fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7

Analysis

max time kernel
54s
max time network
115s
platform
windows10_x64
resource
win10-20220414-en
resource tags

arch:x64arch:x86image:win10-20220414-enlocale:en-usos:windows10-1703-x64system
submitted
06-08-2022 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
Size

772KB
MD5

4dac458d4af94bfb8e564f7c37326178
SHA1

7803c7f01fa2fa336564db337bae87a8b70c31a9
SHA256

fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7
SHA512

9d048348d40d5e895098b3edf410769570e92bea75536ae85a1638472e3c291b7c351f79b8a6a89620cd4fc8460494b57a80d01590c39241d9b308da746f0a91

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2156 1092 WerFault.exe fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1232 schtasks.exe
1384 schtasks.exe
2284 schtasks.exe
2800 schtasks.exe

pid	pid_target	process	target process
2156	1092	WerFault.exe	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe

pid	process
1232	schtasks.exe
1384	schtasks.exe
2284	schtasks.exe
2800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe

pid	process
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe

description pid process

Token: SeDebugPrivilege 1092 fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe

description	pid	process
Token: SeDebugPrivilege	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1092 wrote to memory of 2240	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 2240	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 2240	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 1608	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 1608	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 1608	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 652	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 652	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 652	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 1864	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 1864	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 1864	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 4076	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 4076	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 4076	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 936	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 936	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 936	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 2312	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 2312	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 2312	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 384	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 384	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 384	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 2156	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 2156	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 2156	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 216	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 216	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 216	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 2336	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 2336	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 2336	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 2692	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 2692	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1092 wrote to memory of 2692	1092	fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe	cmd.exe
PID 1864 wrote to memory of 2284	1864	cmd.exe	schtasks.exe
PID 1864 wrote to memory of 2284	1864	cmd.exe	schtasks.exe
PID 1864 wrote to memory of 2284	1864	cmd.exe	schtasks.exe
PID 1608 wrote to memory of 2800	1608	cmd.exe	schtasks.exe
PID 1608 wrote to memory of 2800	1608	cmd.exe	schtasks.exe
PID 1608 wrote to memory of 2800	1608	cmd.exe	schtasks.exe
PID 652 wrote to memory of 1384	652	cmd.exe	schtasks.exe
PID 652 wrote to memory of 1384	652	cmd.exe	schtasks.exe
PID 652 wrote to memory of 1384	652	cmd.exe	schtasks.exe
PID 2240 wrote to memory of 1232	2240	cmd.exe	schtasks.exe
PID 2240 wrote to memory of 1232	2240	cmd.exe	schtasks.exe
PID 2240 wrote to memory of 1232	2240	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe
"C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
3⤵
- Creates scheduled task(s)
PID:1232

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
3⤵
- Creates scheduled task(s)
PID:2800

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
3⤵
- Creates scheduled task(s)
PID:1384

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
3⤵
- Creates scheduled task(s)
PID:2284

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
2⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk316" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
2⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk6110" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
2⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7933" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
2⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk2089" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
2⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
2⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
2⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\fec67e08749ea653a5a8e375b93bf0342ea6dc789c203d493f51e8ed3f1626c7.exe"
2⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1320
2⤵
- Program crash
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/216-208-0x0000000000000000-mapping.dmp

Download
memory/384-198-0x0000000000000000-mapping.dmp

Download
memory/652-183-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/652-178-0x0000000000000000-mapping.dmp

Download
memory/652-190-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/652-186-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/936-189-0x0000000000000000-mapping.dmp

Download
memory/1092-160-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-150-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-127-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-128-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-129-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-130-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-131-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-132-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-133-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-134-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-135-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-136-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-137-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-139-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-138-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-140-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-141-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-142-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-144-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-143-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-145-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-146-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-147-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-148-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-149-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-165-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-151-0x0000000000BE0000-0x0000000000C90000-memory.dmp

Filesize
704KB

Download
memory/1092-152-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-153-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-154-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-155-0x0000000005BB0000-0x00000000060AE000-memory.dmp

Filesize
5.0MB

Download
memory/1092-156-0x0000000005550000-0x00000000055E2000-memory.dmp

Filesize
584KB

Download
memory/1092-157-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-158-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-159-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-118-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-161-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-162-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-163-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-120-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-126-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-166-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-167-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-168-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-169-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-170-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-171-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-172-0x00000000054C0000-0x00000000054CA000-memory.dmp

Filesize
40KB

Download
memory/1092-119-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-164-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-121-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-122-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-125-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-123-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-124-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1232-245-0x0000000000000000-mapping.dmp

Download
memory/1384-244-0x0000000000000000-mapping.dmp

Download
memory/1608-188-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1608-184-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1608-174-0x0000000000000000-mapping.dmp

Download
memory/1608-177-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1608-180-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1864-187-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1864-191-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/1864-181-0x0000000000000000-mapping.dmp

Download
memory/2156-203-0x0000000000000000-mapping.dmp

Download
memory/2240-176-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-179-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-175-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-182-0x0000000077060000-0x00000000771EE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-173-0x0000000000000000-mapping.dmp

Download
memory/2284-242-0x0000000000000000-mapping.dmp

Download
memory/2312-193-0x0000000000000000-mapping.dmp

Download
memory/2336-213-0x0000000000000000-mapping.dmp

Download
memory/2692-218-0x0000000000000000-mapping.dmp

Download
memory/2800-243-0x0000000000000000-mapping.dmp

Download
memory/4076-185-0x0000000000000000-mapping.dmp

Download