874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8

Analysis

max time kernel
136s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2022, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
Size

875KB
MD5

8895a334ce91114d9fc1807b24085840
SHA1

542a01923dbbaacc94124e98b4ebe96a62f584e7
SHA256

874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8
SHA512

47bb92e87fcd931beb17133bce8e3139dad37fab1548dba9d2d143574df7a4993f88853cae5973a9e06ebe8c57615579b745591c21d7352b11aafbe3526de58d
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4352	2856	WerFault.exe	84

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4868	schtasks.exe
3560	schtasks.exe
2932	schtasks.exe
3836	schtasks.exe
3484	schtasks.exe
3344	schtasks.exe
660	schtasks.exe
4208	schtasks.exe
2648	schtasks.exe
2064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 732	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	86
PID 2856 wrote to memory of 732	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	86
PID 2856 wrote to memory of 732	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	86
PID 2856 wrote to memory of 1816	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	87
PID 2856 wrote to memory of 1816	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	87
PID 2856 wrote to memory of 1816	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	87
PID 2856 wrote to memory of 4092	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	109
PID 2856 wrote to memory of 4092	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	109
PID 2856 wrote to memory of 4092	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	109
PID 2856 wrote to memory of 4716	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	106
PID 2856 wrote to memory of 4716	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	106
PID 2856 wrote to memory of 4716	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	106
PID 2856 wrote to memory of 2232	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	105
PID 2856 wrote to memory of 2232	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	105
PID 2856 wrote to memory of 2232	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	105
PID 2856 wrote to memory of 2180	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	90
PID 2856 wrote to memory of 2180	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	90
PID 2856 wrote to memory of 2180	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	90
PID 2856 wrote to memory of 4008	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	91
PID 2856 wrote to memory of 4008	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	91
PID 2856 wrote to memory of 4008	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	91
PID 2856 wrote to memory of 2356	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	92
PID 2856 wrote to memory of 2356	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	92
PID 2856 wrote to memory of 2356	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	92
PID 2856 wrote to memory of 5056	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	95
PID 2856 wrote to memory of 5056	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	95
PID 2856 wrote to memory of 5056	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	95
PID 2856 wrote to memory of 4284	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	96
PID 2856 wrote to memory of 4284	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	96
PID 2856 wrote to memory of 4284	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	96
PID 2856 wrote to memory of 1132	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	97
PID 2856 wrote to memory of 1132	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	97
PID 2856 wrote to memory of 1132	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	97
PID 2856 wrote to memory of 4112	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	98
PID 2856 wrote to memory of 4112	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	98
PID 2856 wrote to memory of 4112	2856	874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe	98
PID 4008 wrote to memory of 2648	4008	cmd.exe	111
PID 4008 wrote to memory of 2648	4008	cmd.exe	111
PID 4008 wrote to memory of 2648	4008	cmd.exe	111
PID 4284 wrote to memory of 4208	4284	cmd.exe	110
PID 4284 wrote to memory of 4208	4284	cmd.exe	110
PID 4284 wrote to memory of 4208	4284	cmd.exe	110
PID 1816 wrote to memory of 4868	1816	cmd.exe	112
PID 1816 wrote to memory of 4868	1816	cmd.exe	112
PID 1816 wrote to memory of 4868	1816	cmd.exe	112
PID 732 wrote to memory of 2064	732	cmd.exe	113
PID 732 wrote to memory of 2064	732	cmd.exe	113
PID 732 wrote to memory of 2064	732	cmd.exe	113
PID 2232 wrote to memory of 3836	2232	cmd.exe	114
PID 2232 wrote to memory of 3836	2232	cmd.exe	114
PID 2232 wrote to memory of 3836	2232	cmd.exe	114
PID 4716 wrote to memory of 3484	4716	cmd.exe	115
PID 4716 wrote to memory of 3484	4716	cmd.exe	115
PID 4716 wrote to memory of 3484	4716	cmd.exe	115
PID 2180 wrote to memory of 3560	2180	cmd.exe	116
PID 2180 wrote to memory of 3560	2180	cmd.exe	116
PID 2180 wrote to memory of 3560	2180	cmd.exe	116
PID 4092 wrote to memory of 3344	4092	cmd.exe	117
PID 4092 wrote to memory of 3344	4092	cmd.exe	117
PID 4092 wrote to memory of 3344	4092	cmd.exe	117
PID 1132 wrote to memory of 2932	1132	cmd.exe	118
PID 1132 wrote to memory of 2932	1132	cmd.exe	118
PID 1132 wrote to memory of 2932	1132	cmd.exe	118
PID 5056 wrote to memory of 660	5056	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe
"C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4868
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3560
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
  2⤵
  PID:2356
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk8298" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk8298" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
    3⤵
    - Creates scheduled task(s)
    PID:660
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk2061" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk2061" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4208
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2932" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2932" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1826" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
  2⤵
  PID:4112
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3836
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3484
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\874252b70d1549911804f47cb908d3d22ae81d1aa8dc7203a22639b27943ddf8.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 1104
  2⤵
  - Program crash
  PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2856 -ip 2856
1⤵
PID:4772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2856-135-0x00000000052C0000-0x00000000052CA000-memory.dmp

Filesize
40KB

Download
memory/2856-134-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/2856-133-0x0000000005890000-0x0000000005E34000-memory.dmp

Filesize
5.6MB

Download
memory/2856-132-0x0000000000970000-0x0000000000A20000-memory.dmp

Filesize
704KB

Download