e2cadb0766cf2fc20a527c917f4475388ef3fbd73b8e0c6d071b695afbb1dba3

Resubmissions

04-07-2024 17:22

240704-vxyavazeql 10

04-07-2024 17:19

240704-vv7rhazenr 10

Analysis

max time kernel
303s
max time network
322s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe
Size

2.6MB
MD5

41637d74a16e50cafe6cb72974a1cf5c
SHA1

95b4811b5736d7cfba9c71936ecd300ac01336a2
SHA256

9699dda8767ce5afbe2f0130b816b99cb3a35eb6654ab08af65c4c48d95a60c0
SHA512

e6506e549d00cfcbc08e0625b22f3cfe4cd906b5a3750a45cc452918d8494909064534a796f9ff16ea892b6f45224fa50891709c81efc1a33ebe2ca1f0067885
SSDEEP

24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4ea:ObCjPKNqQEfsw43qtmVfq4r

Score

10^/10

collection discovery persistence spyware stealer upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.me.com
Port:
587
Username:
[email protected]
Password:
RICHARD205lord

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2484	jhdfkldfhndfkjdfnbfklfnf.exe
1464	winmgr119.exe
1176	winmgr119.exe
2164	winmgr119.exe
1740	winmgr119.exe

Loads dropped DLL 1 IoCs

pid	Process
2556	[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral24/memory/560-23-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral24/memory/560-24-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral24/memory/560-22-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral24/memory/1696-33-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral24/memory/1696-35-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral24/memory/1696-34-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral24/memory/560-29-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral24/memory/1696-71-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral24/memory/2656-112-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral24/memory/428-121-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	jhdfkldfhndfkjdfnbfklfnf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	icanhazip.com
4	ipinfo.io
15	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral24/files/0x0023000000015c68-2.dat	autoit_exe
behavioral24/files/0x000400000000f6e4-9.dat	autoit_exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 2492	2484	jhdfkldfhndfkjdfnbfklfnf.exe	31
PID 2492 set thread context of 560	2492	RegAsm.exe	34
PID 2492 set thread context of 1696	2492	RegAsm.exe	37
PID 2492 set thread context of 2300	2492	RegAsm.exe	41
PID 2484 set thread context of 1396	2484	jhdfkldfhndfkjdfnbfklfnf.exe	92
PID 1396 set thread context of 2656	1396	RegAsm.exe	95
PID 1396 set thread context of 428	1396	RegAsm.exe	97
PID 1396 set thread context of 1072	1396	RegAsm.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe
File opened for modification	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe
File opened for modification	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe
File created	C:\Users\Admin\AppData\Local\Temp\[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe:Zone.Identifier:$DATA	[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe
File created	C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA	jhdfkldfhndfkjdfnbfklfnf.exe
File created	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2668	schtasks.exe
2868	schtasks.exe
2220	schtasks.exe
1620	schtasks.exe
800	schtasks.exe
1812	schtasks.exe
2136	schtasks.exe
804	schtasks.exe
2620	schtasks.exe
1664	schtasks.exe
1496	schtasks.exe
1924	schtasks.exe
2408	schtasks.exe
1672	schtasks.exe
2308	schtasks.exe
2668	schtasks.exe
2416	schtasks.exe
1524	schtasks.exe
1820	schtasks.exe
1084	schtasks.exe
900	schtasks.exe
2784	schtasks.exe
2640	schtasks.exe
2828	schtasks.exe
1156	schtasks.exe
1180	schtasks.exe
1340	schtasks.exe
1180	schtasks.exe
3000	schtasks.exe
1988	schtasks.exe
848	schtasks.exe
1076	schtasks.exe
2792	schtasks.exe
1340	schtasks.exe
820	schtasks.exe
1604	schtasks.exe
960	schtasks.exe
1200	schtasks.exe
2452	schtasks.exe
1892	schtasks.exe
2740	schtasks.exe
1360	schtasks.exe
1100	schtasks.exe
2196	schtasks.exe
984	schtasks.exe
1088	schtasks.exe
648	schtasks.exe
2380	schtasks.exe
2504	schtasks.exe
764	schtasks.exe
1440	schtasks.exe
2564	schtasks.exe
1968	schtasks.exe
2520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2492	RegAsm.exe
2492	RegAsm.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
1464	winmgr119.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
1176	winmgr119.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe
2484	jhdfkldfhndfkjdfnbfklfnf.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	RegAsm.exe
Token: SeDebugPrivilege	560	cvtres.exe
