9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606

General

Target

9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
Size

772KB
MD5

e9a1fa8fa4b560c6a2c7dec35174c8b8
SHA1

874b12650ed226ee72a692aa4f5d3cca1e3d4a41
SHA256

9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606
SHA512

a4f79237a95adea49d8663ecf33ae1fcca9768ebbcb0787cad5274ae91b351b1c4be367af71568039d20c06c1a30e17c7dbc98b4acabe6793821d88ab2434f03

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3456 4244 WerFault.exe 9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe

pid	pid_target	process	target process
3456	4244	WerFault.exe	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3652	schtasks.exe
2684	schtasks.exe
1868	schtasks.exe
2628	schtasks.exe
1624	schtasks.exe
2396	schtasks.exe
5012	schtasks.exe
1872	schtasks.exe
3008	schtasks.exe
1976	schtasks.exe
1140	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe

pid	process
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe

description pid process

Token: SeDebugPrivilege 4244 9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe

description	pid	process
Token: SeDebugPrivilege	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4244 wrote to memory of 1584	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 1584	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 1584	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 4268	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 4268	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 4268	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 1568	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 1568	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 1568	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 3484	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 3484	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 3484	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 3688	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 3688	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 3688	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 4460	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 4460	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 4460	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 3056	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 3056	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 3056	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 4684	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 4684	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 4684	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 2708	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 2708	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 2708	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 1584 wrote to memory of 2628	1584	cmd.exe	schtasks.exe
PID 1584 wrote to memory of 2628	1584	cmd.exe	schtasks.exe
PID 1584 wrote to memory of 2628	1584	cmd.exe	schtasks.exe
PID 4244 wrote to memory of 3436	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 3436	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 3436	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 2120	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 2120	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 2120	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 4020	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 4020	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4244 wrote to memory of 4020	4244	9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe	cmd.exe
PID 4268 wrote to memory of 1624	4268	cmd.exe	schtasks.exe
PID 4268 wrote to memory of 1624	4268	cmd.exe	schtasks.exe
PID 4268 wrote to memory of 1624	4268	cmd.exe	schtasks.exe
PID 2708 wrote to memory of 1872	2708	cmd.exe	schtasks.exe
PID 2708 wrote to memory of 1872	2708	cmd.exe	schtasks.exe
PID 2708 wrote to memory of 1872	2708	cmd.exe	schtasks.exe
PID 3484 wrote to memory of 5012	3484	cmd.exe	schtasks.exe
PID 3484 wrote to memory of 5012	3484	cmd.exe	schtasks.exe
PID 3484 wrote to memory of 5012	3484	cmd.exe	schtasks.exe
PID 1568 wrote to memory of 2396	1568	cmd.exe	schtasks.exe
PID 1568 wrote to memory of 2396	1568	cmd.exe	schtasks.exe
PID 1568 wrote to memory of 2396	1568	cmd.exe	schtasks.exe
PID 3688 wrote to memory of 2684	3688	cmd.exe	schtasks.exe
PID 3688 wrote to memory of 2684	3688	cmd.exe	schtasks.exe
PID 3688 wrote to memory of 2684	3688	cmd.exe	schtasks.exe
PID 3056 wrote to memory of 3652	3056	cmd.exe	schtasks.exe
PID 3056 wrote to memory of 3652	3056	cmd.exe	schtasks.exe
PID 3056 wrote to memory of 3652	3056	cmd.exe	schtasks.exe
PID 4684 wrote to memory of 3008	4684	cmd.exe	schtasks.exe
PID 4684 wrote to memory of 3008	4684	cmd.exe	schtasks.exe
PID 4684 wrote to memory of 3008	4684	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 1976	3436	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 1976	3436	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 1976	3436	cmd.exe	schtasks.exe
PID 2120 wrote to memory of 1868	2120	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe
"C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
3⤵
- Creates scheduled task(s)
PID:2628

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
3⤵
- Creates scheduled task(s)
PID:1624

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
3⤵
- Creates scheduled task(s)
PID:2396

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
2⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
3⤵
- Creates scheduled task(s)
PID:3652

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
3⤵
- Creates scheduled task(s)
PID:3008

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
3⤵
- Creates scheduled task(s)
PID:2684

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5436" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5436" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
3⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2038" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2038" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
3⤵
- Creates scheduled task(s)
PID:1868

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3580" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3580" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
3⤵
- Creates scheduled task(s)
PID:1872

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk5980" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
2⤵
PID:4020

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk5980" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
3⤵
- Creates scheduled task(s)
PID:1140

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\9c35b125a9b751e42332503c8215305a06cb9181fd330fb21267932e55588606.exe"
3⤵
- Creates scheduled task(s)
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1148
2⤵
- Program crash
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4244 -ip 4244
1⤵
PID:3444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-156-0x0000000000000000-mapping.dmp

Download
memory/1568-136-0x0000000000000000-mapping.dmp

Download
memory/1584-134-0x0000000000000000-mapping.dmp

Download
memory/1624-147-0x0000000000000000-mapping.dmp

Download
memory/1868-155-0x0000000000000000-mapping.dmp

Download
memory/1872-148-0x0000000000000000-mapping.dmp

Download
memory/1976-154-0x0000000000000000-mapping.dmp

Download
memory/2120-145-0x0000000000000000-mapping.dmp

Download
memory/2396-150-0x0000000000000000-mapping.dmp

Download
memory/2628-143-0x0000000000000000-mapping.dmp

Download
memory/2684-151-0x0000000000000000-mapping.dmp

Download
memory/2708-142-0x0000000000000000-mapping.dmp

Download
memory/3008-153-0x0000000000000000-mapping.dmp

Download
memory/3056-140-0x0000000000000000-mapping.dmp

Download
memory/3436-144-0x0000000000000000-mapping.dmp

Download
memory/3484-137-0x0000000000000000-mapping.dmp

Download
memory/3652-152-0x0000000000000000-mapping.dmp

Download
memory/3688-138-0x0000000000000000-mapping.dmp

Download
memory/4020-146-0x0000000000000000-mapping.dmp

Download
memory/4244-130-0x0000000000950000-0x0000000000A00000-memory.dmp

Filesize
704KB

Download
memory/4244-132-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/4244-131-0x0000000005890000-0x0000000005E34000-memory.dmp

Filesize
5.6MB

Download
memory/4244-133-0x00000000053B0000-0x00000000053BA000-memory.dmp

Filesize
40KB

Download
memory/4268-135-0x0000000000000000-mapping.dmp

Download
memory/4460-139-0x0000000000000000-mapping.dmp

Download
memory/4684-141-0x0000000000000000-mapping.dmp

Download
memory/5012-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads