Analysis
max time kernel: 86s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-10-2022 15:32
Static task: static1
Behavioral task: behavioral1
  Sample: 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
  Resource: win10v2004-20220812-en
General
Target: 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
Size: 1.2MB
MD5: 7132076fe70278fbe2dda128cc366475
SHA1: 2f855ab609d76ad9a0e82b57e7989a9a1860dd77
SHA256: 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9
SHA512: 162f6eec3460c6fdcb78be5f0ca4a54e29894c1afae606e7e8e6a73e42f4a84185648ebcda8ae0ba09ede694418a44513e099c20403df0a8cb1522e780413b51
SSDEEP: 24576:Dtb20pkACqT5TBWgNQ7ar+P2ZPGhv05szsKp6A:Arg5tQ7ar+TvBf5
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winmgr112.exe,explorer.exe"
process: 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
The value is written in the logged-on user's own hive (\REGISTRY\USER\S-1-5-21-...-1000, i.e. HKCU), so no elevation is needed. Winlogon's Shell value is a comma-separated list of programs started at logon; placing winmgr112.exe in front of explorer.exe launches the dropped binary at every logon of this user while the desktop still comes up normally, which is why the change is easy to miss.
Suspicious use of SetThreadContext 1 IoCs
Processes: 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
description: PID 1504 set thread context of 848
pid: 1504  process: 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
target process: RegAsm.exe
The target is the 32-bit .NET 2.0 assembly registration tool (C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, PID 848), a signed Microsoft binary that PID 1504 also writes to (see the WriteProcessMemory signature below). Writing into a child's memory and then replacing its thread context is the process-hollowing sequence; the report records the sequence but not the payload that ends up running inside RegAsm.exe.
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (64 instances)
pid (all schtasks.exe): 2312, 2660, 1904, 2016, 2472, 2548, 2988, 3020, 924, 664, 2036, 2408, 2568, 300, 2576, 2756, 1288, 1036, 1896, 888, 556, 3104, 2152, 2216, 2440, 2384, 2656, 584, 572, 2088, 2676, 2512, 3004, 1500, 768, 2376, 1896, 1488, 2344, 1920, 2604, 1940, 1668, 1560, 3252, 1976, 628, 2120, 2644, 2708, 2948, 3276, 316, 2056, 2184, 2248, 3160, 1180, 1648, 1352, 2280, 2504, 3132, 3184
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
pid process: 1504 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe (all 64 events come from this one process)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
All 64 events have source PID 1504 (3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe). The list stops at 64 entries, so only the first 13 of the schtasks.exe children appear here.
target pid  target process  writes
848         RegAsm.exe      12
1044        schtasks.exe    4
2016        schtasks.exe    4
1976        schtasks.exe    4
888         schtasks.exe    4
1180        schtasks.exe    4
556         schtasks.exe    4
1896        schtasks.exe    4
1288        schtasks.exe    4
1648        schtasks.exe    4
1644        schtasks.exe    4
1940        schtasks.exe    4
1668        schtasks.exe    4
584         schtasks.exe    4
Only RegAsm.exe receives both writes and a SetThreadContext call; the four writes into each schtasks.exe child are the normal footprint of the parent spawning a child and carry no injection on their own.
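The SetThreadContext and WriteProcessMemory signatures above only become meaningful together: a parent that both writes into a child and then resets its thread context is hollowing that child. The following is an added example, not part of the sandbox report, that parses event lines in the same "PID <src> <action> of <dst> <src> <src image> <dst image>" shape the signatures use and correlates them per parent/child pair. The sample lines are constructed from the report's own events; the list of commonly abused .NET host binaries is this example's assumption, not something the report states.

```python
"""Correlate the report's WriteProcessMemory and SetThreadContext events into a
process-hollowing indicator.

Added example; not part of the sandbox output. It parses lines in the form the
Signatures section uses; the sample lines below are constructed from the
report's events (two writes to RegAsm.exe stand in for the twelve it lists).
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# Signed Microsoft .NET binaries routinely used as hollowing hosts (assumed list).
KNOWN_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
               "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe"}


def parse_events(text: str) -> list[dict]:
    """Turn signature lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["src"], ev["dst"] = int(ev["src"]), int(ev["dst"])
            events.append(ev)
    return events


def find_hollowing(events: list[dict]) -> list[dict]:
    """A (parent, child) pair that is both written to and has its thread context
    replaced is the hollowing sequence. Writes alone are what every spawned child
    receives (each schtasks.exe above gets four), so the rule requires both."""
    stats = defaultdict(lambda: {"writes": 0, "ctx": 0, "src_image": "", "dst_image": ""})
    for ev in events:
        s = stats[(ev["src"], ev["dst"])]
        s["src_image"], s["dst_image"] = ev["src_image"], ev["dst_image"]
        if ev["action"].startswith("wrote"):
            s["writes"] += 1
        else:
            s["ctx"] += 1
    findings = []
    for (src, dst), s in sorted(stats.items()):
        if s["writes"] and s["ctx"]:
            findings.append({
                "parent": src, "child": dst,
                "parent_image": s["src_image"], "child_image": s["dst_image"],
                "writes": s["writes"], "set_thread_context": s["ctx"],
                # A known host binary started with no arguments is the usual tell.
                "known_host": s["dst_image"].lower() in KNOWN_HOSTS,
            })
    return findings


# Constructed sample lines mirroring the report's events.
SAMPLE_NAME = "3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe"
SAMPLE_LINES = "\n".join([
    f"PID 1504 wrote to memory of 848 1504 {SAMPLE_NAME} RegAsm.exe",
    f"PID 1504 wrote to memory of 848 1504 {SAMPLE_NAME} RegAsm.exe",
    f"PID 1504 set thread context of 848 1504 {SAMPLE_NAME} RegAsm.exe",
    f"PID 1504 wrote to memory of 1044 1504 {SAMPLE_NAME} schtasks.exe",
    f"PID 1504 wrote to memory of 1044 1504 {SAMPLE_NAME} schtasks.exe",
    f"PID 1504 wrote to memory of 2016 1504 {SAMPLE_NAME} schtasks.exe",
])

if __name__ == "__main__":
    for f in find_hollowing(parse_events(SAMPLE_LINES)):
        print(f"hollowing candidate: {f['parent']} -> {f['child']} ({f['child_image']}), "
              f"{f['writes']} writes, {f['set_thread_context']} SetThreadContext, "
              f"known host={f['known_host']}")
```

On the report's data this yields exactly one pair, 1504 -> 848 (RegAsm.exe); the thirteen schtasks.exe children drop out because they are written to but never have their context replaced.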
Processes
level 1: C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3595580527a7739a0a96f70bd805d1e89b77c6bfd239a17b6e63ba604885dfe9.exe"
  PID: 1504
  - Modifies WinLogon for persistence
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 848
    RegAsm.exe is started with no assembly to register, so it has no legitimate work to do; combined with the writes and SetThreadContext from PID 1504 it is the hollowed host for the real payload.

  level 2: C:\Windows\SysWOW64\schtasks.exe (67 children of PID 1504, all with the identical command line)
    command line: C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f
    - Creates scheduled task(s) (tagged on 64 of the 67; PIDs 1044, 1644 and 2740 carry no tag)
    PIDs, in the order the report lists them: 1044, 2016, 1976, 888, 1180, 556, 1896, 1288, 1648, 1644, 1940, 1668, 584, 300, 1500, 664, 572, 1560, 2036, 1488, 1036, 768, 1352, 1920, 316, 628, 2056, 2088, 2120, 2152, 2184, 2216, 2248, 2280, 2312, 2344, 2376, 2408, 2440, 2472, 2504, 2548, 2576, 2604, 2644, 2676, 2708, 2740, 2948, 2988, 3020, 2384, 2512, 2660, 2756, 3004, 1904, 2568, 1896, 924, 2656, 3104, 3132, 3160, 3184, 3252, 3276
    PID 1896 appears twice because Windows reused it. The task fires every minute (/sc minute /mo 1), runs the dropped copy from %APPDATA%\Windows, and /f silently overwrites any existing task of the same name, so the sample re-creates it in a loop as a watchdog. The SysWOW64 path shows the 32-bit sample running under WOW64, consistent with the arch:x86 resource tag.
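The process tree above is dominated by one schtasks.exe command line repeated 67 times. The following is an added example, not part of the sandbox report, that parses schtasks /create command lines, extracts the schedule, task name and action, and scores the features that make this one stand out: a one-minute interval, an action under AppData, a task named after an executable, /f, and the same task being re-created over and over. The first sample command line is copied from the report (repeated three times to mirror the loop); the two benign lines, the five-minute threshold, the path markers and the task-name heuristic are this example's own assumptions.

```python
"""Triage schtasks.exe command lines such as the 67 identical /create calls in
the process tree above.

Added example for this report, not part of the sandbox output. The first sample
command line is the one the report shows, repeated to mirror the loop; the other
two are made up. Thresholds and heuristics here are this example's assumptions.
"""
import re
from collections import Counter

TOKEN_RE = re.compile(r'"[^"]*"|\S+')           # keep quoted paths as one token
# schtasks switches that take no argument (subset relevant to /create triage)
NO_VALUE = {"/create", "/change", "/run", "/end", "/delete", "/query",
            "/f", "/z", "/np", "/it", "/v1"}
UNIT_MINUTES = {"minute": 1, "hourly": 60, "daily": 1440}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
MAX_BENIGN_INTERVAL = 5   # minutes; anything tighter is watchdog-style persistence


def parse_schtasks(cmdline: str) -> dict:
    """Split a schtasks command line into {switch: value-or-True}."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    opts = {"image": tokens[0]}
    i = 1
    while i < len(tokens):
        tok = tokens[i].lower()
        if not tok.startswith("/"):
            i += 1
            continue
        takes_value = (tok not in NO_VALUE and i + 1 < len(tokens)
                       and not tokens[i + 1].startswith("/"))
        opts[tok] = tokens[i + 1] if takes_value else True
        i += 2 if takes_value else 1
    return opts


def interval_minutes(opts: dict):
    """Run interval in minutes for minute/hourly/daily schedules, else None."""
    unit = UNIT_MINUTES.get(str(opts.get("/sc", "")).lower())
    if unit is None:
        return None
    return unit * int(opts.get("/mo", 1))      # /mo defaults to 1


def triage(cmdline: str) -> dict:
    """Score one command line; only /create calls get reasons."""
    opts = parse_schtasks(cmdline)
    task = str(opts.get("/tn", ""))
    created = bool(opts.get("/create"))
    mins = interval_minutes(opts) if created else None
    reasons = []
    if created:
        if mins is not None and mins <= MAX_BENIGN_INTERVAL:
            reasons.append(f"runs every {mins} minute(s)")
        if any(marker in str(opts.get("/tr", "")).lower() for marker in USER_WRITABLE):
            reasons.append("action lives in a user-writable directory")
        if task.lower().endswith(".exe"):
            reasons.append("task name is an executable name (heuristic)")
        if opts.get("/f"):
            reasons.append("/f silently replaces an existing task of that name")
    return {"task": task, "action": opts.get("/tr"), "created": created,
            "interval_minutes": mins, "reasons": reasons}


def repeated_creations(cmdlines: list[str], threshold: int = 3) -> dict[str, int]:
    """Task names /create'd at least `threshold` times in the input."""
    counts = Counter(t["task"] for t in map(triage, cmdlines) if t["created"] and t["task"])
    return {name: n for name, n in counts.items() if n >= threshold}


# Constructed samples: the report's line three times, then two benign lines.
SAMPLE_CMDS = [
    r'C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr112.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr112.exe" /f',
] * 3 + [
    r'C:\Windows\System32\schtasks.exe /create /sc daily /st 03:00 /tn "Backup\Nightly" /tr "C:\Program Files\Backup\backup.exe --full"',
    r'C:\Windows\System32\schtasks.exe /query /tn "Backup\Nightly"',
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDS:
        t = triage(cmd)
        print(f"{t['task'] or '(no /tn)'}: {'; '.join(t['reasons']) or 'nothing notable'}")
    print("re-created tasks:", repeated_creations(SAMPLE_CMDS))
```

Run against process-creation telemetry, the per-line reasons separate the sample's task from ordinary maintenance jobs, and repeated_creations surfaces the loop behaviour even if a single creation had looked plausible.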