Token: SeDebugPrivilege	1696	cvtres.exe
Token: SeDebugPrivilege	2300	cvtres.exe
Token: SeDebugPrivilege	1396	RegAsm.exe
Token: SeDebugPrivilege	2656	cvtres.exe
Token: SeDebugPrivilege	428	cvtres.exe
Token: SeDebugPrivilege	1072	cvtres.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2492	RegAsm.exe
1396	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2484	2556	[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe	30
PID 2556 wrote to memory of 2484	2556	[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe	30
PID 2556 wrote to memory of 2484	2556	[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe	30
PID 2556 wrote to memory of 2484	2556	[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe	30
PID 2484 wrote to memory of 2492	2484	jhdfkldfhndfkjdfnbfklfnf.exe	31
PID 2484 wrote to memory of 2492	2484	jhdfkldfhndfkjdfnbfklfnf.exe	31
PID 2484 wrote to memory of 2492	2484	jhdfkldfhndfkjdfnbfklfnf.exe	31
PID 2484 wrote to memory of 2492	2484	jhdfkldfhndfkjdfnbfklfnf.exe	31
PID 2484 wrote to memory of 2492	2484	jhdfkldfhndfkjdfnbfklfnf.exe	31
PID 2484 wrote to memory of 2492	2484	jhdfkldfhndfkjdfnbfklfnf.exe	31
PID 2484 wrote to memory of 2492	2484	jhdfkldfhndfkjdfnbfklfnf.exe	31
PID 2484 wrote to memory of 2492	2484	jhdfkldfhndfkjdfnbfklfnf.exe	31
PID 2484 wrote to memory of 2492	2484	jhdfkldfhndfkjdfnbfklfnf.exe	31
PID 2484 wrote to memory of 3000	2484	jhdfkldfhndfkjdfnbfklfnf.exe	32
PID 2484 wrote to memory of 3000	2484	jhdfkldfhndfkjdfnbfklfnf.exe	32
PID 2484 wrote to memory of 3000	2484	jhdfkldfhndfkjdfnbfklfnf.exe	32
PID 2484 wrote to memory of 3000	2484	jhdfkldfhndfkjdfnbfklfnf.exe	32
PID 2492 wrote to memory of 560	2492	RegAsm.exe	34
PID 2492 wrote to memory of 560	2492	RegAsm.exe	34
PID 2492 wrote to memory of 560	2492	RegAsm.exe	34
PID 2492 wrote to memory of 560	2492	RegAsm.exe	34
PID 2492 wrote to memory of 560	2492	RegAsm.exe	34
PID 2492 wrote to memory of 560	2492	RegAsm.exe	34
PID 2492 wrote to memory of 560	2492	RegAsm.exe	34
PID 2492 wrote to memory of 560	2492	RegAsm.exe	34
PID 2492 wrote to memory of 1696	2492	RegAsm.exe	37
PID 2492 wrote to memory of 1696	2492	RegAsm.exe	37
PID 2492 wrote to memory of 1696	2492	RegAsm.exe	37
PID 2492 wrote to memory of 1696	2492	RegAsm.exe	37
PID 2492 wrote to memory of 1696	2492	RegAsm.exe	37
PID 2492 wrote to memory of 1696	2492	RegAsm.exe	37
PID 2492 wrote to memory of 1696	2492	RegAsm.exe	37
PID 2492 wrote to memory of 1696	2492	RegAsm.exe	37
PID 2484 wrote to memory of 2452	2484	jhdfkldfhndfkjdfnbfklfnf.exe	39
PID 2484 wrote to memory of 2452	2484	jhdfkldfhndfkjdfnbfklfnf.exe	39
PID 2484 wrote to memory of 2452	2484	jhdfkldfhndfkjdfnbfklfnf.exe	39
PID 2484 wrote to memory of 2452	2484	jhdfkldfhndfkjdfnbfklfnf.exe	39
PID 2492 wrote to memory of 2300	2492	RegAsm.exe	41
PID 2492 wrote to memory of 2300	2492	RegAsm.exe	41
PID 2492 wrote to memory of 2300	2492	RegAsm.exe	41
PID 2492 wrote to memory of 2300	2492	RegAsm.exe	41
PID 2492 wrote to memory of 2300	2492	RegAsm.exe	41
PID 2492 wrote to memory of 2300	2492	RegAsm.exe	41
PID 2492 wrote to memory of 2300	2492	RegAsm.exe	41
PID 2484 wrote to memory of 1180	2484	jhdfkldfhndfkjdfnbfklfnf.exe	43
PID 2484 wrote to memory of 1180	2484	jhdfkldfhndfkjdfnbfklfnf.exe	43
PID 2484 wrote to memory of 1180	2484	jhdfkldfhndfkjdfnbfklfnf.exe	43
PID 2484 wrote to memory of 1180	2484	jhdfkldfhndfkjdfnbfklfnf.exe	43
PID 2484 wrote to memory of 2408	2484	jhdfkldfhndfkjdfnbfklfnf.exe	45
PID 2484 wrote to memory of 2408	2484	jhdfkldfhndfkjdfnbfklfnf.exe	45
PID 2484 wrote to memory of 2408	2484	jhdfkldfhndfkjdfnbfklfnf.exe	45
PID 2484 wrote to memory of 2408	2484	jhdfkldfhndfkjdfnbfklfnf.exe	45
PID 2484 wrote to memory of 1892	2484	jhdfkldfhndfkjdfnbfklfnf.exe	47
PID 2484 wrote to memory of 1892	2484	jhdfkldfhndfkjdfnbfklfnf.exe	47
PID 2484 wrote to memory of 1892	2484	jhdfkldfhndfkjdfnbfklfnf.exe	47
PID 2484 wrote to memory of 1892	2484	jhdfkldfhndfkjdfnbfklfnf.exe	47
PID 2484 wrote to memory of 2380	2484	jhdfkldfhndfkjdfnbfklfnf.exe	49
PID 2484 wrote to memory of 2380	2484	jhdfkldfhndfkjdfnbfklfnf.exe	49
PID 2484 wrote to memory of 2380	2484	jhdfkldfhndfkjdfnbfklfnf.exe	49
PID 2484 wrote to memory of 2380	2484	jhdfkldfhndfkjdfnbfklfnf.exe	49
PID 2484 wrote to memory of 804	2484	jhdfkldfhndfkjdfnbfklfnf.exe	51
PID 2484 wrote to memory of 804	2484	jhdfkldfhndfkjdfnbfklfnf.exe	51
PID 2484 wrote to memory of 804	2484	jhdfkldfhndfkjdfnbfklfnf.exe	51
PID 2484 wrote to memory of 804	2484	jhdfkldfhndfkjdfnbfklfnf.exe	51

