c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96

Analysis

max time kernel
116s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96N.exe
Size

2.6MB
MD5

f1b9dec32ca1a2cf3a8e82f763f819c0
SHA1

44d2caf5d1d7740ede5395c0a71bc354654a001a
SHA256

c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96
SHA512

e9147651abd5924cec89c22efd2ed1dee69f607374a3b8b0f11d140e6e7e0e1441e3babeb248d670ec83361e4dd5be90c18102e64db6af58d98b7491751ecad3
SSDEEP

24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4e+:ObCjPKNqQEfsw43qtmVfq4F

Score

10^/10

collection credential_access defense_evasion discovery persistence spyware stealer upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.me.com
Port:
587
Username:
[email protected]
Password:
RICHARD205lord

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 1 IoCs

pid	Process
976	jhdfkldfhndfkjdfnbfklfnf.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1760-15-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/1760-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/1760-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/1760-24-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4516-27-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4516-28-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4516-29-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4516-31-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	jhdfkldfhndfkjdfnbfklfnf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	icanhazip.com
24	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023456-3.dat	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 976 set thread context of 1096	976	jhdfkldfhndfkjdfnbfklfnf.exe	90
PID 1096 set thread context of 1760	1096	RegAsm.exe	93
PID 1096 set thread context of 4516	1096	RegAsm.exe	95
PID 1096 set thread context of 4692	1096	RegAsm.exe	97

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96N.exe:Zone.Identifier:$DATA	c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96N.exe
File created	C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA	jhdfkldfhndfkjdfnbfklfnf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhdfkldfhndfkjdfnbfklfnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96N.exe:Zone.Identifier:$DATA	c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96N.exe
File created	C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA	jhdfkldfhndfkjdfnbfklfnf.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4700	schtasks.exe
3684	schtasks.exe
1504	schtasks.exe
4840	schtasks.exe
4848	schtasks.exe
3352	schtasks.exe
5004	schtasks.exe
3096	schtasks.exe
2736	schtasks.exe
3860	schtasks.exe
4864	schtasks.exe
2120	schtasks.exe
3500	schtasks.exe
4248	schtasks.exe
4204	schtasks.exe
2896	schtasks.exe
4032	schtasks.exe
3440	schtasks.exe
3444	schtasks.exe
3284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1964	c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96N.exe
1964	c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96N.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
1096	RegAsm.exe
1096	RegAsm.exe
1096	RegAsm.exe
1096	RegAsm.exe
1096	RegAsm.exe
1096	RegAsm.exe
1096	RegAsm.exe
1096	RegAsm.exe
1096	RegAsm.exe
1096	RegAsm.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe
976	jhdfkldfhndfkjdfnbfklfnf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	RegAsm.exe
Token: SeDebugPrivilege	1760	cvtres.exe
Token: SeDebugPrivilege	4516	cvtres.exe
Token: SeDebugPrivilege	4692	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1096	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 976	1964	c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96N.exe	87
PID 1964 wrote to memory of 976	1964	c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96N.exe	87
PID 1964 wrote to memory of 976	1964	c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96N.exe	87
PID 976 wrote to memory of 1096	976	jhdfkldfhndfkjdfnbfklfnf.exe	90
PID 976 wrote to memory of 1096	976	jhdfkldfhndfkjdfnbfklfnf.exe	90
PID 976 wrote to memory of 1096	976	jhdfkldfhndfkjdfnbfklfnf.exe	90
PID 976 wrote to memory of 1096	976	jhdfkldfhndfkjdfnbfklfnf.exe	90
PID 976 wrote to memory of 1096	976	jhdfkldfhndfkjdfnbfklfnf.exe	90
PID 976 wrote to memory of 4204	976	jhdfkldfhndfkjdfnbfklfnf.exe	91
PID 976 wrote to memory of 4204	976	jhdfkldfhndfkjdfnbfklfnf.exe	91
PID 976 wrote to memory of 4204	976	jhdfkldfhndfkjdfnbfklfnf.exe	91
PID 1096 wrote to memory of 1760	1096	RegAsm.exe	93
PID 1096 wrote to memory of 1760	1096	RegAsm.exe	93
PID 1096 wrote to memory of 1760	1096	RegAsm.exe	93
PID 1096 wrote to memory of 1760	1096	RegAsm.exe	93
PID 1096 wrote to memory of 1760	1096	RegAsm.exe	93
PID 1096 wrote to memory of 1760	1096	RegAsm.exe	93
PID 1096 wrote to memory of 1760	1096	RegAsm.exe	93
PID 1096 wrote to memory of 4516	1096	RegAsm.exe	95
PID 1096 wrote to memory of 4516	1096	RegAsm.exe	95
PID 1096 wrote to memory of 4516	1096	RegAsm.exe	95
PID 1096 wrote to memory of 4516	1096	RegAsm.exe	95
PID 1096 wrote to memory of 4516	1096	RegAsm.exe	95
PID 1096 wrote to memory of 4516	1096	RegAsm.exe	95
PID 1096 wrote to memory of 4516	1096	RegAsm.exe	95
PID 1096 wrote to memory of 4692	1096	RegAsm.exe	97
PID 1096 wrote to memory of 4692	1096	RegAsm.exe	97
PID 1096 wrote to memory of 4692	1096	RegAsm.exe	97
PID 1096 wrote to memory of 4692	1096	RegAsm.exe	97
PID 1096 wrote to memory of 4692	1096	RegAsm.exe	97
PID 1096 wrote to memory of 4692	1096	RegAsm.exe	97
PID 976 wrote to memory of 4848	976	jhdfkldfhndfkjdfnbfklfnf.exe	99
PID 976 wrote to memory of 4848	976	jhdfkldfhndfkjdfnbfklfnf.exe	99
PID 976 wrote to memory of 4848	976	jhdfkldfhndfkjdfnbfklfnf.exe	99
PID 976 wrote to memory of 3352	976	jhdfkldfhndfkjdfnbfklfnf.exe	102
PID 976 wrote to memory of 3352	976	jhdfkldfhndfkjdfnbfklfnf.exe	102
PID 976 wrote to memory of 3352	976	jhdfkldfhndfkjdfnbfklfnf.exe	102
PID 976 wrote to memory of 2896	976	jhdfkldfhndfkjdfnbfklfnf.exe	104
PID 976 wrote to memory of 2896	976	jhdfkldfhndfkjdfnbfklfnf.exe	104
PID 976 wrote to memory of 2896	976	jhdfkldfhndfkjdfnbfklfnf.exe	104
PID 976 wrote to memory of 4032	976	jhdfkldfhndfkjdfnbfklfnf.exe	107
PID 976 wrote to memory of 4032	976	jhdfkldfhndfkjdfnbfklfnf.exe	107
PID 976 wrote to memory of 4032	976	jhdfkldfhndfkjdfnbfklfnf.exe	107
PID 976 wrote to memory of 4864	976	jhdfkldfhndfkjdfnbfklfnf.exe	109
PID 976 wrote to memory of 4864	976	jhdfkldfhndfkjdfnbfklfnf.exe	109
PID 976 wrote to memory of 4864	976	jhdfkldfhndfkjdfnbfklfnf.exe	109
PID 976 wrote to memory of 5004	976	jhdfkldfhndfkjdfnbfklfnf.exe	111
PID 976 wrote to memory of 5004	976	jhdfkldfhndfkjdfnbfklfnf.exe	111
PID 976 wrote to memory of 5004	976	jhdfkldfhndfkjdfnbfklfnf.exe	111
PID 976 wrote to memory of 4700	976	jhdfkldfhndfkjdfnbfklfnf.exe	113
PID 976 wrote to memory of 4700	976	jhdfkldfhndfkjdfnbfklfnf.exe	113
PID 976 wrote to memory of 4700	976	jhdfkldfhndfkjdfnbfklfnf.exe	113
PID 976 wrote to memory of 3440	976	jhdfkldfhndfkjdfnbfklfnf.exe	115
PID 976 wrote to memory of 3440	976	jhdfkldfhndfkjdfnbfklfnf.exe	115
PID 976 wrote to memory of 3440	976	jhdfkldfhndfkjdfnbfklfnf.exe	115
PID 976 wrote to memory of 3096	976	jhdfkldfhndfkjdfnbfklfnf.exe	117
PID 976 wrote to memory of 3096	976	jhdfkldfhndfkjdfnbfklfnf.exe	117
PID 976 wrote to memory of 3096	976	jhdfkldfhndfkjdfnbfklfnf.exe	117
PID 976 wrote to memory of 3684	976	jhdfkldfhndfkjdfnbfklfnf.exe	119
PID 976 wrote to memory of 3684	976	jhdfkldfhndfkjdfnbfklfnf.exe	119
PID 976 wrote to memory of 3684	976	jhdfkldfhndfkjdfnbfklfnf.exe	119
PID 976 wrote to memory of 3444	976	jhdfkldfhndfkjdfnbfklfnf.exe	121
PID 976 wrote to memory of 3444	976	jhdfkldfhndfkjdfnbfklfnf.exe	121
PID 976 wrote to memory of 3444	976	jhdfkldfhndfkjdfnbfklfnf.exe	121

C:\Users\Admin\AppData\Local\Temp\c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96N.exe
"C:\Users\Admin\AppData\Local\Temp\c774b844dba3b18a317a0a962b7a27aa64668554ad0d0bb9432f0ddc9c35de96N.exe"
1⤵
- Adds Run key to start application
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964
- C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
  C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    0
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpF30B.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1760
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpF59C.tmp"
      4⤵
      Accesses Microsoft Outlook accounts
      Suspicious use of AdjustPrivilegeToken
      PID:4516
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpF5EB.tmp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4692
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4204
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4848
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3352
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2896
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4032
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4864
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5004
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4700
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3440
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3096
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3684
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3444
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3284
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2736
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1504
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4840
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2120
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3860
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3500
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

Filesize
2.6MB

MD5
be8908633e29b6ff28dfd200e8e92b31

SHA1
a039009384f0d8fac2bf51a3b6ddc8c606339423

SHA256
22af9ccd913f9b3a1d82d8e7aa433af6b27cc0d0954449c48954c3c82e5d8362

SHA512
b3c54a5de6b1e98b57d6ab3fb8bf38f9c7b50d3c7e71726ba6d9e64c6d516918a3722aa963727430284988b4b4e0f36bdede1d07009a91b0da4015f5b0f9cd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF30B.tmp

Filesize
1KB

MD5
b0cc2e6f2d8036c9b5fef218736fa9c9

SHA1
64fd3017625979c95ba09d7cbea201010a82f73f

SHA256
997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50

SHA512
a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF59C.tmp

Filesize
400B

MD5
de4e5ff058882957cf8a3b5f839a031f

SHA1
0b3d8279120fb5fa27efbd9eee89695aa040fc24

SHA256
ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

SHA512
a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF5EB.tmp

Filesize
391B

MD5
3525ea58bba48993ea0d01b65ea71381

SHA1
1b917678fdd969e5ee5916e5899e7c75a979cf4d

SHA256
681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2

SHA512
5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

Download Submit
memory/1096-10-0x0000000073220000-0x00000000737D1000-memory.dmp

Filesize
5.7MB

Download
memory/1096-11-0x0000000073220000-0x00000000737D1000-memory.dmp

Filesize
5.7MB

Download
memory/1096-9-0x0000000073222000-0x0000000073223000-memory.dmp

Filesize
4KB

Download
memory/1096-44-0x0000000073220000-0x00000000737D1000-memory.dmp

Filesize
5.7MB

Download
memory/1096-43-0x0000000073220000-0x00000000737D1000-memory.dmp

Filesize
5.7MB

Download
memory/1096-8-0x0000000000A10000-0x0000000000ADA000-memory.dmp

Filesize
808KB

Download
memory/1096-42-0x0000000073222000-0x0000000073223000-memory.dmp

Filesize
4KB

Download
memory/1760-15-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1760-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1760-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1760-24-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4516-27-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4516-31-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4516-29-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4516-28-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4692-38-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4692-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4692-35-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download