Analysis
- max time kernel: 145s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/05/2024, 17:52

Tasks
- Static task: static1
- Behavioral task behavioral1: Sample 11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe, Resource win7-20240221-en
- Behavioral task behavioral2: Sample 11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe, Resource win10v2004-20240508-en

General
- Target: 11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe
- Size: 2.6MB
- MD5: 11d5d0e3b01a9af1db9a5f9e653b2ef0
- SHA1: bb533f397c8fbe7f61f58d162f875d78b74034af
- SHA256: aaa6e04bbbc7b6df02648da93524a190bd796dc17b2160a5e10a94b24b7d8e5d
- SHA512: 20c6621d184db520bba367815fc90480cc2e2bcd5143704c37ec7abb2d2c7c412d6b546aafed92878cac25b2cb3c9238a35a1268706666825491c81e1466fc70
- SSDEEP: 24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4ei:ObCjPKNqQEfsw43qtmVfq4/
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.mail.me.com
- Port: 587
- Username: [email protected]
- Password: RICHARD205lord
Signatures

Executes dropped EXE (2 IoCs)
- PID 4536: jhdfkldfhndfkjdfnbfklfnf.exe
- PID 4244: winmgr119.exe

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Memory dumps matching yara rule upx (8 IoCs)
- behavioral2/memory/3048-15-0x0000000000400000-0x000000000048E000-memory.dmp
- behavioral2/memory/3048-17-0x0000000000400000-0x000000000048E000-memory.dmp
- behavioral2/memory/3048-16-0x0000000000400000-0x000000000048E000-memory.dmp
- behavioral2/memory/3048-24-0x0000000000400000-0x000000000048E000-memory.dmp
- behavioral2/memory/4052-27-0x0000000000400000-0x0000000000491000-memory.dmp
- behavioral2/memory/4052-28-0x0000000000400000-0x0000000000491000-memory.dmp
- behavioral2/memory/4052-29-0x0000000000400000-0x0000000000491000-memory.dmp
- behavioral2/memory/4052-31-0x0000000000400000-0x0000000000491000-memory.dmp

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
- Key opened by cvtres.exe: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) by 11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"
- Set value (str) by jhdfkldfhndfkjdfnbfklfnf.exe: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 30: icanhazip.com
- flow 32: ipinfo.io

AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral2/files/0x0007000000023430-3.dat (yara rule autoit_exe)
- behavioral2/files/0x0011000000023431-49.dat (yara rule autoit_exe)

Suspicious use of SetThreadContext (4 IoCs)
- PID 4536 (jhdfkldfhndfkjdfnbfklfnf.exe) set thread context of 512 (procid_target 93)
- PID 512 (RegAsm.exe) set thread context of 3048 (procid_target 96)
- PID 512 (RegAsm.exe) set thread context of 4052 (procid_target 98)
- PID 512 (RegAsm.exe) set thread context of 3724 (procid_target 100)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 25 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- schtasks.exe PIDs: 428, 4392, 4632, 3996, 4860, 1860, 1372, 932, 872, 4420, 2400, 64, 2096, 208, 2804, 4788, 2096, 1864, 4500, 452, 4056, 3512, 1612, 1780, 2060

NTFS ADS (3 IoCs)
- File created by 11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe: C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe:Zone.Identifier:$DATA
- File created by jhdfkldfhndfkjdfnbfklfnf.exe: C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA
- File created by winmgr119.exe: C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 512 RegAsm.exe
- Token: SeDebugPrivilege, PID 3048 cvtres.exe
- Token: SeDebugPrivilege, PID 4052 cvtres.exe
- Token: SeDebugPrivilege, PID 3724 cvtres.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 512 RegAsm.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe (PID 3640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe"
  Signatures: Adds Run key to start application; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe (PID 4536)
    Command line: C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 512)
      Command line: 0
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 3048)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpB9BB.tmp"
        Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4052)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpBC9A.tmp"
        Signatures: Accesses Microsoft Outlook accounts; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 3724)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpBD47.tmp"
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe (25 instances, all with the same command line)
      Command line: C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
      Signatures: Creates scheduled task(s)
      PIDs (in tree order): 2060, 208, 452, 4420, 3512, 4788, 2400, 1612, 2804, 428, 2096, 64, 4392, 1864, 4500, 4860, 1780, 4056, 1860, 2096, 3996, 1372, 932, 4632, 872
- C:\ProgramData\winmgr119.exe (PID 4244)
  Command line: C:\ProgramData\winmgr119.exe
  Signatures: Executes dropped EXE; NTFS ADS; Suspicious behavior: EnumeratesProcesses