Analysis
- max time kernel: 149s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/05/2024, 11:14

Static task: static1

Behavioral task: behavioral1
- Sample: cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe
- Size: 2.6MB
- MD5: cf280305bfeb9c9d4c0d6f479ad12840
- SHA1: 7b6b2ae638196065cf6bf87ab59710ef9ade42f5
- SHA256: d7d771d27ed3aeeced41548568292535d6c9d06fb1ce557fcbea21233880a653
- SHA512: 65edeca3f63b6d40ee1eae8728809a557580e0b57463bf15f824e4bb7ef121d74b4e2a975e6f555cd6e55925d2b03fed75ce6a1639fbc035e931bbcd90d73cec
- SSDEEP: 24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4e7:ObCjPKNqQEfsw43qtmVfq40
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.mail.me.com
- Port: 587
- Username: [email protected]
- Password: RICHARD205lord
Signatures

Executes dropped EXE (3 IoCs)
pid | Process
1584 | jhdfkldfhndfkjdfnbfklfnf.exe
3620 | winmgr119.exe
3260 | winmgr119.exe

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

UPX yara rule matches (8 IoCs)
resource | yara_rule
behavioral2/memory/3248-15-0x0000000000400000-0x000000000048E000-memory.dmp | upx
behavioral2/memory/3248-16-0x0000000000400000-0x000000000048E000-memory.dmp | upx
behavioral2/memory/3248-17-0x0000000000400000-0x000000000048E000-memory.dmp | upx
behavioral2/memory/3248-22-0x0000000000400000-0x000000000048E000-memory.dmp | upx
behavioral2/memory/2492-26-0x0000000000400000-0x0000000000491000-memory.dmp | upx
behavioral2/memory/2492-30-0x0000000000400000-0x0000000000491000-memory.dmp | upx
behavioral2/memory/2492-28-0x0000000000400000-0x0000000000491000-memory.dmp | upx
behavioral2/memory/2492-27-0x0000000000400000-0x0000000000491000-memory.dmp | upx

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | cvtres.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" | jhdfkldfhndfkjdfnbfklfnf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" | cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
21 | ipinfo.io
19 | icanhazip.com

AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x0009000000022990-3.dat | autoit_exe
behavioral2/files/0x0005000000022ac0-44.dat | autoit_exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1584 set thread context of 1856 | 1584 | jhdfkldfhndfkjdfnbfklfnf.exe | 88
PID 1856 set thread context of 3248 | 1856 | RegAsm.exe | 91
PID 1856 set thread context of 2492 | 1856 | RegAsm.exe | 93
PID 1856 set thread context of 1988 | 1856 | RegAsm.exe | 95

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 25 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
25 instances of schtasks.exe with PIDs 5096, 384, 3976, 1612, 2720, 1996, 4432, 4376, 1340, 1740, 552, 1628, 3348, 1560, 1176, 4588, 4976, 1524, 3688, 4332, 1656, 2320, 4476, 2824, 2440

NTFS ADS (4 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe:Zone.Identifier:$DATA | cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe
File created | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA | jhdfkldfhndfkjdfnbfklfnf.exe
File created | C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA | winmgr119.exe
File opened for modification | C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA | winmgr119.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
64 repeated events, all from the following four processes:
pid | Process
2692 | cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe
1584 | jhdfkldfhndfkjdfnbfklfnf.exe
1856 | RegAsm.exe
3620 | winmgr119.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1856 | RegAsm.exe
Token: SeDebugPrivilege | 3248 | cvtres.exe
Token: SeDebugPrivilege | 2492 | cvtres.exe
Token: SeDebugPrivilege | 1988 | cvtres.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1856 | RegAsm.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows are collapsed; the last column gives the number of times each row occurs (64 in total).
description | pid | Process | procid_target | events
PID 2692 wrote to memory of 1584 | 2692 | cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe | 87 | 3
PID 1584 wrote to memory of 1856 | 1584 | jhdfkldfhndfkjdfnbfklfnf.exe | 88 | 5
PID 1584 wrote to memory of 1176 | 1584 | jhdfkldfhndfkjdfnbfklfnf.exe | 89 | 3
PID 1856 wrote to memory of 3248 | 1856 | RegAsm.exe | 91 | 7
PID 1856 wrote to memory of 2492 | 1856 | RegAsm.exe | 93 | 7
PID 1856 wrote to memory of 1988 | 1856 | RegAsm.exe | 95 | 6
PID 1584 wrote to memory of 1996 | 1584 | jhdfkldfhndfkjdfnbfklfnf.exe | 99 | 3
PID 1584 wrote to memory of 4588 | 1584 | jhdfkldfhndfkjdfnbfklfnf.exe | 102 | 3
PID 1584 wrote to memory of 4476 | 1584 | jhdfkldfhndfkjdfnbfklfnf.exe | 104 | 3
PID 1584 wrote to memory of 4332 | 1584 | jhdfkldfhndfkjdfnbfklfnf.exe | 106 | 3
PID 1584 wrote to memory of 1656 | 1584 | jhdfkldfhndfkjdfnbfklfnf.exe | 109 | 3
PID 1584 wrote to memory of 2824 | 1584 | jhdfkldfhndfkjdfnbfklfnf.exe | 111 | 3
PID 1584 wrote to memory of 4976 | 1584 | jhdfkldfhndfkjdfnbfklfnf.exe | 113 | 3
PID 1584 wrote to memory of 2720 | 1584 | jhdfkldfhndfkjdfnbfklfnf.exe | 115 | 3
PID 1584 wrote to memory of 1524 | 1584 | jhdfkldfhndfkjdfnbfklfnf.exe | 117 | 3
PID 1584 wrote to memory of 1340 | 1584 | jhdfkldfhndfkjdfnbfklfnf.exe | 119 | 3
PID 1584 wrote to memory of 5096 | 1584 | jhdfkldfhndfkjdfnbfklfnf.exe | 121 | 3
Processes
Process tree; indentation shows parent/child nesting. Identical schtasks.exe children are collapsed into one entry listing all PIDs.

C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe"
PID: 2692
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

  C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
  Command line: C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
  PID: 1584
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: 0
    PID: 1856
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpAA98.tmp"
      PID: 3248
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpAD58.tmp"
      PID: 2492
      - Accesses Microsoft Outlook accounts
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpADB7.tmp"
      PID: 1988
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe (25 instances)
    Command line: C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    PIDs: 1176, 1996, 4588, 4476, 4332, 1656, 2824, 4976, 2720, 1524, 1340, 5096, 552, 1628, 2440, 3976, 1612, 3348, 4432, 2320, 4376, 384, 3688, 1560, 1740
    - Creates scheduled task(s)

C:\ProgramData\winmgr119.exe
Command line: C:\ProgramData\winmgr119.exe
PID: 3620
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses

C:\ProgramData\winmgr119.exe
Command line: C:\ProgramData\winmgr119.exe
PID: 3260
- Executes dropped EXE
- NTFS ADS
Network
MITRE ATT&CK Enterprise v15