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2556
- C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
  C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    0
    3⤵
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp26F1.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:560
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp27DC.tmp"
      4⤵
      Accesses Microsoft Outlook accounts
      Suspicious use of AdjustPrivilegeToken
      PID:1696
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp3BF2.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2300
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3000
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2452
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1180
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2408
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1892
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2380
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:804
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1672
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:984
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2220
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2308
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1988
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1524
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2196
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1620
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1820
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2620
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2504
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2740
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2668
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:960
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1664
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2792
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2416
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1340
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    0
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1396
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp117E.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2656
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp121B.tmp"
      4⤵
      Accesses Microsoft Outlook accounts
      Suspicious use of AdjustPrivilegeToken
      PID:428
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp12A8.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1072
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:800
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1084
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:848
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:764
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1088
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:648
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1812
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1440
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1076
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:900
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2136
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2868
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1360
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1200
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2784
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2640
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2564
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2668
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1100
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2828
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1496
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1968
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1340
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2520
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:820
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1156
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1180
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1604
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1924

C:\Windows\system32\taskeng.exe
taskeng.exe {09BD9272-4CF6-4CD5-AC43-0FCA2F0CEA50} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
1⤵
PID:2096
- C:\ProgramData\winmgr119.exe
  C:\ProgramData\winmgr119.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- C:\ProgramData\winmgr119.exe
  C:\ProgramData\winmgr119.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1176
- C:\ProgramData\winmgr119.exe
  C:\ProgramData\winmgr119.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:2164
- C:\ProgramData\winmgr119.exe
  C:\ProgramData\winmgr119.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\khaxFMfI\009276b996b04917a9a60a951037d8a6

Filesize
16B

MD5
0beb14a2172f2c4694f4c4f35ece06fd

SHA1
82a1227f342ce51561608fa826929298f9d7c760

SHA256
65cf08a2ab4467d5769d643b330f36e3b383a865bc8f8994c6c83cbd848f4ab5

SHA512
cc07805a8e9e73dc8f324b1c7eb62dbe99f5ed7fc213690d58c41c1a5d798fd0076069984698307072a7d558f11d95f8bfb92cc62c9eb46a6a4c4869fc8f2e1c

Download Submit
C:\ProgramData\khaxFMfI\189d625f98324bab87032800e1e7f084

Filesize
8B

MD5
f6e914e126ff5db1378713ded0629f32

SHA1
e6948977b8fd45b5eef392b695eb554f8c516c24

SHA256
6c0cb9ba604c0ab4a89485d5aaf9c39e6cefaf2e0f586b7840738aa3fb5398d0

SHA512
34810def00363b40cf60a1252a1274ba501a2e61501137b2ddf01ded624546c11474ffd2a750bfd7c320e895fe58b2e7b3f00e1ecb1b635e74779a963d1d2594

Download Submit
C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

Filesize
8B

MD5
69dfdcf0208e2e66b8a1b1cc656b3d9a

SHA1
1e16e03ca5bd7d819cbaeaa66100ed82466c5e5f

SHA256
005572aeaf372ea6b98fb6363e272dcee690e32ed355597e34d8204f70c36dcf

SHA512
21fc4b1534d08a2b11fd400aae55dd2940eceeee12cffec713c4dd296520d5d0253fa2b8d3a577ad5014ce2fa89aa6c5806f77696c030a9c0d8c5aad91c2536c

Download Submit
C:\ProgramData\khaxFMfI\47928f366bbf48c9ad07f8d6a7670eaf

Filesize
88B

MD5
066fd33911bacfa53173ec9694d38337

SHA1
224dc019bae9e6614e9ccfe7471e971345db99e9

SHA256
37a619fe6f9811b3ba7973546e2c3b6a8f628e19c49a73eeaaaa06b9a36a87d9

SHA512
bdb3ebccb4f9669f42cc35322ed39f8a2b185a185b7e150496ddeee5e04bcd56bab351114123e111810a39bc1ea22ca8b99e2638a770301cbf4435d58f3dda26

Download Submit
C:\ProgramData\winmgr119.exe

Filesize
2.6MB

MD5
95e835b467f0091b3686c08df79152e8

SHA1
5a85b7459b1cd86c63c6d431612567b9e43da0d8

SHA256
ad041bf96736918cc7559840c1170e63ee9eb3a94f38d7895f28c55a22442862

SHA512
d21e2d9bba3643c3b8403dec844557738a78c912cce249ea6bd18a18804c97c9be3dac7d9ef34b06ed78c2c34ec521b8da5a405857886c327977a99cd7274e81

Download Submit
C:\ProgramData\winmgr119.exe:Zone.Identifier

Filesize
24B

MD5
6c72a5fcdb3c81dcc440e3616f704c5d

SHA1
6198b674ca75562852ea27ebb0f36249c6d0fbb6

SHA256
ccc0133d8f43d3021eb667f86ae939f7f8ec83e727b8334f9e0facccd6d01063

SHA512
5b549f5a550e9b8857643c0d223c591e8b59f43a4899a5d7a8f045d5df00e165d8cd1faead61b8f57c3f846c360e8852c9be8b28a9b5d51ffe9a40b4837d5aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2FAC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar300D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp26F1.tmp

Filesize
399B

MD5
e4bf4f7accc657622fe419c0d62419ab

SHA1
c2856936dd3de05bad0da5ca94d6b521e40ab5a2

SHA256
b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e

SHA512
85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp27DC.tmp

Filesize
400B

MD5
de4e5ff058882957cf8a3b5f839a031f

SHA1
0b3d8279120fb5fa27efbd9eee89695aa040fc24

SHA256
ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

SHA512
a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3BF2.tmp

Filesize
391B

MD5
3525ea58bba48993ea0d01b65ea71381

SHA1
1b917678fdd969e5ee5916e5899e7c75a979cf4d

SHA256
681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2

SHA512
5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

Download Submit
\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

Filesize
2.6MB

MD5
0a5ade9b605a7d24f0cc96c2e4eb7c19

SHA1
a50a2626d62482fc2b495cdfa7fc32f94f2d1242

SHA256
f196a72c34f93d2fa94eb85c23e11d8048ba62c5cda5348f8bca78118f97871c

SHA512
15e1449a8698bbfaa93fa9520cc1114941952f7c623b182de4669b389501bd43c138c1a7e8999b4a2728d9a2856dd360e72ca5c868d85abf042a598446bd109f

Download Submit
memory/428-121-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/560-24-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/560-29-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/560-22-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/560-23-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1072-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1396-96-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1396-98-0x00000000001B0000-0x000000000027A000-memory.dmp

Filesize
808KB

Download
memory/1396-97-0x00000000001B0000-0x000000000027A000-memory.dmp

Filesize
808KB

Download
memory/1396-99-0x00000000001B0000-0x000000000027A000-memory.dmp

Filesize
808KB

Download
memory/1696-35-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1696-33-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1696-34-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1696-71-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2300-76-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2300-75-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2300-78-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2492-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2492-82-0x0000000074172000-0x0000000074174000-memory.dmp

Filesize
8KB

Download
memory/2492-13-0x0000000000090000-0x000000000015A000-memory.dmp

Filesize
808KB

Download
memory/2492-18-0x0000000074172000-0x0000000074174000-memory.dmp

Filesize
8KB

Download
memory/2492-16-0x0000000000090000-0x000000000015A000-memory.dmp

Filesize
808KB

Download
memory/2492-17-0x0000000000090000-0x000000000015A000-memory.dmp

Filesize
808KB

Download
memory/2492-10-0x0000000000090000-0x000000000015A000-memory.dmp

Filesize
808KB

Download
memory/2656-112-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download