block64.exe File opened (read-only) \??\U: use for bypassing taskmgr block64.exe File opened (read-only) \??\X: use for bypassing taskmgr block64.exe File opened (read-only) \??\B: use for bypassing taskmgr block64.exe File opened (read-only) \??\E: use for bypassing taskmgr block64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language use for bypassing taskmgr block.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 use for bypassing taskmgr block64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz use for bypassing taskmgr block64.exe -
Modifies system certificate store 2 TTPs 6 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 use for bypassing taskmgr block64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 use for bypassing taskmgr block64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 use for bypassing taskmgr block64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a use for bypassing taskmgr block64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a use for bypassing taskmgr block64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 use for bypassing taskmgr block64.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 5100 use for bypassing taskmgr block64.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeDebugPrivilege 5100 use for bypassing taskmgr block64.exe Token: SeBackupPrivilege 5100 use for bypassing taskmgr block64.exe Token: SeSecurityPrivilege 5100 use for bypassing taskmgr block64.exe Token: SeLoadDriverPrivilege 5100 use for bypassing taskmgr block64.exe Token: SeShutdownPrivilege 5100 use for bypassing taskmgr block64.exe Token: SeCreatePagefilePrivilege 5100 use for bypassing taskmgr block64.exe Token: SeShutdownPrivilege 5100 use for bypassing taskmgr block64.exe Token: SeCreatePagefilePrivilege 5100 use for bypassing taskmgr block64.exe Token: SeDebugPrivilege 5100 use for bypassing taskmgr block64.exe Token: SeImpersonatePrivilege 5100 use for bypassing taskmgr block64.exe Token: SeSecurityPrivilege 5100 use for bypassing taskmgr block64.exe Token: SeDebugPrivilege 5100 use for bypassing taskmgr block64.exe Token: SeBackupPrivilege 5100 use for bypassing taskmgr block64.exe Token: SeRestorePrivilege 5100 use for bypassing taskmgr block64.exe Token: SeDebugPrivilege 5100 use for bypassing taskmgr block64.exe -
Suspicious use of FindShellTrayWindow 45 IoCs
pid Process 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe -
Suspicious use of SendNotifyMessage 45 IoCs
pid Process 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe 5100 use for bypassing taskmgr block64.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5100 use for bypassing taskmgr block64.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2556 wrote to memory of 5100 2556 use for bypassing taskmgr block.exe 82 PID 2556 wrote to memory of 5100 2556 use for bypassing taskmgr block.exe 82 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\use for bypassing taskmgr block.exe"C:\Users\Admin\AppData\Local\Temp\use for bypassing taskmgr block.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\use for bypassing taskmgr block64.exe"C:\Users\Admin\AppData\Local\Temp\use for bypassing taskmgr block.exe"2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5100
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD5dfeea73e421c76deb18d5ca0800dccf2
SHA10497eba0b24d0f4500faad5ae96dbebab9c64608
SHA2568158dc0569972c10056f507cf9e72f4946600ce163c4c659a610480585cd4935
SHA51223ddc9f28314d4cf3b05d88b9e0b6fd69f9804f5e9c3f7703258ff2c5786721061321379fde53e21048d3c7cce1ff71e2872d48dcc580d059397fa0692335630