Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
25-03-2024 08:50
General
-
Target
dd9a2edf17f5be8c871b7391a6739f89.exe
-
Size
967KB
-
MD5
dd9a2edf17f5be8c871b7391a6739f89
-
SHA1
cebd20ebdc923133ca26babec4375aa859e0c09b
-
SHA256
216f78a4be6357c2990ff1db5c359457d140ff27e71e9dcb374d119046e053f7
-
SHA512
e273d6f46beede6ab43523b49b1db3461374e17952e89bef451c1cd46ed9a8d7b894b19b3d4f28bf345f198f71fc54dc625151573c1e83bfca52a51545252f2f
-
SSDEEP
24576:hNxsglIPAtgV+rnEQBg2AdqgwGd9OCPltP0gxkR3dCqJO5VxQ75SY1:J7uKrnEQi2Ad/wQPLP0gx1qt5SY1
Malware Config
Signatures
-
PlagueBot
PlagueBot is an open source Bot written in Pascal.
-
PlagueBot Executable 2 IoCs
-
Checks computer location settings 2 TTPs 53 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 55 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 53 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd9a2edf17f5be8c871b7391a6739f89.exe"C:\Users\Admin\AppData\Local\Temp\dd9a2edf17f5be8c871b7391a6739f89.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"8⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait8⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"9⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait9⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"10⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait10⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"11⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait11⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"12⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait12⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"13⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait13⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"14⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"14⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait14⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"15⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait15⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"16⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait16⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"17⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait17⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"18⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"18⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait18⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"19⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait19⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"20⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"20⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait20⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"21⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"21⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait21⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"22⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait22⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"23⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait23⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"24⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"24⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait24⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"25⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"25⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait25⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"26⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"26⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait26⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exeC:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait6⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait7⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"8⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait8⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