510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b

Analysis

max time kernel
53s
max time network
116s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
22/09/2022, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
Size

914KB
MD5

f7a4c70ce4b9c3592f195edaed7e4240
SHA1

00c24a176f3117b1bf729d53511f026854789998
SHA256

510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b
SHA512

b5a4410daff8127a8d2ea7133c5c4c695e0b33447c2a827518fb16b7def2aaac3833259488c354daa9b194bf489e10d554705f80a45721ee29f5d2736368c3b5
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
932	2248	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3204	schtasks.exe
4700	schtasks.exe
3140	schtasks.exe
3068	schtasks.exe
4440	schtasks.exe
4308	schtasks.exe
3116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3552	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	66
PID 2248 wrote to memory of 3552	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	66
PID 2248 wrote to memory of 3552	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	66
PID 2248 wrote to memory of 3512	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	67
PID 2248 wrote to memory of 3512	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	67
PID 2248 wrote to memory of 3512	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	67
PID 2248 wrote to memory of 3480	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	68
PID 2248 wrote to memory of 3480	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	68
PID 2248 wrote to memory of 3480	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	68
PID 2248 wrote to memory of 4632	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	69
PID 2248 wrote to memory of 4632	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	69
PID 2248 wrote to memory of 4632	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	69
PID 2248 wrote to memory of 4152	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	70
PID 2248 wrote to memory of 4152	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	70
PID 2248 wrote to memory of 4152	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	70
PID 2248 wrote to memory of 3688	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	85
PID 2248 wrote to memory of 3688	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	85
PID 2248 wrote to memory of 3688	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	85
PID 2248 wrote to memory of 1500	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	83
PID 2248 wrote to memory of 1500	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	83
PID 2248 wrote to memory of 1500	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	83
PID 2248 wrote to memory of 2980	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	82
PID 2248 wrote to memory of 2980	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	82
PID 2248 wrote to memory of 2980	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	82
PID 2248 wrote to memory of 1124	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	72
PID 2248 wrote to memory of 1124	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	72
PID 2248 wrote to memory of 1124	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	72
PID 2248 wrote to memory of 1556	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	73
PID 2248 wrote to memory of 1556	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	73
PID 2248 wrote to memory of 1556	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	73
PID 2248 wrote to memory of 3476	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	80
PID 2248 wrote to memory of 3476	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	80
PID 2248 wrote to memory of 3476	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	80
PID 2248 wrote to memory of 4172	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	78
PID 2248 wrote to memory of 4172	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	78
PID 2248 wrote to memory of 4172	2248	510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe	78
PID 3552 wrote to memory of 3068	3552	cmd.exe	90
PID 3552 wrote to memory of 3068	3552	cmd.exe	90
PID 3552 wrote to memory of 3068	3552	cmd.exe	90
PID 1500 wrote to memory of 3140	1500	cmd.exe	96
PID 1500 wrote to memory of 3140	1500	cmd.exe	96
PID 1500 wrote to memory of 3140	1500	cmd.exe	96
PID 3512 wrote to memory of 4700	3512	cmd.exe	95
PID 3512 wrote to memory of 4700	3512	cmd.exe	95
PID 3512 wrote to memory of 4700	3512	cmd.exe	95
PID 4632 wrote to memory of 3204	4632	cmd.exe	94
PID 4632 wrote to memory of 3204	4632	cmd.exe	94
PID 4632 wrote to memory of 3204	4632	cmd.exe	94
PID 4152 wrote to memory of 3116	4152	cmd.exe	93
PID 4152 wrote to memory of 3116	4152	cmd.exe	93
PID 4152 wrote to memory of 3116	4152	cmd.exe	93
PID 3480 wrote to memory of 4308	3480	cmd.exe	92
PID 3480 wrote to memory of 4308	3480	cmd.exe	92
PID 3480 wrote to memory of 4308	3480	cmd.exe	92
PID 3688 wrote to memory of 4440	3688	cmd.exe	91
PID 3688 wrote to memory of 4440	3688	cmd.exe	91
PID 3688 wrote to memory of 4440	3688	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe
"C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4700
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4308
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3204
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3116
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7686" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
  2⤵
  PID:1124
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9386" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
  2⤵
  PID:1556
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk9495" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
  2⤵
  PID:4172
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7477" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
  2⤵
  PID:3476
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
  2⤵
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\510cca5ebf1671102bd30bcceacfd7a8c456755466b83c23cbf2e6ccbec4087b.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1316
  2⤵
  - Program crash
  PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2248-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-151-0x0000000000250000-0x0000000000300000-memory.dmp

Filesize
704KB

Download
memory/2248-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-155-0x0000000005130000-0x000000000562E000-memory.dmp

Filesize
5.0MB

Download
memory/2248-156-0x0000000004B40000-0x0000000004BD2000-memory.dmp

Filesize
584KB

Download
memory/2248-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-118-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-172-0x0000000004B30000-0x0000000004B3A000-memory.dmp

Filesize
40KB

Download
memory/2248-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3480-191-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3480-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3480-187-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-186-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3552-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3552-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3552-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3552-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4632-190-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4632-188-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download