e2cadb0766cf2fc20a527c917f4475388ef3fbd73b8e0c6d071b695afbb1dba3

Resubmissions

04-07-2024 17:22

240704-vxyavazeql 10

04-07-2024 17:19

240704-vv7rhazenr 10

Analysis

max time kernel
298s
max time network
253s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe
Size

2.6MB
MD5

4fd60e9aed5ab9ed5326da37806b2502
SHA1

bbffbcbceaf31eff56d803039219dd27582b87cc
SHA256

f3815cc44c53d6a66adf4900df0a52cf3a7bbe2eafeb0f54ff2085b4f8705afe
SHA512

00f1f034c709377f79a2940662064721b0f4e608f88bce3fc6b22296fe6ca2ca1b4cf445b98e3ed9ae269a53915e3d114051a4a26a0ddcce546344d37b946092
SSDEEP

24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4eu:ObCjPKNqQEfsw43qtmVfq4b

Score

10^/10

collection discovery persistence spyware stealer upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.me.com
Port:
587
Username:
[email protected]
Password:
RICHARD205lord

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1884	jhdfkldfhndfkjdfnbfklfnf.exe
476	winmgr119.exe
1516	winmgr119.exe
3036	winmgr119.exe
1868	winmgr119.exe
1548	winmgr119.exe

Loads dropped DLL 1 IoCs

pid	Process
2980	[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral30/memory/2584-22-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral30/memory/2584-24-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral30/memory/2584-23-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral30/memory/2996-35-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral30/memory/2996-36-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral30/memory/2996-34-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral30/memory/2584-31-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral30/memory/2996-77-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral30/memory/2288-129-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral30/memory/2788-136-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	jhdfkldfhndfkjdfnbfklfnf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com
6	ipinfo.io
18	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral30/files/0x000b00000001227d-7.dat	autoit_exe
behavioral30/files/0x00390000000131a5-9.dat	autoit_exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 1884 set thread context of 2664	1884	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 2664 set thread context of 2584	2664	RegAsm.exe	32
PID 2664 set thread context of 2996	2664	RegAsm.exe	35
PID 2664 set thread context of 1672	2664	RegAsm.exe	39
PID 1884 set thread context of 856	1884	jhdfkldfhndfkjdfnbfklfnf.exe	130
PID 856 set thread context of 2288	856	RegAsm.exe	133
PID 856 set thread context of 2788	856	RegAsm.exe	135
PID 856 set thread context of 2576	856	RegAsm.exe	137

