28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18

General

Target

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
Size

1.1MB
MD5

44657060c3b9aa17540d648ceebbbb5d
SHA1

23701f8f47348d54cfacfe1c879122f4a267a198
SHA256

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18
SHA512

8d3eafc2ffb604899c1de8b597fb13885a34376e835daf698b0ac6c5be32263c8f4d8c1c29b75fa06a2cf196fe378b606d0222f21a853345b786bff480dbe967
SSDEEP

24576:Ltb20pkECqT5TBWgNQ7a5zSphZJQriY6A:I3g5tQ7a5z0hZSf5

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe,explorer.exe"	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1032 netsh.exe

pid	process
1032	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1172	schtasks.exe
2344	schtasks.exe
2384	schtasks.exe
696	schtasks.exe
2268	schtasks.exe
1548	schtasks.exe
1324	schtasks.exe
1940	schtasks.exe
268	schtasks.exe
1348	schtasks.exe
1520	schtasks.exe
1168	schtasks.exe
2144	schtasks.exe
2796	schtasks.exe
1140	schtasks.exe

NTFS ADS 1 IoCs

Processes:

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe:Zone.Identifier:$DATA	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

pid	process
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

pid	process
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

pid	process
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1300 wrote to memory of 1032	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	netsh.exe
PID 1300 wrote to memory of 1032	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	netsh.exe
PID 1300 wrote to memory of 1032	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	netsh.exe
PID 1300 wrote to memory of 1032	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	netsh.exe
PID 1300 wrote to memory of 596	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 596	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 596	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 596	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 1140	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 1140	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 1140	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 1140	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 1592	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 1592	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 1592	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 1592	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 696	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 696	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 696	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 696	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1592 wrote to memory of 1748	1592	cmd.exe	at.exe
PID 1592 wrote to memory of 1748	1592	cmd.exe	at.exe
PID 1592 wrote to memory of 1748	1592	cmd.exe	at.exe
PID 1592 wrote to memory of 1748	1592	cmd.exe	at.exe
PID 596 wrote to memory of 848	596	cmd.exe	at.exe
PID 596 wrote to memory of 848	596	cmd.exe	at.exe
PID 596 wrote to memory of 848	596	cmd.exe	at.exe
PID 596 wrote to memory of 848	596	cmd.exe	at.exe
PID 1300 wrote to memory of 964	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 964	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 964	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 964	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 1940	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 1940	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 1940	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 1940	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 964 wrote to memory of 1120	964	cmd.exe	at.exe
PID 964 wrote to memory of 1120	964	cmd.exe	at.exe
PID 964 wrote to memory of 1120	964	cmd.exe	at.exe
PID 964 wrote to memory of 1120	964	cmd.exe	at.exe
PID 1300 wrote to memory of 1828	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 1828	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 1828	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 1828	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 1548	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 1548	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 1548	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 1548	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1828 wrote to memory of 1224	1828	cmd.exe	at.exe
PID 1828 wrote to memory of 1224	1828	cmd.exe	at.exe
PID 1828 wrote to memory of 1224	1828	cmd.exe	at.exe
PID 1828 wrote to memory of 1224	1828	cmd.exe	at.exe
PID 1300 wrote to memory of 840	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 840	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 840	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 840	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	cmd.exe
PID 1300 wrote to memory of 1172	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 1172	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 1172	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 1300 wrote to memory of 1172	1300	28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe	schtasks.exe
PID 840 wrote to memory of 956	840	cmd.exe	at.exe
PID 840 wrote to memory of 956	840	cmd.exe	at.exe
PID 840 wrote to memory of 956	840	cmd.exe	at.exe
PID 840 wrote to memory of 956	840	cmd.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe
"C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:848

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:1748

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:1120

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:17 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:1224

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:956

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:916

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:1620

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:1616

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:544

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:836

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:524

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:1892

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:1920

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:972

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:2104

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:2132

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:2192

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:2256

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:2776

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:2332

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:2808

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:2372

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:18 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:2760

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c AT \\127.0.0.1 19:19 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
2⤵
PID:2716

C:\Windows\SysWOW64\at.exe
AT \\127.0.0.1 19:19 "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe"
3⤵
PID:2864

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /tr "C:\Users\Admin\AppData\Local\Temp\28fd5eba31a5186480c31dc8938b3a4fe2678325ee5141fff3bc6bfd3226cf18.exe" /f
2⤵
- Creates scheduled task(s)
PID:2796

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-78-0x0000000000000000-mapping.dmp

Download
memory/524-90-0x0000000000000000-mapping.dmp

Download
memory/544-83-0x0000000000000000-mapping.dmp

Download
memory/596-57-0x0000000000000000-mapping.dmp

Download
memory/696-60-0x0000000000000000-mapping.dmp

Download
memory/836-85-0x0000000000000000-mapping.dmp

Download
memory/840-73-0x0000000000000000-mapping.dmp

Download
memory/848-62-0x0000000000000000-mapping.dmp

Download
memory/916-77-0x0000000000000000-mapping.dmp

Download
memory/956-75-0x0000000000000000-mapping.dmp

Download
memory/964-65-0x0000000000000000-mapping.dmp

Download
memory/972-89-0x0000000000000000-mapping.dmp

Download
memory/1032-55-0x0000000000000000-mapping.dmp

Download
memory/1120-67-0x0000000000000000-mapping.dmp

Download
memory/1140-58-0x0000000000000000-mapping.dmp

Download
memory/1168-92-0x0000000000000000-mapping.dmp

Download
memory/1172-74-0x0000000000000000-mapping.dmp

Download
memory/1224-71-0x0000000000000000-mapping.dmp

Download
memory/1300-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1324-88-0x0000000000000000-mapping.dmp

Download
memory/1348-82-0x0000000000000000-mapping.dmp

Download
memory/1520-86-0x0000000000000000-mapping.dmp

Download
memory/1548-70-0x0000000000000000-mapping.dmp

Download
memory/1592-59-0x0000000000000000-mapping.dmp

Download
memory/1616-81-0x0000000000000000-mapping.dmp

Download
memory/1620-79-0x0000000000000000-mapping.dmp

Download
memory/1748-61-0x0000000000000000-mapping.dmp

Download
memory/1828-69-0x0000000000000000-mapping.dmp

Download
memory/1892-87-0x0000000000000000-mapping.dmp

Download
memory/1920-91-0x0000000000000000-mapping.dmp

Download
memory/1940-66-0x0000000000000000-mapping.dmp

Download
memory/2104-95-0x0000000000000000-mapping.dmp

Download
memory/2132-97-0x0000000000000000-mapping.dmp

Download
memory/2144-98-0x0000000000000000-mapping.dmp

Download
memory/2192-99-0x0000000000000000-mapping.dmp

Download
memory/2256-101-0x0000000000000000-mapping.dmp

Download
memory/2268-102-0x0000000000000000-mapping.dmp

Download
memory/2332-103-0x0000000000000000-mapping.dmp

Download
memory/2344-104-0x0000000000000000-mapping.dmp

Download
memory/2372-105-0x0000000000000000-mapping.dmp

Download
memory/2384-106-0x0000000000000000-mapping.dmp

Download
memory/2716-107-0x0000000000000000-mapping.dmp

Download
memory/2760-108-0x0000000000000000-mapping.dmp

Download
memory/2776-109-0x0000000000000000-mapping.dmp

Download
memory/2796-110-0x0000000000000000-mapping.dmp

Download
memory/2808-113-0x0000000000000000-mapping.dmp

Download
memory/2864-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads