7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238

Analysis

max time kernel
50s
max time network
114s
platform
windows10_x64
resource
win10-20220414-en
resource tags

arch:x64arch:x86image:win10-20220414-enlocale:en-usos:windows10-1703-x64system
submitted
06-08-2022 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
Size

772KB
MD5

47e5d3b307c550fe4a259d4aa2d49885
SHA1

74e3b820e62e96c19d797dd145f31684b84ef749
SHA256

7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238
SHA512

3ed7062d4e76f8e566b1b7e3dddc854da3cb135d910546e699fc577dbe413b6910287c29720231ba2ac06f7b1cd5dc1af2797d55c65d6e10b164eb56631f4d9d

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

160 544 WerFault.exe 7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4604 schtasks.exe
3196 schtasks.exe
1644 schtasks.exe
1488 schtasks.exe
1668 schtasks.exe
4348 schtasks.exe
4912 schtasks.exe
2200 schtasks.exe

pid	pid_target	process	target process
160	544	WerFault.exe	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe

pid	process
4604	schtasks.exe
3196	schtasks.exe
1644	schtasks.exe
1488	schtasks.exe
1668	schtasks.exe
4348	schtasks.exe
4912	schtasks.exe
2200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe

pid	process
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe

description pid process

Token: SeDebugPrivilege 544 7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe

description	pid	process
Token: SeDebugPrivilege	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 544 wrote to memory of 4836	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 4836	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 4836	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 4848	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 4848	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 4848	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 5032	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 5032	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 5032	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 5116	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 5116	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 5116	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 3996	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 3996	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 3996	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 1904	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 1904	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 1904	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 1012	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 1012	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 1012	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 2028	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 2028	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 2028	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 4224	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 4224	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 4224	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 4888	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 4888	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 4888	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 3372	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 3372	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 3372	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 3500	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 3500	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 544 wrote to memory of 3500	544	7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe	cmd.exe
PID 5116 wrote to memory of 2200	5116	cmd.exe	schtasks.exe
PID 5116 wrote to memory of 2200	5116	cmd.exe	schtasks.exe
PID 5116 wrote to memory of 2200	5116	cmd.exe	schtasks.exe
PID 4836 wrote to memory of 4912	4836	cmd.exe	schtasks.exe
PID 4836 wrote to memory of 4912	4836	cmd.exe	schtasks.exe
PID 4836 wrote to memory of 4912	4836	cmd.exe	schtasks.exe
PID 4224 wrote to memory of 4348	4224	cmd.exe	schtasks.exe
PID 4224 wrote to memory of 4348	4224	cmd.exe	schtasks.exe
PID 4224 wrote to memory of 4348	4224	cmd.exe	schtasks.exe
PID 3996 wrote to memory of 1488	3996	cmd.exe	schtasks.exe
PID 3996 wrote to memory of 1488	3996	cmd.exe	schtasks.exe
PID 3996 wrote to memory of 1488	3996	cmd.exe	schtasks.exe
PID 4848 wrote to memory of 1668	4848	cmd.exe	schtasks.exe
PID 4848 wrote to memory of 1668	4848	cmd.exe	schtasks.exe
PID 4848 wrote to memory of 1668	4848	cmd.exe	schtasks.exe
PID 1012 wrote to memory of 1644	1012	cmd.exe	schtasks.exe
PID 1012 wrote to memory of 1644	1012	cmd.exe	schtasks.exe
PID 1012 wrote to memory of 1644	1012	cmd.exe	schtasks.exe
PID 2028 wrote to memory of 3196	2028	cmd.exe	schtasks.exe
PID 2028 wrote to memory of 3196	2028	cmd.exe	schtasks.exe
PID 2028 wrote to memory of 3196	2028	cmd.exe	schtasks.exe
PID 5032 wrote to memory of 4604	5032	cmd.exe	schtasks.exe
PID 5032 wrote to memory of 4604	5032	cmd.exe	schtasks.exe
PID 5032 wrote to memory of 4604	5032	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe
"C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
3⤵
- Creates scheduled task(s)
PID:4912

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
3⤵
- Creates scheduled task(s)
PID:1668

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
3⤵
- Creates scheduled task(s)
PID:4604

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1414" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
2⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2421" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
2⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8660" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
2⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1439" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1439" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
3⤵
- Creates scheduled task(s)
PID:4348

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
3⤵
- Creates scheduled task(s)
PID:3196

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
3⤵
- Creates scheduled task(s)
PID:1644

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
2⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
3⤵
- Creates scheduled task(s)
PID:1488

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\7ba4117223f1df63fec82b3b3bf3b14d12ce31677d6b3b8eee4845785f669238.exe"
3⤵
- Creates scheduled task(s)
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1360
2⤵
- Program crash
PID:160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/544-162-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-143-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-120-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-121-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-122-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-124-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-123-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-125-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-126-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-127-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-128-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-129-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-130-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-131-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-132-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-133-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-134-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-135-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-136-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-160-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-138-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-139-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-140-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-141-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-142-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-161-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-144-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-145-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-146-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-147-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-148-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-149-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-150-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-151-0x0000000000EE0000-0x0000000000F90000-memory.dmp

Filesize
704KB

Download
memory/544-152-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-153-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-154-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-155-0x0000000005C50000-0x000000000614E000-memory.dmp

Filesize
5.0MB

Download
memory/544-156-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/544-157-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-158-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-159-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-137-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-119-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-118-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-163-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-164-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-165-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-166-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-167-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-168-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-169-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-170-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-171-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/544-172-0x00000000057D0000-0x00000000057DA000-memory.dmp

Filesize
40KB

Download
memory/1012-193-0x0000000000000000-mapping.dmp

Download
memory/1488-243-0x0000000000000000-mapping.dmp

Download
memory/1644-245-0x0000000000000000-mapping.dmp

Download
memory/1668-244-0x0000000000000000-mapping.dmp

Download
memory/1904-188-0x0000000000000000-mapping.dmp

Download
memory/2028-198-0x0000000000000000-mapping.dmp

Download
memory/2200-240-0x0000000000000000-mapping.dmp

Download
memory/3196-246-0x0000000000000000-mapping.dmp

Download
memory/3372-213-0x0000000000000000-mapping.dmp

Download
memory/3500-217-0x0000000000000000-mapping.dmp

Download
memory/3996-183-0x0000000000000000-mapping.dmp

Download
memory/4224-203-0x0000000000000000-mapping.dmp

Download
memory/4348-242-0x0000000000000000-mapping.dmp

Download
memory/4604-255-0x0000000000000000-mapping.dmp

Download
memory/4836-178-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4836-187-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4836-175-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4836-173-0x0000000000000000-mapping.dmp

Download
memory/4836-182-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-177-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-190-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-181-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-185-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4848-174-0x0000000000000000-mapping.dmp

Download
memory/4888-208-0x0000000000000000-mapping.dmp

Download
memory/4912-241-0x0000000000000000-mapping.dmp

Download
memory/5032-184-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/5032-176-0x0000000000000000-mapping.dmp

Download
memory/5032-180-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/5032-189-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-191-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-186-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-179-0x0000000000000000-mapping.dmp

Download