b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b

General

Target

b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
Size

772KB
MD5

d11e5324da599323753ff7053bd8a7a4
SHA1

ca08e6f0373ebd4340cac73f830a948836e594da
SHA256

b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b
SHA512

380d36fd21205436cba451b57c0c189836afac5e2df767f3a258071f3dd60749b0416261d437b24fd8b4997d4b64c28e6672f0e8275eea23d4408f7475effb75

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2396 1776 WerFault.exe b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe

pid	pid_target	process	target process
2396	1776	WerFault.exe	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
224	schtasks.exe
208	schtasks.exe
3736	schtasks.exe
2592	schtasks.exe
4792	schtasks.exe
3600	schtasks.exe
3680	schtasks.exe
4112	schtasks.exe
4120	schtasks.exe
2148	schtasks.exe
2304	schtasks.exe
3608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe

pid	process
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe

description pid process

Token: SeDebugPrivilege 1776 b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe

description	pid	process
Token: SeDebugPrivilege	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1776 wrote to memory of 3892	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 3892	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 3892	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4136	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4136	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4136	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4540	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4540	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4540	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 3128	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 3128	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 3128	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4488	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4488	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4488	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 2092	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 2092	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 2092	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 448	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 448	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 448	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 3848	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 3848	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 3848	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4188	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4188	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4188	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4844	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4844	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 4844	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 2904	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 2904	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 2904	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 1240	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 1240	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 1776 wrote to memory of 1240	1776	b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe	cmd.exe
PID 3128 wrote to memory of 4120	3128	cmd.exe	schtasks.exe
PID 3128 wrote to memory of 4120	3128	cmd.exe	schtasks.exe
PID 3128 wrote to memory of 4120	3128	cmd.exe	schtasks.exe
PID 2092 wrote to memory of 4112	2092	cmd.exe	schtasks.exe
PID 2092 wrote to memory of 4112	2092	cmd.exe	schtasks.exe
PID 2092 wrote to memory of 4112	2092	cmd.exe	schtasks.exe
PID 3892 wrote to memory of 208	3892	cmd.exe	schtasks.exe
PID 3892 wrote to memory of 208	3892	cmd.exe	schtasks.exe
PID 3892 wrote to memory of 208	3892	cmd.exe	schtasks.exe
PID 4540 wrote to memory of 224	4540	cmd.exe	schtasks.exe
PID 4540 wrote to memory of 224	4540	cmd.exe	schtasks.exe
PID 4540 wrote to memory of 224	4540	cmd.exe	schtasks.exe
PID 4136 wrote to memory of 2592	4136	cmd.exe	schtasks.exe
PID 4136 wrote to memory of 2592	4136	cmd.exe	schtasks.exe
PID 4136 wrote to memory of 2592	4136	cmd.exe	schtasks.exe
PID 4488 wrote to memory of 2148	4488	cmd.exe	schtasks.exe
PID 4488 wrote to memory of 2148	4488	cmd.exe	schtasks.exe
PID 4488 wrote to memory of 2148	4488	cmd.exe	schtasks.exe
PID 4188 wrote to memory of 2304	4188	cmd.exe	schtasks.exe
PID 4188 wrote to memory of 2304	4188	cmd.exe	schtasks.exe
PID 4188 wrote to memory of 2304	4188	cmd.exe	schtasks.exe
PID 2904 wrote to memory of 3736	2904	cmd.exe	schtasks.exe
PID 2904 wrote to memory of 3736	2904	cmd.exe	schtasks.exe
PID 2904 wrote to memory of 3736	2904	cmd.exe	schtasks.exe
PID 448 wrote to memory of 3680	448	cmd.exe	schtasks.exe
PID 448 wrote to memory of 3680	448	cmd.exe	schtasks.exe
PID 448 wrote to memory of 3680	448	cmd.exe	schtasks.exe
PID 3848 wrote to memory of 3600	3848	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe
"C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
3⤵
- Creates scheduled task(s)
PID:208

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
3⤵
- Creates scheduled task(s)
PID:2592

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
3⤵
- Creates scheduled task(s)
PID:224

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
3⤵
- Creates scheduled task(s)
PID:2148

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
3⤵
- Creates scheduled task(s)
PID:4120

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
3⤵
- Creates scheduled task(s)
PID:3680

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
3⤵
- Creates scheduled task(s)
PID:4112

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
3⤵
- Creates scheduled task(s)
PID:3600

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk5025" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk5025" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
3⤵
- Creates scheduled task(s)
PID:2304

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk7669" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
2⤵
PID:4844

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk7669" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
3⤵
- Creates scheduled task(s)
PID:3608

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8529" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
2⤵
PID:1240

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8529" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
3⤵
- Creates scheduled task(s)
PID:4792

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk9494" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk9494" /TR "C:\Users\Admin\AppData\Local\Temp\b219c18eb188d70c2de523df9eb2328225cf69d685d9a8d1dc858ef3f9fe768b.exe"
3⤵
- Creates scheduled task(s)
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1036
2⤵
- Program crash
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1776 -ip 1776
1⤵
PID:4176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/208-148-0x0000000000000000-mapping.dmp

Download
memory/224-149-0x0000000000000000-mapping.dmp

Download
memory/448-140-0x0000000000000000-mapping.dmp

Download
memory/1240-145-0x0000000000000000-mapping.dmp

Download
memory/1776-133-0x0000000003320000-0x000000000332A000-memory.dmp

Filesize
40KB

Download
memory/1776-132-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1776-130-0x0000000000D60000-0x0000000000E10000-memory.dmp

Filesize
704KB

Download
memory/1776-131-0x0000000005CF0000-0x0000000006294000-memory.dmp

Filesize
5.6MB

Download
memory/2092-139-0x0000000000000000-mapping.dmp

Download
memory/2148-151-0x0000000000000000-mapping.dmp

Download
memory/2304-152-0x0000000000000000-mapping.dmp

Download
memory/2592-150-0x0000000000000000-mapping.dmp

Download
memory/2904-144-0x0000000000000000-mapping.dmp

Download
memory/3128-137-0x0000000000000000-mapping.dmp

Download
memory/3600-155-0x0000000000000000-mapping.dmp

Download
memory/3608-156-0x0000000000000000-mapping.dmp

Download
memory/3680-154-0x0000000000000000-mapping.dmp

Download
memory/3736-153-0x0000000000000000-mapping.dmp

Download
memory/3848-141-0x0000000000000000-mapping.dmp

Download
memory/3892-134-0x0000000000000000-mapping.dmp

Download
memory/4112-147-0x0000000000000000-mapping.dmp

Download
memory/4120-146-0x0000000000000000-mapping.dmp

Download
memory/4136-135-0x0000000000000000-mapping.dmp

Download
memory/4188-142-0x0000000000000000-mapping.dmp

Download
memory/4488-138-0x0000000000000000-mapping.dmp

Download
memory/4540-136-0x0000000000000000-mapping.dmp

Download
memory/4792-157-0x0000000000000000-mapping.dmp

Download
memory/4844-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads