85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2022 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
Size

772KB
MD5

09c521472ec1bcaf02882cd29bcbd3af
SHA1

f24244d2e4807cca3bf7af4fa568de73d5e11bfd
SHA256

85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9
SHA512

ae5a0acb97120c5daeab524413af587df5ef8f3b9220f8734f5883704ba2447b0b10e8c4d320e62588cb63eee375aec52288d8a776c26c649747acdf6c0b03f9

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3468 4244 WerFault.exe 85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe

pid	pid_target	process	target process
3468	4244	WerFault.exe	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5024	schtasks.exe
1912	schtasks.exe
2240	schtasks.exe
2124	schtasks.exe
4992	schtasks.exe
3364	schtasks.exe
2632	schtasks.exe
4004	schtasks.exe
4184	schtasks.exe
4932	schtasks.exe
2112	schtasks.exe
2348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe

pid	process
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe

description pid process

Token: SeDebugPrivilege 4244 85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe

description	pid	process
Token: SeDebugPrivilege	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4244 wrote to memory of 1584	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 1584	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 1584	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 4268	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 4268	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 4268	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 1568	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 1568	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 1568	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3484	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3484	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3484	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3688	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3688	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3688	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 4976	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 4976	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 4976	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3056	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3056	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3056	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3136	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3136	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3136	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 1480	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 1480	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 1480	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 3484 wrote to memory of 2124	3484	cmd.exe	schtasks.exe
PID 3484 wrote to memory of 2124	3484	cmd.exe	schtasks.exe
PID 3484 wrote to memory of 2124	3484	cmd.exe	schtasks.exe
PID 4244 wrote to memory of 3436	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3436	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3436	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 1568 wrote to memory of 4184	1568	cmd.exe	schtasks.exe
PID 1568 wrote to memory of 4184	1568	cmd.exe	schtasks.exe
PID 1568 wrote to memory of 4184	1568	cmd.exe	schtasks.exe
PID 4244 wrote to memory of 2140	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 2140	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 2140	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3456	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3456	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 4244 wrote to memory of 3456	4244	85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe	cmd.exe
PID 1584 wrote to memory of 4992	1584	cmd.exe	schtasks.exe
PID 1584 wrote to memory of 4992	1584	cmd.exe	schtasks.exe
PID 1584 wrote to memory of 4992	1584	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 2632	3436	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 2632	3436	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 2632	3436	cmd.exe	schtasks.exe
PID 3456 wrote to memory of 3364	3456	cmd.exe	schtasks.exe
PID 3456 wrote to memory of 3364	3456	cmd.exe	schtasks.exe
PID 3456 wrote to memory of 3364	3456	cmd.exe	schtasks.exe
PID 4268 wrote to memory of 5024	4268	cmd.exe	schtasks.exe
PID 4268 wrote to memory of 5024	4268	cmd.exe	schtasks.exe
PID 4268 wrote to memory of 5024	4268	cmd.exe	schtasks.exe
PID 3688 wrote to memory of 4932	3688	cmd.exe	schtasks.exe
PID 3688 wrote to memory of 4932	3688	cmd.exe	schtasks.exe
PID 3688 wrote to memory of 4932	3688	cmd.exe	schtasks.exe
PID 4976 wrote to memory of 2112	4976	cmd.exe	schtasks.exe
PID 4976 wrote to memory of 2112	4976	cmd.exe	schtasks.exe
PID 4976 wrote to memory of 2112	4976	cmd.exe	schtasks.exe
PID 3136 wrote to memory of 2348	3136	cmd.exe	schtasks.exe
PID 3136 wrote to memory of 2348	3136	cmd.exe	schtasks.exe
PID 3136 wrote to memory of 2348	3136	cmd.exe	schtasks.exe
PID 3056 wrote to memory of 4004	3056	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe
"C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4992
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5024
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2124
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4184
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4932
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2348
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2533" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2533" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4004
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk4156" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk4156" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk9402" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk9402" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3364
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4147" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4147" /TR "C:\Users\Admin\AppData\Local\Temp\85bd1fc63e51ad39647f121abb91ed3f5fa01133693650c9824b7733f5f30ed9.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1372
  2⤵
  - Program crash
  PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4244 -ip 4244
1⤵
PID:3572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1480-142-0x0000000000000000-mapping.dmp

Download
memory/1568-136-0x0000000000000000-mapping.dmp

Download
memory/1584-134-0x0000000000000000-mapping.dmp

Download
memory/1912-156-0x0000000000000000-mapping.dmp

Download
memory/2112-153-0x0000000000000000-mapping.dmp

Download
memory/2124-143-0x0000000000000000-mapping.dmp

Download
memory/2140-146-0x0000000000000000-mapping.dmp

Download
memory/2240-157-0x0000000000000000-mapping.dmp

Download
memory/2348-154-0x0000000000000000-mapping.dmp

Download
memory/2632-149-0x0000000000000000-mapping.dmp

Download
memory/3056-140-0x0000000000000000-mapping.dmp

Download
memory/3136-141-0x0000000000000000-mapping.dmp

Download
memory/3364-150-0x0000000000000000-mapping.dmp

Download
memory/3436-144-0x0000000000000000-mapping.dmp

Download
memory/3456-147-0x0000000000000000-mapping.dmp

Download
memory/3484-137-0x0000000000000000-mapping.dmp

Download
memory/3688-138-0x0000000000000000-mapping.dmp

Download
memory/4004-155-0x0000000000000000-mapping.dmp

Download
memory/4184-145-0x0000000000000000-mapping.dmp

Download
memory/4244-130-0x00000000003E0000-0x0000000000490000-memory.dmp

Filesize
704KB

Download
memory/4244-131-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/4244-132-0x0000000004D60000-0x0000000004DF2000-memory.dmp

Filesize
584KB

Download
memory/4244-133-0x0000000004D10000-0x0000000004D1A000-memory.dmp

Filesize
40KB

Download
memory/4268-135-0x0000000000000000-mapping.dmp

Download
memory/4932-152-0x0000000000000000-mapping.dmp

Download
memory/4976-139-0x0000000000000000-mapping.dmp

Download
memory/4992-148-0x0000000000000000-mapping.dmp

Download
memory/5024-151-0x0000000000000000-mapping.dmp

Download