"9⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait9⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"10⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait10⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"11⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait11⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"12⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait12⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"13⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait13⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"14⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"14⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait14⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"15⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait15⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"16⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait16⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"17⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait17⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"18⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"18⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait18⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"19⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait19⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"20⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"20⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait20⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exeC:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe1⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait6⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait7⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"8⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait8⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"9⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait9⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"10⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Query /FO "LIST" /TN "WinManager"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe"C:\Users\Admin\AppData\Local\Temp\Plague\winmgr.exe" /wait10⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ce1abde750fec35c5fa5d1461c03f87
SHA15ed3fe68ce7231f52ba477b214c1d05f409224be
SHA256f646b9e402fc6ae2a9283797e2e449d9ce1e64dbbc0463ad7fb2627aa491b58d
SHA51281703d6c3aa90849b910ac549185edfd9c0b5a2f8e140bf2edb9e303f407885de37443b4e8464f0ef37f178342e02b76d859e7173eb57697820b3d556cdabf96
-
Filesize
1KB
MD58822b243d31a8643b4747b127d01afe1
SHA1982acee88f85d5e8b4d53de0a31745de6b6e742a
SHA256ec227ef0b479bdc9aee152eabf88793346077f62811390bd70fd2096ab28c072
SHA5125ac0888c857db60984b857b3b0debca4c6f981d21e6a4e3ab5ae491d6d6ee438291b34454777516e32f6ffa84aab6bf40ab03a69a0b37b860b792ef6ba699db1
-
Filesize
1KB
MD55238bf4ca68f5edf438d588ec5569ef9
SHA15715715b08eeb9d6d767c6d1a3864c0ef98a7fdb
SHA256db04798cef1ca48a7559eb7b05bf09f4abb442aeee58d0226d31a2338d462d56
SHA512d05858eeb16bdf891b7b99a602541bca6ca2050725cc049ba7248d268540fb9440b66907f49d89f6f924de12e4f8b1b39b434667349e2b08d6a994bee3e51af4
-
Filesize
1KB
MD5cf819ab7cf05cd4d87a2dbb4a83e07d0
SHA1e8dcfa9dc44bd7e34864bfac1c355edbd00a3856
SHA25694545d6efb11d211a88b96311f847eaa85e9f4dfa7a830a05d9f79fc5bc9f7ea
SHA5124d70c72955957dcce0cbb31289af1182fbe5534131aaba7f5c5040bce16cfbb5909b510c6bb8f3a3142dc455856570457825dd12eccf0a758fdb5663a001408a
-
Filesize
1KB
MD53706d6a565ae41318cf8334f94996c41
SHA1c16f37d83b4a3e99281b2519006bbcdc2c527302
SHA256a61b0301950751b7ba1c7fe37cc39f12d9bdd786171d1e5960653d0508769645
SHA5125fb6372a2584b5cd5612595ffaf2d16925b06cdbbbe61390b5aab92ad366f51008107244e1efc9e026ef1177a66876655c90769d782e539102fb523f51a9a703
-
Filesize
1KB
MD524355b8f7764a360fc05cf35304f1e5c
SHA16c638077256f2b8c56c221fa307aa26408b16f7b
