e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd

Analysis

max time kernel
53s
max time network
113s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
09/09/2022, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
Size

885KB
MD5

0f6beeda1361b07cfac56941e831e1b7
SHA1

deb579371f0e91f9ee99a80ddbaa1502bd7f4976
SHA256

e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd
SHA512

149f1878124f710d31831253b563bf74ef283885d0e85bd5d6021d3fb951eaf62b1a4b5b197fff1fcb7d0fbea32a501c66f4651a1c18dea79444884b43f123f1
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3304	2804	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4368	schtasks.exe
4512	schtasks.exe
4428	schtasks.exe
3180	schtasks.exe
3172	schtasks.exe
3996	schtasks.exe
3900	schtasks.exe
4340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1908	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	66
PID 2804 wrote to memory of 1908	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	66
PID 2804 wrote to memory of 1908	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	66
PID 2804 wrote to memory of 4764	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	67
PID 2804 wrote to memory of 4764	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	67
PID 2804 wrote to memory of 4764	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	67
PID 2804 wrote to memory of 4776	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	68
PID 2804 wrote to memory of 4776	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	68
PID 2804 wrote to memory of 4776	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	68
PID 2804 wrote to memory of 4856	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	83
PID 2804 wrote to memory of 4856	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	83
PID 2804 wrote to memory of 4856	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	83
PID 2804 wrote to memory of 5072	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	82
PID 2804 wrote to memory of 5072	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	82
PID 2804 wrote to memory of 5072	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	82
PID 2804 wrote to memory of 4184	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	80
PID 2804 wrote to memory of 4184	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	80
PID 2804 wrote to memory of 4184	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	80
PID 2804 wrote to memory of 3616	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	69
PID 2804 wrote to memory of 3616	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	69
PID 2804 wrote to memory of 3616	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	69
PID 2804 wrote to memory of 2308	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	70
PID 2804 wrote to memory of 2308	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	70
PID 2804 wrote to memory of 2308	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	70
PID 2804 wrote to memory of 4092	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	71
PID 2804 wrote to memory of 4092	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	71
PID 2804 wrote to memory of 4092	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	71
PID 2804 wrote to memory of 1504	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	76
PID 2804 wrote to memory of 1504	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	76
PID 2804 wrote to memory of 1504	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	76
PID 2804 wrote to memory of 4880	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	75
PID 2804 wrote to memory of 4880	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	75
PID 2804 wrote to memory of 4880	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	75
PID 2804 wrote to memory of 2336	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	78
PID 2804 wrote to memory of 2336	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	78
PID 2804 wrote to memory of 2336	2804	e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe	78
PID 2308 wrote to memory of 3900	2308	cmd.exe	96
PID 2308 wrote to memory of 3900	2308	cmd.exe	96
PID 2308 wrote to memory of 3900	2308	cmd.exe	96
PID 4880 wrote to memory of 3996	4880	cmd.exe	95
PID 4880 wrote to memory of 3996	4880	cmd.exe	95
PID 4880 wrote to memory of 3996	4880	cmd.exe	95
PID 4764 wrote to memory of 3172	4764	cmd.exe	94
PID 4764 wrote to memory of 3172	4764	cmd.exe	94
PID 4764 wrote to memory of 3172	4764	cmd.exe	94
PID 1504 wrote to memory of 3180	1504	cmd.exe	93
PID 1504 wrote to memory of 3180	1504	cmd.exe	93
PID 1504 wrote to memory of 3180	1504	cmd.exe	93
PID 5072 wrote to memory of 4428	5072	cmd.exe	92
PID 5072 wrote to memory of 4428	5072	cmd.exe	92
PID 5072 wrote to memory of 4428	5072	cmd.exe	92
PID 4184 wrote to memory of 4512	4184	cmd.exe	91
PID 4184 wrote to memory of 4512	4184	cmd.exe	91
PID 4184 wrote to memory of 4512	4184	cmd.exe	91
PID 4776 wrote to memory of 4340	4776	cmd.exe	89
PID 4776 wrote to memory of 4340	4776	cmd.exe	89
PID 4776 wrote to memory of 4340	4776	cmd.exe	89
PID 3616 wrote to memory of 4368	3616	cmd.exe	90
PID 3616 wrote to memory of 4368	3616	cmd.exe	90
PID 3616 wrote to memory of 4368	3616	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe
"C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
  2⤵
  PID:1908
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3172
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4340
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4368
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3900
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk9094" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
  2⤵
  PID:4092
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1788" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1788" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3996
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk4676" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk4676" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3180
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8484" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
  2⤵
  PID:2336
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4512
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\e67884e084a44e707068c56f20fdde4a9e97ab885a2ed29a82848c978f5547cd.exe"
  2⤵
  PID:4856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1316
  2⤵
  - Program crash
  PID:3304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-179-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/1908-177-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/1908-173-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/1908-172-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-159-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-164-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-125-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-126-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-128-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-127-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-129-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-130-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-131-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-132-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-133-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-134-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-135-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-136-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-137-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-138-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-161-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-140-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-141-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-142-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-143-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-144-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-145-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-146-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-163-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-148-0x0000000000EC0000-0x0000000000F70000-memory.dmp

Filesize
704KB

Download
memory/2804-149-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-150-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-151-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-152-0x0000000005C30000-0x000000000612E000-memory.dmp

Filesize
5.0MB

Download
memory/2804-153-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/2804-154-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-155-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-156-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-157-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-158-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-115-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-160-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-139-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-124-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-147-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-162-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-165-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-166-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-167-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-168-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-169-0x00000000057A0000-0x00000000057AA000-memory.dmp

Filesize
40KB

Download
memory/2804-123-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-122-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-116-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-121-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-120-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-119-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-117-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-118-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4764-180-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4764-183-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4764-176-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4764-174-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4776-184-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4776-187-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4776-181-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4856-185-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/5072-188-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download