Analysis
-
max time kernel
54s -
max time network
117s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64 arch:x86 image:win10-20220812-en locale:en-us os:windows10-1703-x64 system
submitted
17-09-2022 16:25
Static task
static1
Behavioral task
behavioral1
Sample
a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe
Resource
win10-20220812-en
windows10-1703-x64
6 signatures
150 seconds
General
-
Target
a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe
-
Size
903KB
-
MD5
d59070df40cdc5587c12177ec520eb7f
-
SHA1
bcb530e8b6b8395345863f96876244984f2bf767
-
SHA256
a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2
-
SHA512
47c37fcb8c8a638fd66e3faddd10ca0f685343e8660d472923b5c9afeefd3a185686792c382e2392fa8a965342c750618711a91950763d76c94b5eaf3da7c944
-
SSDEEP
768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX
Score
6/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 9 IoCs
Nine values are written under the per-user Run key (the S-1-5-21-2482096546-1136599444-1359412500-1000 hive, i.e. HKCU). Four point at genuine Windows binaries at their real paths (MpCmdRun.exe, MsMpEng.exe, SecurityHealthSystray.exe, WmiPrvSE.exe); three (NvStray, MicrosoftEdgeUpd, OneDriveService) point at a file.exe under a WindowsApps folder whose path mixes a forward slash into a backslash path; Cortana points at a Cortana.exe in that same folder; and dllhost points at the sample itself in the user's Temp directory. The value names imitate Windows and vendor components. Note that the four values launching real system binaries would pass a path-only check, so a hunt for this persistence has to look at where the value lives and what it is named, not only at the target path.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe" | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe" | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe" | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe" | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe" | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe" | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe" | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
860 | 2196 | WerFault.exe | 65
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here every task is created with /SC HOURLY and its /TR action is the sample's own path in the user's Temp directory (the full command lines are under Processes below), so the payload is re-launched every hour even if the original process is killed. The process tree records a schtasks.exe child for eight of the twelve cmd.exe invocations, which matches the eight PIDs listed here.
pid | Process
2220 | schtasks.exe
3964 | schtasks.exe
3752 | schtasks.exe
3856 | schtasks.exe
3724 | schtasks.exe
2992 | schtasks.exe
4032 | schtasks.exe
4428 | schtasks.exe
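The Run-key rows and the SCHTASKS command lines above are the two persistence artefacts a responder would want to triage mechanically. The following Python is an added example, not the sandbox's own code or output: it parses records in the form this report presents them (registry data with the doubled backslashes the report shows, and SCHTASKS /CREATE command lines as they appear under Processes) and attaches reasons for suspicion. The three Run-key rows and two command lines embedded below are copied from this report; the component-name mapping (IMITATED_COMPONENTS), the list of service binaries and the heuristics themselves are assumptions of this example. It deliberately includes the AntiMalwareServiceExecutable row, whose target is the real MsMpEng.exe, to show why a path-only check is not enough.

```python
"""Triage persistence records of the kind this report lists: per-user Run values
and SCHTASKS /CREATE command lines. Added example, not the sandbox's own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
HKCU_RUN = r"\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed input: three Run-value rows and two task command lines copied from the
# report (registry data is shown there JSON-style, with doubled backslashes).
RUN_KEY_RECORDS = [
    HKCU_RUN + r'\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"',
    HKCU_RUN + r'\dllhost = "' + SAMPLE.replace("\\", "\\\\") + '"',
    HKCU_RUN + r'\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"',
]
SCHTASKS_CMDLINES = [
    f'SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "{SAMPLE}"',
    f'SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\\WindowsDefenderServicesService_bk1713" /TR "{SAMPLE}"',
]

# Assumption (not from the report): names that borrow a Windows component's name,
# mapped to the binary that component really is. Extend for your own environment.
IMITATED_COMPONENTS = {
    "dllhost": "dllhost.exe",
    "wmiprvse": "wmiprvse.exe",
    "antimalwareserviceexecutable": "msmpeng.exe",
    "securityhealthsystray": "securityhealthsystray.exe",
}
# Service/host binaries that are never legitimately started from a per-user Run value.
SERVICE_BINARIES = {"msmpeng.exe", "wmiprvse.exe", "mpcmdrun.exe"}

RUN_RE = re.compile(r'^(?P<key>\\REGISTRY\\.*?\\Run)\\(?P<name>[^\\=]+?)\s*=\s*"(?P<data>.*)"\s*$')
TN_RE = re.compile(r'/TN\s+"([^"]+)"', re.I)
TR_RE = re.compile(r'/TR\s+"([^"]+)"', re.I)
SC_RE = re.compile(r"/SC\s+(\w+)", re.I)


@dataclass
class Persistence:
    kind: str            # "run_value" or "scheduled_task"
    name: str            # Run value name, or task name including any task folder
    target: str          # what gets executed, with registry escaping undone
    per_user: bool       # True when the Run value lives in a user hive (HKCU)
    schedule: str = ""   # /SC value for tasks, e.g. "HOURLY"
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def parse_run_record(line: str) -> Persistence:
    """Parse one 'Set value (str)' IoC as printed in the report."""
    m = RUN_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Run-value record: {line!r}")
    target = m["data"].replace("\\\\", "\\")  # undo the report's doubled backslashes
    per_user = m["key"].upper().startswith("\\REGISTRY\\USER\\")
    return Persistence("run_value", m["name"], target, per_user)


def parse_schtasks(cmdline: str) -> Persistence:
    """Parse a SCHTASKS /CREATE command line (bare, or wrapped in cmd.exe /c)."""
    if not re.search(r"\bschtasks(\.exe)?\b.*/create\b", cmdline, re.I):
        raise ValueError(f"not a SCHTASKS /CREATE command line: {cmdline!r}")
    tn, tr, sc = TN_RE.search(cmdline), TR_RE.search(cmdline), SC_RE.search(cmdline)
    if not (tn and tr):
        raise ValueError("task name (/TN) and action (/TR) are both required")
    return Persistence("scheduled_task", tn[1], tr[1], False, sc[1].upper() if sc else "")


def _path_checks(target: str) -> List[str]:
    reasons = []
    low = target.lower().replace("/", "\\")
    if "/" in target:
        reasons.append("mixed path separators (path assembled by string concatenation)")
    if "\\appdata\\local\\temp\\" in low:
        reasons.append("launches from the user's temp directory")
    if "\\windowsapps\\" in low:
        reasons.append("points into the protected WindowsApps store directory")
    return reasons


def _name_checks(name: str, target: str) -> List[str]:
    leaf = name.rsplit("\\", 1)[-1].lower()  # tasks may sit in a task folder
    expected = IMITATED_COMPONENTS.get(leaf)
    if expected and _basename(target) != expected:
        return [f"name imitates Windows component {expected} but launches {_basename(target)}"]
    return []


def assess(p: Persistence) -> Persistence:
    """Attach human-readable reasons; an empty list means nothing anomalous was seen."""
    p.reasons = _path_checks(p.target) + _name_checks(p.name, p.target)
    if p.kind == "run_value" and p.per_user and _basename(p.target) in SERVICE_BINARIES:
        p.reasons.append("Windows service binary registered as a per-user autostart")
    if p.kind == "scheduled_task" and p.schedule in {"MINUTE", "HOURLY"}:
        p.reasons.append(f"{p.schedule} trigger re-launches the action even after the process is killed")
    return p


def triage(run_records: List[str], cmdlines: List[str]) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {}
    for rec in run_records:
        p = assess(parse_run_record(rec))
        findings[f"run:{p.name}"] = p.reasons
    for cmd in cmdlines:
        p = assess(parse_schtasks(cmd))
        findings[f"task:{p.name}"] = p.reasons
    return findings


if __name__ == "__main__":
    for key, reasons in triage(RUN_KEY_RECORDS, SCHTASKS_CMDLINES).items():
        print(f"{key}: {'; '.join(reasons) or 'nothing anomalous'}")
```

Feeding the full Run-key table and all twelve command lines from this report through triage() flags every row: the dllhost and WindowsApps values on path and name, the tasks on their Temp action and hourly trigger, and the values that launch real Defender and WMI binaries only because a service binary has no business being a per-user Run value. That last rule is the one most hunts omit.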
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2196 | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe (this row is repeated 64 times in the report)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2196 | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe
Suspicious use of WriteProcessMemory 60 IoCs
Every target PID below is a direct child recorded in the process tree (the sample's twelve cmd.exe children, and the eight schtasks.exe children of those cmd.exe processes), and each row appears three times in the report. Writes into one's own freshly created child are consistent with ordinary child-process startup rather than injection into an unrelated process, so this signature adds little on its own here.
description | pid | Process | procid_target
PID 2196 wrote to memory of 4148 | 2196 | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe | 66
PID 2196 wrote to memory of 4796 | 2196 | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe | 67
PID 2196 wrote to memory of 4780 | 2196 | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe | 69
PID 2196 wrote to memory of 5020 | 2196 | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe | 68
PID 2196 wrote to memory of 5092 | 2196 | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe | 70
PID 2196 wrote to memory of 4108 | 2196 | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe | 78
PID 2196 wrote to memory of 1428 | 2196 | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe | 76
PID 2196 wrote to memory of 2960 | 2196 | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe | 75
PID 2196 wrote to memory of 1528 | 2196 | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe | 72
PID 2196 wrote to memory of 1280 | 2196 | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe | 79
PID 2196 wrote to memory of 3552 | 2196 | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe | 86
PID 2196 wrote to memory of 372 | 2196 | a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe | 81
PID 3552 wrote to memory of 3724 | 3552 | cmd.exe | 96
PID 2960 wrote to memory of 2992 | 2960 | cmd.exe | 97
PID 372 wrote to memory of 3964 | 372 | cmd.exe | 93
PID 4780 wrote to memory of 3752 | 4780 | cmd.exe | 94
PID 4148 wrote to memory of 3856 | 4148 | cmd.exe | 95
PID 4796 wrote to memory of 2220 | 4796 | cmd.exe | 92
PID 5020 wrote to memory of 4032 | 5020 | cmd.exe | 90
PID 1428 wrote to memory of 4428 | 1428 | cmd.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
  PID: 2196
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
    PID: 4148
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      PID: 3856
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
    PID: 4796
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      PID: 2220
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
    PID: 5020
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      PID: 4032
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
    PID: 4780
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      PID: 3752
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
    PID: 5092
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1713" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
    PID: 1528
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
    PID: 2960
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      PID: 2992
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
    PID: 1428
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      PID: 4428
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
    PID: 4108
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk814" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
    PID: 1280
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1966" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
    PID: 372
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1966" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      PID: 3964
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1281" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
    PID: 3552
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1281" /TR "C:\Users\Admin\AppData\Local\Temp\a1959499724a1599b8d469362b842db04b8f32cbdb96b84983d3a60045b2b8b2.exe"
      PID: 3724
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\WerFault.exe (level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1320
    PID: 860
    - Program crash