SHA256da581f662ba00e101cb12f809d89c8ea3fb6eba2076b5fc0f608853ae995e749
SHA512afdffa193e6cb3234959b77356ea1569583dfa08c2174ac284438834b5a1c55a29b7bbfaa6705ba71982e2218041ee0af2f8d7d68a8213b0a1675d84d452ad62
-
Filesize
1KB
MD52721c23d88caba1c0ced696663f57fec
SHA153b1f6cd1fc332362c0ce109619deb27851ab5b6
SHA256f83547e1a0725aff40d173b7d96a724f6f1bd9341820f50fb0d840b17a069403
SHA5124a4f4007e824a6e31bf96f90aebf4b4b5c93b07eb47f7ab96f72872a125dead7614e29bcad2ae69435c08a7ba70046ba2ed0f5247f4bd3a59416a7ab8c727ab2
-
Filesize
1KB
MD59ba97d15f1b45f2304a199aa51c6d01d
SHA19ca697f6f0281593bff47f99972f691ac4a876f7
SHA256039302b4e1d0db52a3627e590abe5f4991f57e21a59ed739780d54cb160e4cab
SHA512c54a96bfd04620fb22b6ebfafc7efa9ad0f74b9019a2988c1699e04171fd0d07263353f530505ec461695b3063126d6dadf1f0d5510cc831dd947327133f4245
-
Filesize
1KB
MD5d8db74296a8da5ee6250033d9922674d
SHA1c5fd4ac104cc3510db5c8237fe59870f939ab1b4
SHA2569cc5a28f56e014f8f5df1b8125e5d81e8b24ba3ee16593c4b3b53cf69aede1de
SHA512bb838a7330e6f4c41dc478d589c21be6d3be3d6daf33b57ca68f2121495a7518e21188f2a17cd2769f5ce2a372ebb287b89ce9744f0e953287f439ca62a08c81
-
Filesize
1KB
MD56cee1216b03bf11f3215969b0197f8db
SHA110aacb877aeb0dd4328ebd26dedad9af1246a1ce
SHA2568c56ba5f6843fe36bf6b918f82fdbca411728d1e88fc5d8501109eec628e842a
SHA512d5defbf111b8eb4bed04cd8bb6afd90c7c5ef6e08cb0b068646a2714f2ef979d406638dbcb7a41550211f9d7dee9f336aa227dd0dabe016cab401872b7411313
-
Filesize
1KB
MD52e0a127bf1c538a6f1af27e7864cecb0
SHA16173a5b686afb51a525345136f82aeb57b5da11b
SHA25669556fd0a3b2bc48d6a6f995cf3224314fea8069967c3821576aa10bdf0beea4
SHA512a6f4e3a1cd4b7092dc152c94548f0715503e9967cf87db10c42ea2261e18cd1329afa1b93952c2404cdfa7a083a64fa3a6c48be4168efd44c9d27c03ea0780b1
-
Filesize
1KB
MD5d41980ea626e85f916125fb6eef2191f
SHA1887e31bd8e54b1ea29622a0d67fe40303f91c977
SHA25634f17298690041ff56a9e89836d5a619f908d281cc3f81dd1ddd26770e7c3010
SHA512232eab5016db0a02e27ea47d2d5203138501ecbed7afb91665a4d70cafd605a009ff2e829a918faa0870647b6fe8fe48366bff9b912ce7c6be9a7bcd5048d6b2
-
Filesize
1KB
MD55f172fe0e5ddf1623206660b4b68c321
SHA1f8524ba962b428a41fd91fe8925ba092bd5d8918
SHA2561e23bc6b0b9c738599aeb166d98c14cda577f52e38a292fcd59bce244a4a9fa2
SHA512c8f7fc045137977869a0e5385f977f2ad81c25d1a2119818b87c038eb544bcf2b8d0c545ef0d78dafb5faeab9a0fb5c860828cde288d634aca4363502a22e8d0
-
Filesize
1KB
MD5d8e218b50fb49858a19a900d7d256e70
SHA17f58a84b22b6dbcce0e793dbba5ec9a34fce99f5
SHA2565db2116df6ee42b811b93561a9489c298a391de6708bd52b5c44285c046d5a3f
SHA5121f36b07cbdf31254b858edd89a5d2e8a7a1f46defc6e586422811d64097f1f23660bd65b56727e190bff9a913b95e7af243eb2ffa8dc1115aaad6ba280a7359e
-
Filesize
1KB
MD5121d2cd2070968b84fa474f55eef7d82
SHA1b78621f20a316ab9c722179c1c08c1cbffec1cb1
SHA25645f7536513413de1a99e6fc669b5d0a2b865f7cac92dc6f71627207e64e6aab4
SHA512c28ae89e1122a7f6577718cd23b3bb38fb6755318684af745afe9a8ac0c4b2be398ce5de518d849754afb78a713a6bd33fd1f1a5a5661baa8bc13a9fd8a978d8
-
Filesize
1KB
MD5d44e790869b9db6d95f1da2c60ade2de
SHA1e0c365ee8ba47b9c47dbee44c9ceb58f6b5ff51d
SHA256945a077e47c4d1fc3c729901d9619a99eefe3584c6ecd51ef914ecee02b30f3e
SHA512f2a3a565d8e6d3378cb3d4e31b944fa3674f0d6fd8d54da5cb9e64d2117a7b27084ffccbb4fee1f5d3f34685e99811ee6c967b7852e453b8cdce71d02d4699d5
-
Filesize
1KB
MD521ec2f96c031610d1cda26109d92d5cb
SHA16bb278390bb06cbe2c298a69efedf27449f77188
SHA2561452827082cfa3755710bae70aa4fe571e3546c51f09ec38584277ed1b307deb
SHA5122ed30d6890674076816a3b6ea285e13d573e20d621611761b8ee85d807439e2cc2195e9b28e8d473df1c28716d92d7c63f65e626ceb7238053bfbd61950ee420
-
Filesize
1KB
MD577f0b29f90d0c8d09c8d9c36b461faf0
SHA181b59e0d1ec2098c39f66f290d1c04f4bfef66e4
SHA2565bb767ede3dcd14ed787fe71d7048101e478b1236243f8b102bce947d65c6b3a
SHA51261990e59abe796148e7e503cc19191572d12491e8d8f793d6d95f195906eab572c8b2184df3e036996c3347207b64f8746b9e0b1d7e855b2e491146d763cec73
-
Filesize
1KB
MD5aeceff850d2e4c8440f2b8645ee521da
