ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454

Analysis

max time kernel
144s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
14/09/2022, 18:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
Size

895KB
MD5

71c82ff59be9f63178d1a587b0ac594e
SHA1

3e28cd6a62207d0b0d1f51a60c97afe9a82f770b
SHA256

ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454
SHA512

3017a23c9798ad68ca55b30385fb24c74ffcd2681269448d6f337fd267e91947c00c411b646f635d5429e4bd1d1295bf0549fb84e8507e0115e9b3e648a3bfb5
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
416	2700	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4028	schtasks.exe
1712	schtasks.exe
1872	schtasks.exe
4192	schtasks.exe
4592	schtasks.exe
4296	schtasks.exe
4364	schtasks.exe
3684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 4808	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	66
PID 2700 wrote to memory of 4808	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	66
PID 2700 wrote to memory of 4808	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	66
PID 2700 wrote to memory of 4820	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	67
PID 2700 wrote to memory of 4820	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	67
PID 2700 wrote to memory of 4820	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	67
PID 2700 wrote to memory of 4884	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	68
PID 2700 wrote to memory of 4884	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	68
PID 2700 wrote to memory of 4884	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	68
PID 2700 wrote to memory of 5100	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	69
PID 2700 wrote to memory of 5100	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	69
PID 2700 wrote to memory of 5100	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	69
PID 2700 wrote to memory of 2328	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	70
PID 2700 wrote to memory of 2328	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	70
PID 2700 wrote to memory of 2328	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	70
PID 2700 wrote to memory of 4260	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	72
PID 2700 wrote to memory of 4260	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	72
PID 2700 wrote to memory of 4260	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	72
PID 2700 wrote to memory of 3592	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	73
PID 2700 wrote to memory of 3592	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	73
PID 2700 wrote to memory of 3592	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	73
PID 2700 wrote to memory of 5040	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	88
PID 2700 wrote to memory of 5040	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	88
PID 2700 wrote to memory of 5040	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	88
PID 2700 wrote to memory of 2296	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	76
PID 2700 wrote to memory of 2296	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	76
PID 2700 wrote to memory of 2296	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	76
PID 2700 wrote to memory of 4032	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	87
PID 2700 wrote to memory of 4032	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	87
PID 2700 wrote to memory of 4032	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	87
PID 2700 wrote to memory of 1584	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	78
PID 2700 wrote to memory of 1584	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	78
PID 2700 wrote to memory of 1584	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	78
PID 2700 wrote to memory of 1340	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	79
PID 2700 wrote to memory of 1340	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	79
PID 2700 wrote to memory of 1340	2700	ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe	79
PID 4884 wrote to memory of 1712	4884	cmd.exe	89
PID 4884 wrote to memory of 1712	4884	cmd.exe	89
PID 4884 wrote to memory of 1712	4884	cmd.exe	89
PID 3592 wrote to memory of 1872	3592	cmd.exe	90
PID 3592 wrote to memory of 1872	3592	cmd.exe	90
PID 3592 wrote to memory of 1872	3592	cmd.exe	90
PID 4808 wrote to memory of 4192	4808	cmd.exe	91
PID 4808 wrote to memory of 4192	4808	cmd.exe	91
PID 4808 wrote to memory of 4192	4808	cmd.exe	91
PID 4260 wrote to memory of 4592	4260	cmd.exe	92
PID 4260 wrote to memory of 4592	4260	cmd.exe	92
PID 4260 wrote to memory of 4592	4260	cmd.exe	92
PID 5040 wrote to memory of 4364	5040	cmd.exe	94
PID 5040 wrote to memory of 4364	5040	cmd.exe	94
PID 5040 wrote to memory of 4364	5040	cmd.exe	94
PID 2296 wrote to memory of 4296	2296	cmd.exe	93
PID 2296 wrote to memory of 4296	2296	cmd.exe	93
PID 2296 wrote to memory of 4296	2296	cmd.exe	93
PID 1584 wrote to memory of 4028	1584	cmd.exe	96
PID 1584 wrote to memory of 4028	1584	cmd.exe	96
PID 1584 wrote to memory of 4028	1584	cmd.exe	96
PID 1340 wrote to memory of 3684	1340	cmd.exe	95
PID 1340 wrote to memory of 3684	1340	cmd.exe	95
PID 1340 wrote to memory of 3684	1340	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe
"C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4192
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
  2⤵
  PID:4820
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
  2⤵
  PID:5100
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
  2⤵
  PID:2328
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4592
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7110" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7110" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4296
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk5944" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk5944" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4028
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8259" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8259" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9182" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
  2⤵
  PID:4032
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\ae0b19631a3c5bee67967548ea8953faa72889da83addec9f31b17037147c454.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1320
  2⤵
  - Program crash
  PID:416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2328-189-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-159-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-163-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-125-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-126-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-127-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-128-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-129-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-123-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-130-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-131-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-132-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-133-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-134-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-135-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-136-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-137-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-138-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-139-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-141-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-142-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-140-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-143-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-144-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-145-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-146-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-147-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-148-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-149-0x0000000000A50000-0x0000000000B00000-memory.dmp

Filesize
704KB

Download
memory/2700-150-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-151-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-152-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-153-0x0000000005920000-0x0000000005E1E000-memory.dmp

Filesize
5.0MB

Download
memory/2700-154-0x0000000005420000-0x00000000054B2000-memory.dmp

Filesize
584KB

Download
memory/2700-155-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-156-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-157-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-158-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-122-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-160-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-161-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-124-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-164-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-162-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-165-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-166-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-167-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-168-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-169-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-170-0x0000000005320000-0x000000000532A000-memory.dmp

Filesize
40KB

Download
memory/2700-116-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-117-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-118-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-119-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-120-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-121-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-182-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-178-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-174-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-173-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-184-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-177-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-175-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-180-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4884-181-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4884-188-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4884-185-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/5100-186-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download