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe

NTFS ADS 7 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe
File opened for modification	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe
File created	C:\Users\Admin\AppData\Local\Temp\[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe:Zone.Identifier:$DATA	[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe
File created	C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA	jhdfkldfhndfkjdfnbfklfnf.exe
File created	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe
File opened for modification	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe
File opened for modification	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2792	schtasks.exe
1252	schtasks.exe
2440	schtasks.exe
2904	schtasks.exe
2076	schtasks.exe
2212	schtasks.exe
1640	schtasks.exe
1132	schtasks.exe
832	schtasks.exe
340	schtasks.exe
2948	schtasks.exe
2620	schtasks.exe
1776	schtasks.exe
2428	schtasks.exe
1048	schtasks.exe
2824	schtasks.exe
1800	schtasks.exe
1716	schtasks.exe
1784	schtasks.exe
1576	schtasks.exe
2900	schtasks.exe
1096	schtasks.exe
1316	schtasks.exe
2816	schtasks.exe
2560	schtasks.exe
2272	schtasks.exe
3036	schtasks.exe
2116	schtasks.exe
1356	schtasks.exe
1632	schtasks.exe
2608	schtasks.exe
836	schtasks.exe
2928	schtasks.exe
2884	schtasks.exe
2264	schtasks.exe
1484	schtasks.exe
1300	schtasks.exe
2192	schtasks.exe
1660	schtasks.exe
2980	schtasks.exe
2720	schtasks.exe
856	schtasks.exe
2368	schtasks.exe
556	schtasks.exe
1204	schtasks.exe
1560	schtasks.exe
1636	schtasks.exe
1736	schtasks.exe
1152	schtasks.exe
2500	schtasks.exe
2680	schtasks.exe
1792	schtasks.exe
2484	schtasks.exe
2504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2980	[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
2664	RegAsm.exe
2664	RegAsm.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
476	winmgr119.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
1516	winmgr119.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
2664	RegAsm.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe
1884	jhdfkldfhndfkjdfnbfklfnf.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	RegAsm.exe
Token: SeDebugPrivilege	2584	cvtres.exe
Token: SeDebugPrivilege	2996	cvtres.exe
Token: SeDebugPrivilege	1672	cvtres.exe
Token: SeDebugPrivilege	856	RegAsm.exe
Token: SeDebugPrivilege	2288	cvtres.exe
Token: SeDebugPrivilege	2788	cvtres.exe
Token: SeDebugPrivilege	2576	cvtres.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2664	RegAsm.exe
856	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1884	2980	[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe	28
PID 2980 wrote to memory of 1884	2980	[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe	28
PID 2980 wrote to memory of 1884	2980	[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe	28
PID 2980 wrote to memory of 1884	2980	[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe	28
PID 1884 wrote to memory of 2664	1884	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 1884 wrote to memory of 2664	1884	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 1884 wrote to memory of 2664	1884	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 1884 wrote to memory of 2664	1884	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 1884 wrote to memory of 2664	1884	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 1884 wrote to memory of 2664	1884	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 1884 wrote to memory of 2664	1884	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 1884 wrote to memory of 2664	1884	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 1884 wrote to memory of 2664	1884	jhdfkldfhndfkjdfnbfklfnf.exe	29
PID 1884 wrote to memory of 2680	1884	jhdfkldfhndfkjdfnbfklfnf.exe	30
PID 1884 wrote to memory of 2680	1884	jhdfkldfhndfkjdfnbfklfnf.exe	30
PID 1884 wrote to memory of 2680	1884	jhdfkldfhndfkjdfnbfklfnf.exe	30
PID 1884 wrote to memory of 2680	1884	jhdfkldfhndfkjdfnbfklfnf.exe	30
PID 2664 wrote to memory of 2584	2664	RegAsm.exe	32
PID 2664 wrote to memory of 2584	2664	RegAsm.exe	32
PID 2664 wrote to memory of 2584	2664	RegAsm.exe	32
PID 2664 wrote to memory of 2584	2664	RegAsm.exe	32
PID 2664 wrote to memory of 2584	2664	RegAsm.exe	32
PID 2664 wrote to memory of 2584	2664	RegAsm.exe	32
PID 2664 wrote to memory of 2584	2664	RegAsm.exe	32
PID 2664 wrote to memory of 2584	2664	RegAsm.exe	32
PID 2664 wrote to memory of 2996	2664	RegAsm.exe	35
PID 2664 wrote to memory of 2996	2664	RegAsm.exe	35
PID 2664 wrote to memory of 2996	2664	RegAsm.exe	35
PID 2664 wrote to memory of 2996	2664	RegAsm.exe	35
PID 2664 wrote to memory of 2996	2664	RegAsm.exe	35
PID 2664 wrote to memory of 2996	2664	RegAsm.exe	35
PID 2664 wrote to memory of 2996	2664	RegAsm.exe	35
PID 2664 wrote to memory of 2996	2664	RegAsm.exe	35
PID 1884 wrote to memory of 2816	1884	jhdfkldfhndfkjdfnbfklfnf.exe	37
PID 1884 wrote to memory of 2816	1884	jhdfkldfhndfkjdfnbfklfnf.exe	37
PID 1884 wrote to memory of 2816	1884	jhdfkldfhndfkjdfnbfklfnf.exe	37
PID 1884 wrote to memory of 2816	1884	jhdfkldfhndfkjdfnbfklfnf.exe	37
PID 2664 wrote to memory of 1672	2664	RegAsm.exe	39
PID 2664 wrote to memory of 1672	2664	RegAsm.exe	39
PID 2664 wrote to memory of 1672	2664	RegAsm.exe	39
PID 2664 wrote to memory of 1672	2664	RegAsm.exe	39
PID 2664 wrote to memory of 1672	2664	RegAsm.exe	39
PID 2664 wrote to memory of 1672	2664	RegAsm.exe	39
PID 2664 wrote to memory of 1672	2664	RegAsm.exe	39
PID 1884 wrote to memory of 1560	1884	jhdfkldfhndfkjdfnbfklfnf.exe	41
PID 1884 wrote to memory of 1560	1884	jhdfkldfhndfkjdfnbfklfnf.exe	41
PID 1884 wrote to memory of 1560	1884	jhdfkldfhndfkjdfnbfklfnf.exe	41
PID 1884 wrote to memory of 1560	1884	jhdfkldfhndfkjdfnbfklfnf.exe	41
PID 1884 wrote to memory of 2076	1884	jhdfkldfhndfkjdfnbfklfnf.exe	43
PID 1884 wrote to memory of 2076	1884	jhdfkldfhndfkjdfnbfklfnf.exe	43
PID 1884 wrote to memory of 2076	1884	jhdfkldfhndfkjdfnbfklfnf.exe	43
PID 1884 wrote to memory of 2076	1884	jhdfkldfhndfkjdfnbfklfnf.exe	43
PID 2296 wrote to memory of 476	2296	taskeng.exe	48
PID 2296 wrote to memory of 476	2296	taskeng.exe	48
PID 2296 wrote to memory of 476	2296	taskeng.exe	48
PID 2296 wrote to memory of 476	2296	taskeng.exe	48
PID 1884 wrote to memory of 1484	1884	jhdfkldfhndfkjdfnbfklfnf.exe	49
PID 1884 wrote to memory of 1484	1884	jhdfkldfhndfkjdfnbfklfnf.exe	49
PID 1884 wrote to memory of 1484	1884	jhdfkldfhndfkjdfnbfklfnf.exe	49
PID 1884 wrote to memory of 1484	1884	jhdfkldfhndfkjdfnbfklfnf.exe	49
PID 1884 wrote to memory of 1800	1884	jhdfkldfhndfkjdfnbfklfnf.exe	51
PID 1884 wrote to memory of 1800	1884	jhdfkldfhndfkjdfnbfklfnf.exe	51
PID 1884 wrote to memory of 1800	1884	jhdfkldfhndfkjdfnbfklfnf.exe	51
PID 1884 wrote to memory of 1800	1884	jhdfkldfhndfkjdfnbfklfnf.exe	51

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2980
- C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
  C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    0
    3⤵
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpA41C.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpA47A.tmp"
      4⤵
      Accesses Microsoft Outlook accounts
      Suspicious use of AdjustPrivilegeToken
      PID:2996
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpB871.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1672
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2680
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2816
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1560
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2076
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1484
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1800
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:832
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1716
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1784
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1636
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2504
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1356
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:836
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1736
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:856
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1576
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2792
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2980
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2720
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2928
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1792
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2620
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2884
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2900
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1640
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2608
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1152
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2368
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1632
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2484
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2500
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1096
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:556
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2948
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1300
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2264
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1132
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1204
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1776
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1252
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2440
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2428
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2212
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    0
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:856
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpEEE1.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2288
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpF049.tmp"
      4⤵
      Accesses Microsoft Outlook accounts
      Suspicious use of AdjustPrivilegeToken
      PID:2788
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpF0B7.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2576
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2192
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2272
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2560
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:340
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1048
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1660
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1316
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2904
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2824
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3036
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2116

C:\Windows\system32\taskeng.exe
taskeng.exe {EE69F93E-CF00-461C-B9CF-75D63ECF4401} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2296
- C:\ProgramData\winmgr119.exe
  C:\ProgramData\winmgr119.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:476
- C:\ProgramData\winmgr119.exe
  C:\ProgramData\winmgr119.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1516
- C:\ProgramData\winmgr119.exe
  C:\ProgramData\winmgr119.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:3036
- C:\ProgramData\winmgr119.exe
  C:\ProgramData\winmgr119.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:1868
- C:\ProgramData\winmgr119.exe
  C:\ProgramData\winmgr119.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

Filesize
2.6MB

MD5
c35029c265492e0d331baba3396be27e

SHA1
1fdcc2df6028355b05a290eb511cabe250e8d62d

SHA256
9193df5d456368956f054cb4f98f963130b2cc04bf5b06a4dcc299c94d5c8a45

SHA512
da5ba0725f8e87131effeffff1de6cc866a4198fef1da2225de2b44e7b534f6cdefd4778b11baf9cdefc92bfca6abdf7e13d950e179a0111147e50a7dd064312

Download Submit
C:\ProgramData\khaxFMfI\009276b996b04917a9a60a951037d8a6

Filesize
16B

MD5
8a2d81b20f72c27e6f8f340ea038491c

SHA1
dbd23baff0216e65daf7768ef934ecb9cf49e91a

SHA256
97a210e6f89d0feb9fad9aaf86f97a6c24a34585ec6a76052e60a70d54e19763

SHA512
cfc5a3895b470d436f8a0854f6217de92c2fcdd0c87ab39592e6b3aa025a411bf0d8851d65483fb694bb2e4d99a686c1e15c5dc21c49f80a7f5b0691ae94bbfd

Download Submit
C:\ProgramData\khaxFMfI\189d625f98324bab87032800e1e7f084

Filesize
8B

MD5
4d2afd10efb39d7f0d01578ead5348c2

SHA1
d238c4303043546df6e102609371bdc61fad0e06

SHA256
89f6b8efcc415a13c4ec6bcac33caaa888aa004f969210ca97ba8ec52d997fb8

SHA512
39bf8347a94ddb91e5336fe8a1d34ee2171c1dd5abbb95f68facc2b2162e3ced6a27ab09891c5b7db49312167c32533d357c85c359873558c9a4caba4b75fb5b