SHA1bf8c44aeebbbd923b40130f133a09efbc96a600a
SHA2560560cd502ce538e4e498d3033da51423a9d30394d432d89c1551646a5856a631
SHA51204de26517ec82d0ca37b0e8c1916394d3222133e001b93ae8c912fb625f685a1464c6fe056b4629f5d5c04e596dd9469f5184596c27946c0d9a717adbcd51646
-
Filesize
1KB
MD5bec7d6a98896e3e0cc3d1d4aeb4b1145
SHA1870ed6240caa98b05f0422717d25dd6cf7e0b9c1
SHA256f5ab23d1cf1b322c0748637410db3d46e6ef75756afeb826a374e0abe6a019a7
SHA512b0b6d7a8ae3a38ec842a1c8520bca4ecb69693d1a4b1adfaa9518f3238b5cb7d063296a36a334118b9a8d7b1a739a02a807be38f7bb9caac8bfbaa60007f7305
-
Filesize
1KB
MD568770431d3dd85a585f96d159350b6ff
SHA10f3d06531ef061b3544383a244841e72aaea66cd
SHA256ef79b14bd8131842e818549a5b191bafc4a1a95498670a399de2a4be6c17750c
SHA512992cbcfdc450a0145dae9c7a9414232474c67c8e838ccd52f9b4ed3b45194b580f2a21632b27d941ea96383eecd17ba8ba60ead536ec8bc492862a5fc749b432
-
Filesize
1KB
MD57f2046d70bbf5c89899875ac9ffc6123
SHA10991ef84744449733229d95d970abab405ea2610
SHA25668a7b8237a54aa050ff683e2f2e845a6fb199e15d7e7f0fc8d9bd7872e67ccb8
SHA512f3c41d7d16127eef8f342d84e5156feb814c058b30f462eaa00ac41ffd0eda29f01e94a483b739ef42e9c0b9dad7e749a055e225875729b54d0c36fccf2bc9e1
-
Filesize
1KB
MD51def712ae9047673022a13fc94413435
SHA14a810ef84adcea2f1a5f52b5e895c0dab3ba0acc
SHA25605b8a4119d45a6f1683586b57603d97af7d92585a39e1cd4310b809171b33c49
SHA5127befad2d386384261f16463dde5f7a1c3edb9beeebede0d00a75694adf217528869ac6f8658d5a3fcd7bb2f0df01180396f1a18c0695eb865933318f2e57fd60
-
Filesize
1KB
MD5e12cff8bcb2b4961215013acea9afeb2
SHA1164880db04dbb902b18678e42ae70dadbad12996
SHA256c23adbe70377c3278c412147e312e3e702df5a39a796edc36a47c6d3781453fb
SHA512a41dc9c885dc9d7833aa4087b36edb56824c5279f0c4d23e57de314fd46fd5e9f25d4f006e28c98563503f77a0fd9575741f7a0e2d6e4d88b2ba3bc2981fa037
-
Filesize
1KB
MD533bb4d9f6ba1a2117785107296a9b961
SHA120a206c4f4df8824e2e69c65f9ab4f1fbbda15e5
SHA2568fdb9fb92263e027c9133b3d8165323d5df77cc68298483404d9bcbc30a2fa66
SHA51222f4d8bdcb52d5475a266d8211cfbdc2b270475d26fb5d8d617fb2a53afc4adb580e77b5aaf67e009439599b8d78ddd8c32466072178357cc2470ed800cdcbb8
-
Filesize
1KB
MD5a9a23ee333d778d4ee2e7f213969de99
SHA184154a87856def190cba46142b0571e7c74bd87a
SHA256affaccd3018ad514bcdb250b4e8bdc10693bf434d7b6c11a0fdf24bcbf26f9d8
SHA512fce95f0e6a642947ce72bbfb16009776754d0f16109eda3ac1e9c0e2869b514770eae8be9da239fb99505ae32b11c00416a67e6b5423dd25ca6c8f6cb8b6eef4
-
Filesize
1KB
MD58f3235cf0cc86f8aab9bb0323ab4472f
SHA1d81a0efbcfca5a81cac12fb6847f766bc1a0c712
SHA256eb4e474b15b260efc02e97d8331df6ce7892ca3f1a2dbdba141ee7b56011e77e
SHA512a1c3d5fe9a94c9f41ad33e049751a891338f8a93a0e6d50875e0fd05997f403399c23e14d7dd341b6403f329318cb175f9bc1b9a8b5e8591b41d654dbb3d328c
-
Filesize
1KB
MD51ce7f077ab02f068fc68077b32fb372a
SHA1d2edaa28644d8f16b948a7db6019a86f794e32e4
SHA256499b8b5b95d1c885da2ca7b634b43e11597dc25a7f26eee288745e02a5b7a40c
SHA51274137a625100d5a0a0738f940d926af4bb2a17182607709a5604254d456db524792b6713102fb93cf1378045e2fefdc3ec2d5bfb8afe96b9ee5aeed34362cc2f
-
Filesize
1KB
MD5a48ba37d50ee79bd924c756089d79db6
SHA1f51cbc8027c57f83c10441f7d32efd8971cb7bfd
SHA256c46c6a5d56a7b603659659870e438951140a3bbb44fd2d1a319674b29cad6bac
SHA5123a8c2f815a94572a5063b90cb98937f2609fa4d76c07abd5754bd009adf83621b7fdb8f4547809fa6b7ca838cdd716656c525187a28d7ab052e571cae77af9b1
-
Filesize
967KB
MD5c01481cc14f98455d7d815b260213893
SHA1c1781719d8d64e3f3c4a755e8f46ca83b9803edf
SHA256266a173350354b2831a2cf32849e664421c5ed2c2bf0b0254e6aea690dcbeadf
SHA5127954ef5c54c68e3904888f9ea0928e44640ba0c2f2b1f21f775993b114104fbe5b85f76a0aa80469e131d9cafadcfbb820a443124484c7caeb8ee48557b9b6b5
-
Filesize
967KB
MD5dd9a2edf17f5be8c871b7391a6739f89
SHA1cebd20ebdc923133ca26babec4375aa859e0c09b
SHA256216f78a4be6357c2990ff1db5c359457d140ff27e71e9dcb374d119046e053f7
SHA512e273d6f46beede6ab43523b49b1db3461374e17952e89bef451c1cd46ed9a8d7b894b19b3d4f28bf345f198f71fc54dc625151573c1e83bfca52a51545252f2f