Analysis
- max time kernel: 143s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-09-2022 15:45

Static task: static1
Behavioral task: behavioral1
- Sample: 16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe
- Resource: win10v2004-20220812-en (windows10-2004-x64)
- 6 signatures
- 150 seconds
General
- Target: 16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe
- Size: 884KB
- MD5: c27dce7837354c83175340e05e548a5e
- SHA1: dabd14601162820e922f340dc311dc099507242b
- SHA256: 16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2
- SHA512: bfc48d3fc44783930a336a24ea42b286e06eec2272d0ef2925652f05256acf6cc365d1def24fa25a70e0852295446b95914cfc35ee03ba9c02659d90a2520841
- SSDEEP: 768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX
- Score: 6/10
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 9 IoCs)
  All nine values are written by 16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe as Set value (str) under \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
  - SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"
  - WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"
  - Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"
  - WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
  - AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"
  - OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"
  - NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"
  - dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
  - MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4356  4856        WerFault.exe  80
- Creates scheduled task(s) (1 TTP, 11 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe pids: 2128, 3404, 2000, 716, 4264, 2312, 4652, 1748, 2308, 1624, 64
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4856, 16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe (all 64 entries refer to this same process)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 4856, 16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe
- Suspicious use of WriteProcessMemory (64 IoCs; each source/target pair is listed once below, procid_target in parentheses)
  From 16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe, PID 4856:
  - wrote to memory of 3556 (81)
  - wrote to memory of 4896 (82)
  - wrote to memory of 1924 (84)
  - wrote to memory of 1792 (88)
  - wrote to memory of 4812 (85)
  - wrote to memory of 3244 (89)
  - wrote to memory of 2204 (92)
  - wrote to memory of 3592 (93)
  - wrote to memory of 808 (96)
  - wrote to memory of 3848 (94)
  - wrote to memory of 5096 (100)
  - wrote to memory of 4004 (102)
  From cmd.exe:
  - PID 3556 wrote to memory of 3404 (114)
  - PID 2204 wrote to memory of 64 (113)
  - PID 3848 wrote to memory of 1748 (106)
  - PID 1792 wrote to memory of 716 (107)
  - PID 4896 wrote to memory of 2308 (108)
  - PID 4812 wrote to memory of 4264 (109)
  - PID 3244 wrote to memory of 2312 (110)
  - PID 3592 wrote to memory of 2128 (111)
  - PID 808 wrote to memory of 1624 (112)
  - PID 1924 wrote to memory of 2000 (105)
Processes
- C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe (PID 4856)
  cmd: "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3556)
    cmd: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 3404)
      cmd: SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 4896)
    cmd: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2308)
      cmd: SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 1924)
    cmd: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2000)
      cmd: SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 4812)
    cmd: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 4264)
      cmd: SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 1792)
    cmd: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 716)
      cmd: SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 3244)
    cmd: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2312)
      cmd: SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 2204)
    cmd: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 64)
      cmd: SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 3592)
    cmd: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2128)
      cmd: SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 3848)
    cmd: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk7063" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1748)
      cmd: SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk7063" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 808)
    cmd: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk5739" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1624)
      cmd: SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk5739" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 5096)
    cmd: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk6135" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
  - C:\Windows\SysWOW64\cmd.exe (PID 4004)
    cmd: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7253" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
    - C:\Windows\SysWOW64\schtasks.exe (PID 4652)
      cmd: SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7253" /TR "C:\Users\Admin\AppData\Local\Temp\16fa6c5891aa070fc83beb7ce8218d9bfd93aa6805776a0a19b78efd970398f2.exe"
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\WerFault.exe (PID 4356)
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1144
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4960)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4856 -ip 4856