Download Submit
C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

Filesize
8B

MD5
1a1d59cffd808aa7959f3b6e05223c8a

SHA1
369c16cb0b18de635d9c5c52ed57137e9264041b

SHA256
858bae83117b1bd74442d5e1dbe06e13253d2b532de548f7650a6b8eac94c41a

SHA512
11d536b31b5e2f1ad098a011c9572302ace73e5899f382e9c8e1fe742807184d0539def96b7911355e7deb564a6059d5f11992ac6f6da2ee51d80200536723dd

Download Submit
C:\ProgramData\khaxFMfI\47928f366bbf48c9ad07f8d6a7670eaf

Filesize
88B

MD5
ea05f1377a6cc4061876c7baee6bb1e6

SHA1
5645cf5ec60035dd0beb023b71975bbcbce26d90

SHA256
55c80df6c98df0d5faab4ec3b3876a55de7cafd7e4d4801cf9b2930feed0e58c

SHA512
464a3d6a9fffe9715f89629f7363dbe08df6c67ad838beef8f20edbb96e99b3b339fa94c48634820e45cf787a795fa504a4c169a198f0b3cef05232943a5250c

Download Submit
C:\ProgramData\winmgr119.exe

Filesize
2.6MB

MD5
66ffc4798b9a77599762599179017ca1

SHA1
0565eb53a03f2328dbf63b835aea30cc8c140aa7

SHA256
feb4e121b32691f44e920c7df19e03b0529a08dff6d58dfbe5c2712597f3eda8

SHA512
60bbd5a071df67b859bb44725d1ebd4749a4fe14f97afbf7f8a6470f21cac1f15e126dd4d3359e127cd4cb7e9487b314654ff8d7ad8f04a30b4a304a45826202

Download Submit
C:\ProgramData\winmgr119.exe:Zone.Identifier

Filesize
24B

MD5
6c72a5fcdb3c81dcc440e3616f704c5d

SHA1
6198b674ca75562852ea27ebb0f36249c6d0fbb6

SHA256
ccc0133d8f43d3021eb667f86ae939f7f8ec83e727b8334f9e0facccd6d01063

SHA512
5b549f5a550e9b8857643c0d223c591e8b59f43a4899a5d7a8f045d5df00e165d8cd1faead61b8f57c3f846c360e8852c9be8b28a9b5d51ffe9a40b4837d5aef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAAE8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA41C.tmp

Filesize
399B

MD5
e4bf4f7accc657622fe419c0d62419ab

SHA1
c2856936dd3de05bad0da5ca94d6b521e40ab5a2

SHA256
b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e

SHA512
85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA47A.tmp

Filesize
400B

MD5
de4e5ff058882957cf8a3b5f839a031f

SHA1
0b3d8279120fb5fa27efbd9eee89695aa040fc24

SHA256
ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

SHA512
a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB871.tmp

Filesize
391B

MD5
3525ea58bba48993ea0d01b65ea71381

SHA1
1b917678fdd969e5ee5916e5899e7c75a979cf4d

SHA256
681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2

SHA512
5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

Download Submit
memory/856-115-0x00000000001F0000-0x00000000002BA000-memory.dmp

Filesize
808KB

Download
memory/856-116-0x00000000001F0000-0x00000000002BA000-memory.dmp

Filesize
808KB

Download
memory/856-114-0x00000000001F0000-0x00000000002BA000-memory.dmp

Filesize
808KB

Download
memory/1672-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-83-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2288-129-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2576-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2584-22-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2584-24-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2584-23-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2584-31-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2664-18-0x0000000073F92000-0x0000000073F94000-memory.dmp

Filesize
8KB

Download
memory/2664-89-0x0000000073F92000-0x0000000073F94000-memory.dmp

Filesize
8KB

Download
memory/2664-10-0x00000000002A0000-0x000000000036A000-memory.dmp

Filesize
808KB

Download
memory/2664-15-0x00000000002A0000-0x000000000036A000-memory.dmp

Filesize
808KB

Download
memory/2664-17-0x00000000002A0000-0x000000000036A000-memory.dmp

Filesize
808KB

Download
memory/2664-13-0x00000000002A0000-0x000000000036A000-memory.dmp

Filesize
808KB

Download
memory/2664-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2788-136-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2996-35-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2996-77-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2996-36-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2996-34-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download