5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1

Analysis

max time kernel
55s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220718-en
resource tags

arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system
submitted
06-08-2022 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
Size

772KB
MD5

a5c9d6edaa8d5822f8b65cdf36fa5cce
SHA1

01464bddffc00c281ff8ce6e1adafba80cb24d51
SHA256

5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1
SHA512

d6a9a7d088cf3e607203e428ae87c86a058501f948446025e0b2c44ad826b1db5c1f157f0afef255fd46c30e4c7e4a17263c99f6193802c35e027544d6a0034d

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1544 1084 WerFault.exe 5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3788 schtasks.exe
2444 schtasks.exe
968 schtasks.exe
2268 schtasks.exe
3816 schtasks.exe
3840 schtasks.exe

pid	pid_target	process	target process
1544	1084	WerFault.exe	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe

pid	process
3788	schtasks.exe
2444	schtasks.exe
968	schtasks.exe
2268	schtasks.exe
3816	schtasks.exe
3840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe

pid	process
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe

description pid process

Token: SeDebugPrivilege 1084 5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe

description	pid	process
Token: SeDebugPrivilege	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1084 wrote to memory of 3904	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3904	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3904	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 4016	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 4016	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 4016	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3960	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3960	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3960	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3916	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3916	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3916	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 1444	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 1444	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 1444	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 2740	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 2740	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 2740	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3548	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3548	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3548	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 996	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 996	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 996	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 4048	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 4048	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 4048	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3216	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3216	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3216	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 2148	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 2148	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 2148	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3640	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3640	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 1084 wrote to memory of 3640	1084	5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe	cmd.exe
PID 3904 wrote to memory of 3840	3904	cmd.exe	schtasks.exe
PID 3904 wrote to memory of 3840	3904	cmd.exe	schtasks.exe
PID 3904 wrote to memory of 3840	3904	cmd.exe	schtasks.exe
PID 1444 wrote to memory of 3788	1444	cmd.exe	schtasks.exe
PID 1444 wrote to memory of 3788	1444	cmd.exe	schtasks.exe
PID 1444 wrote to memory of 3788	1444	cmd.exe	schtasks.exe
PID 4016 wrote to memory of 3816	4016	cmd.exe	schtasks.exe
PID 4016 wrote to memory of 3816	4016	cmd.exe	schtasks.exe
PID 4016 wrote to memory of 3816	4016	cmd.exe	schtasks.exe
PID 3960 wrote to memory of 2268	3960	cmd.exe	schtasks.exe
PID 3960 wrote to memory of 2268	3960	cmd.exe	schtasks.exe
PID 3960 wrote to memory of 2268	3960	cmd.exe	schtasks.exe
PID 3548 wrote to memory of 2444	3548	cmd.exe	schtasks.exe
PID 3548 wrote to memory of 2444	3548	cmd.exe	schtasks.exe
PID 3548 wrote to memory of 2444	3548	cmd.exe	schtasks.exe
PID 996 wrote to memory of 968	996	cmd.exe	schtasks.exe
PID 996 wrote to memory of 968	996	cmd.exe	schtasks.exe
PID 996 wrote to memory of 968	996	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe
"C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
3⤵
- Creates scheduled task(s)
PID:3816

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
2⤵
PID:3916

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk402" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
2⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1676" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
2⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
3⤵
- Creates scheduled task(s)
PID:968

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
3⤵
- Creates scheduled task(s)
PID:2444

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
2⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2594" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
2⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk3835" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
2⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1316
2⤵
- Program crash
PID:1544

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
1⤵
- Creates scheduled task(s)
PID:3788

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
1⤵
- Creates scheduled task(s)
PID:2268

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\5aa350874436675d2076a7c442528189d749dd486dd437a9a075603e60bc3ae1.exe"
1⤵
- Creates scheduled task(s)
PID:3840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/968-267-0x0000000000000000-mapping.dmp

Download
memory/996-197-0x0000000000000000-mapping.dmp

Download
memory/1084-159-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-148-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-121-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-122-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-123-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-124-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-125-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-127-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-128-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-130-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-129-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-131-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-126-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-132-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-133-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-134-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-135-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-136-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-138-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-139-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-141-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-142-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-143-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-117-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-137-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-144-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-145-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-146-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-147-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-157-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-149-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-150-0x00000000009D0000-0x0000000000A80000-memory.dmp

Filesize
704KB

Download
memory/1084-151-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-152-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-153-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-154-0x0000000005870000-0x0000000005D6E000-memory.dmp

Filesize
5.0MB

Download
memory/1084-155-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/1084-158-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-161-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-160-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-140-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-120-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-118-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-163-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-164-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-156-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-165-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-167-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-166-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-168-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-169-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-170-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-171-0x0000000005350000-0x000000000535A000-memory.dmp

Filesize
40KB

Download
memory/1084-162-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1084-119-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/1444-183-0x0000000000000000-mapping.dmp

Download
memory/2148-211-0x0000000000000000-mapping.dmp

Download
memory/2268-247-0x0000000000000000-mapping.dmp

Download
memory/2444-253-0x0000000000000000-mapping.dmp

Download
memory/2740-188-0x0000000000000000-mapping.dmp

Download
memory/3216-206-0x0000000000000000-mapping.dmp

Download
memory/3548-193-0x0000000000000000-mapping.dmp

Download
memory/3640-217-0x0000000000000000-mapping.dmp

Download
memory/3788-243-0x0000000000000000-mapping.dmp

Download
memory/3816-245-0x0000000000000000-mapping.dmp

Download
memory/3840-242-0x0000000000000000-mapping.dmp

Download
memory/3904-186-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/3904-174-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/3904-182-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/3904-177-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/3904-172-0x0000000000000000-mapping.dmp

Download
memory/3916-180-0x0000000000000000-mapping.dmp

Download
memory/3916-187-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/3960-190-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/3960-185-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/3960-181-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/3960-178-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/3960-175-0x0000000000000000-mapping.dmp

Download
memory/4016-189-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/4016-184-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/4016-173-0x0000000000000000-mapping.dmp

Download
memory/4016-179-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/4016-176-0x0000000076F10000-0x000000007709E000-memory.dmp

Filesize
1.6MB

Download
memory/4048-201-0x0000000000000000-mapping.dmp

Download