c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6

General

Target

c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
Size

796KB
MD5

e64f4840872e0c14754a501249fde3e4
SHA1

6f35010b3e36080437cb284f5a08f9083b3c4a5f
SHA256

c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6
SHA512

007b80d9782656c3746c30303ba5f25c7edd756627a66b2b24a06ad88abb1783803d6924cb8d43a927ad4f805d3c374fb0fedebe82ba7fd5e8315e041f0508f8

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2248	schtasks.exe
4088	schtasks.exe
3884	schtasks.exe
3676	schtasks.exe
4476	schtasks.exe
4728	schtasks.exe
3752	schtasks.exe
4600	schtasks.exe
1892	schtasks.exe
2596	schtasks.exe
3168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe

pid	process
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe

description pid process

Token: SeDebugPrivilege 5012 c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe

description	pid	process
Token: SeDebugPrivilege	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5012 wrote to memory of 1752	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 1752	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 1752	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 3620	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 3620	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 3620	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 2604	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 2604	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 2604	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 2772	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 2772	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 2772	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 2156	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 2156	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 2156	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 3440	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 3440	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 3440	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 3464	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 3464	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 3464	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 1676	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 1676	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 1676	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 1668	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 1668	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 1668	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 5020	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 5020	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 5020	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 2224	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 2224	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 2224	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 3424	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 3424	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 5012 wrote to memory of 3424	5012	c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe	cmd.exe
PID 1752 wrote to memory of 1892	1752	cmd.exe	schtasks.exe
PID 1752 wrote to memory of 1892	1752	cmd.exe	schtasks.exe
PID 1752 wrote to memory of 1892	1752	cmd.exe	schtasks.exe
PID 2604 wrote to memory of 2596	2604	cmd.exe	schtasks.exe
PID 2604 wrote to memory of 2596	2604	cmd.exe	schtasks.exe
PID 2604 wrote to memory of 2596	2604	cmd.exe	schtasks.exe
PID 2772 wrote to memory of 3168	2772	cmd.exe	schtasks.exe
PID 2772 wrote to memory of 3168	2772	cmd.exe	schtasks.exe
PID 2772 wrote to memory of 3168	2772	cmd.exe	schtasks.exe
PID 3620 wrote to memory of 3884	3620	cmd.exe	schtasks.exe
PID 3620 wrote to memory of 3884	3620	cmd.exe	schtasks.exe
PID 3620 wrote to memory of 3884	3620	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 3676	1676	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 3676	1676	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 3676	1676	cmd.exe	schtasks.exe
PID 3464 wrote to memory of 4476	3464	cmd.exe	schtasks.exe
PID 3464 wrote to memory of 4476	3464	cmd.exe	schtasks.exe
PID 3464 wrote to memory of 4476	3464	cmd.exe	schtasks.exe
PID 1668 wrote to memory of 4088	1668	cmd.exe	schtasks.exe
PID 1668 wrote to memory of 4088	1668	cmd.exe	schtasks.exe
PID 1668 wrote to memory of 4088	1668	cmd.exe	schtasks.exe
PID 3424 wrote to memory of 2248	3424	cmd.exe	schtasks.exe
PID 3424 wrote to memory of 2248	3424	cmd.exe	schtasks.exe
PID 3424 wrote to memory of 2248	3424	cmd.exe	schtasks.exe
PID 2224 wrote to memory of 3752	2224	cmd.exe	schtasks.exe
PID 2224 wrote to memory of 3752	2224	cmd.exe	schtasks.exe
PID 2224 wrote to memory of 3752	2224	cmd.exe	schtasks.exe
PID 3440 wrote to memory of 4728	3440	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe
"C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
3⤵
- Creates scheduled task(s)
PID:1892

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
3⤵
- Creates scheduled task(s)
PID:3884

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
3⤵
- Creates scheduled task(s)
PID:2596

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
3⤵
- Creates scheduled task(s)
PID:3168

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
2⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
3⤵
- Creates scheduled task(s)
PID:4476

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
3⤵
- Creates scheduled task(s)
PID:4728

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
3⤵
- Creates scheduled task(s)
PID:3676

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3945" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3945" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
3⤵
- Creates scheduled task(s)
PID:4088

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk1855" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
2⤵
PID:5020

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk1855" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
3⤵
- Creates scheduled task(s)
PID:4600

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7892" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7892" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
3⤵
- Creates scheduled task(s)
PID:2248

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2445" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2445" /TR "C:\Users\Admin\AppData\Local\Temp\c5ec2a76b83dd703822d1d256ed72571ba3125874a64306324c9f444f6146bf6.exe"
3⤵
- Creates scheduled task(s)
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5012 -ip 5012
1⤵
PID:1684

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 3364 -ip 3364
1⤵
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-142-0x0000000000000000-mapping.dmp

Download
memory/1676-141-0x0000000000000000-mapping.dmp

Download
memory/1752-134-0x0000000000000000-mapping.dmp

Download
memory/1892-146-0x0000000000000000-mapping.dmp

Download
memory/2156-138-0x0000000000000000-mapping.dmp

Download
memory/2224-144-0x0000000000000000-mapping.dmp

Download
memory/2248-153-0x0000000000000000-mapping.dmp

Download
memory/2596-147-0x0000000000000000-mapping.dmp

Download
memory/2604-136-0x0000000000000000-mapping.dmp

Download
memory/2772-137-0x0000000000000000-mapping.dmp

Download
memory/3168-148-0x0000000000000000-mapping.dmp

Download
memory/3424-145-0x0000000000000000-mapping.dmp

Download
memory/3440-139-0x0000000000000000-mapping.dmp

Download
memory/3464-140-0x0000000000000000-mapping.dmp

Download
memory/3620-135-0x0000000000000000-mapping.dmp

Download
memory/3676-150-0x0000000000000000-mapping.dmp

Download
memory/3752-154-0x0000000000000000-mapping.dmp

Download
memory/3884-149-0x0000000000000000-mapping.dmp

Download
memory/4088-152-0x0000000000000000-mapping.dmp

Download
memory/4476-151-0x0000000000000000-mapping.dmp

Download
memory/4600-156-0x0000000000000000-mapping.dmp

Download
memory/4728-155-0x0000000000000000-mapping.dmp

Download
memory/5012-132-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/5012-133-0x0000000005480000-0x000000000548A000-memory.dmp

Filesize
40KB

Download
memory/5012-130-0x0000000000A30000-0x0000000000AE0000-memory.dmp

Filesize
704KB

Download
memory/5012-131-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/5020-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads