688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d

Analysis

max time kernel
54s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
21/09/2022, 20:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
Size

914KB
MD5

8c7963278e52a7f6d6fc7ed99559df30
SHA1

7e7108248bb2c6f55aab5d585ef13ac8d20a2523
SHA256

688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d
SHA512

257a607179cc54beb666478c34dc9d6a79016ccdf9a0a380450c423551840c07ba8974260d9c69436f3bf523542308d18dd3734df79d04a67040c4b223cb52f8
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
640	2684	WerFault.exe	66

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4312	schtasks.exe
1844	schtasks.exe
2236	schtasks.exe
3956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 4704	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	67
PID 2684 wrote to memory of 4704	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	67
PID 2684 wrote to memory of 4704	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	67
PID 2684 wrote to memory of 4716	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	68
PID 2684 wrote to memory of 4716	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	68
PID 2684 wrote to memory of 4716	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	68
PID 2684 wrote to memory of 4736	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	69
PID 2684 wrote to memory of 4736	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	69
PID 2684 wrote to memory of 4736	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	69
PID 2684 wrote to memory of 4748	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	70
PID 2684 wrote to memory of 4748	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	70
PID 2684 wrote to memory of 4748	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	70
PID 2684 wrote to memory of 5044	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	71
PID 2684 wrote to memory of 5044	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	71
PID 2684 wrote to memory of 5044	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	71
PID 2684 wrote to memory of 4128	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	72
PID 2684 wrote to memory of 4128	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	72
PID 2684 wrote to memory of 4128	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	72
PID 2684 wrote to memory of 4076	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	73
PID 2684 wrote to memory of 4076	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	73
PID 2684 wrote to memory of 4076	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	73
PID 2684 wrote to memory of 3728	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	75
PID 2684 wrote to memory of 3728	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	75
PID 2684 wrote to memory of 3728	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	75
PID 2684 wrote to memory of 4192	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	78
PID 2684 wrote to memory of 4192	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	78
PID 2684 wrote to memory of 4192	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	78
PID 2684 wrote to memory of 1552	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	77
PID 2684 wrote to memory of 1552	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	77
PID 2684 wrote to memory of 1552	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	77
PID 2684 wrote to memory of 4768	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	94
PID 2684 wrote to memory of 4768	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	94
PID 2684 wrote to memory of 4768	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	94
PID 2684 wrote to memory of 3416	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	92
PID 2684 wrote to memory of 3416	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	92
PID 2684 wrote to memory of 3416	2684	688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe	92
PID 4736 wrote to memory of 4312	4736	cmd.exe	91
PID 4736 wrote to memory of 4312	4736	cmd.exe	91
PID 4736 wrote to memory of 4312	4736	cmd.exe	91
PID 4128 wrote to memory of 1844	4128	cmd.exe	88
PID 4128 wrote to memory of 1844	4128	cmd.exe	88
PID 4128 wrote to memory of 1844	4128	cmd.exe	88
PID 4192 wrote to memory of 2236	4192	cmd.exe	89
PID 4192 wrote to memory of 2236	4192	cmd.exe	89
PID 4192 wrote to memory of 2236	4192	cmd.exe	89
PID 4716 wrote to memory of 3956	4716	cmd.exe	90
PID 4716 wrote to memory of 3956	4716	cmd.exe	90
PID 4716 wrote to memory of 3956	4716	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe
"C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
  2⤵
  PID:4704
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3956
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
  2⤵
  PID:4748
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
  2⤵
  PID:5044
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1844
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
  2⤵
  PID:4076
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
  2⤵
  PID:3728
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9386" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
  2⤵
  PID:1552
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7686" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7686" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk9495" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
  2⤵
  PID:3416
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7477" /TR "C:\Users\Admin\AppData\Local\Temp\688c976ef8b22284c0762925b9c4f881e01209ce36d2613c3a44c2cd9ed1863d.exe"
  2⤵
  PID:4768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1320
  2⤵
  - Program crash
  PID:640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2684-161-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-163-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-124-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-125-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-126-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-127-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-128-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-130-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-129-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-131-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-132-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-133-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-134-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-135-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-137-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-136-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-138-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-139-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-140-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-141-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-142-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-143-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-144-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-145-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-146-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-147-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-148-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-149-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-150-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-151-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-152-0x0000000000270000-0x0000000000320000-memory.dmp

Filesize
704KB

Download
memory/2684-153-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-154-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-155-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-156-0x0000000005050000-0x000000000554E000-memory.dmp

Filesize
5.0MB

Download
memory/2684-157-0x0000000004B50000-0x0000000004BE2000-memory.dmp

Filesize
584KB

Download
memory/2684-158-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-159-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-160-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-119-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-123-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-164-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-162-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-165-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-166-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-167-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-168-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-169-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-170-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-171-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-172-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-173-0x0000000004CC0000-0x0000000004CCA000-memory.dmp

Filesize
40KB

Download
memory/2684-120-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-121-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/2684-122-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4704-176-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4704-178-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4704-182-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4704-186-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4716-187-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4716-179-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4716-183-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4716-191-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4736-181-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4736-185-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4736-189-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-192-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-188-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download