bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3

Analysis

max time kernel
51s
max time network
114s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
23-09-2022 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
Size

918KB
MD5

200a0c67addb88ddfab79bdc760d8a21
SHA1

8a8b2f71cdbeb9d6b573b558854518af9e4398cf
SHA256

bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3
SHA512

9a7af4212f3475ec6392576e1385ccdf4826fe2605cf050148ed6e541c70236add3f0a2ab4769a7e9791ce976c910596ba5fb716040382dbab8698776a1016d9
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2104 4808 WerFault.exe bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3252 schtasks.exe
4596 schtasks.exe
4456 schtasks.exe
4468 schtasks.exe
2848 schtasks.exe

pid	pid_target	process	target process
2104	4808	WerFault.exe	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe

pid	process
3252	schtasks.exe
4596	schtasks.exe
4456	schtasks.exe
4468	schtasks.exe
2848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe

pid	process
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe

description pid process

Token: SeDebugPrivilege 4808 bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe

description	pid	process
Token: SeDebugPrivilege	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4808 wrote to memory of 3548	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 3548	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 3548	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 3636	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 3636	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 3636	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4324	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4324	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4324	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4364	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4364	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4364	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 2860	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 2860	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 2860	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4276	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4276	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4276	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4272	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4272	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4272	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 1552	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 1552	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 1552	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4400	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4400	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4400	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 5112	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 5112	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 5112	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4852	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4852	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 4852	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 788	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 788	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 4808 wrote to memory of 788	4808	bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe	cmd.exe
PID 3548 wrote to memory of 4596	3548	cmd.exe	schtasks.exe
PID 3548 wrote to memory of 4596	3548	cmd.exe	schtasks.exe
PID 3548 wrote to memory of 4596	3548	cmd.exe	schtasks.exe
PID 4364 wrote to memory of 2848	4364	cmd.exe	schtasks.exe
PID 4364 wrote to memory of 2848	4364	cmd.exe	schtasks.exe
PID 4364 wrote to memory of 2848	4364	cmd.exe	schtasks.exe
PID 3636 wrote to memory of 3252	3636	cmd.exe	schtasks.exe
PID 3636 wrote to memory of 3252	3636	cmd.exe	schtasks.exe
PID 3636 wrote to memory of 3252	3636	cmd.exe	schtasks.exe
PID 4400 wrote to memory of 4456	4400	cmd.exe	schtasks.exe
PID 4400 wrote to memory of 4456	4400	cmd.exe	schtasks.exe
PID 4400 wrote to memory of 4456	4400	cmd.exe	schtasks.exe
PID 788 wrote to memory of 4468	788	cmd.exe	schtasks.exe
PID 788 wrote to memory of 4468	788	cmd.exe	schtasks.exe
PID 788 wrote to memory of 4468	788	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe
"C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
3⤵
- Creates scheduled task(s)
PID:4596

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
3⤵
- Creates scheduled task(s)
PID:3252

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
2⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
3⤵
- Creates scheduled task(s)
PID:2848

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
2⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
2⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6511" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6511" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
3⤵
- Creates scheduled task(s)
PID:4456

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk3427" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk3427" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
3⤵
- Creates scheduled task(s)
PID:4468

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk9351" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
2⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3429" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
2⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
2⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\bc6798edf51efc67035ee7853e7a61640319bc984cb85146b15477eec9a0c7d3.exe"
2⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1316
2⤵
- Program crash
PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/788-222-0x0000000000000000-mapping.dmp

Download
memory/1552-200-0x0000000000000000-mapping.dmp

Download
memory/2848-247-0x0000000000000000-mapping.dmp

Download
memory/2860-185-0x0000000000000000-mapping.dmp

Download
memory/3252-252-0x0000000000000000-mapping.dmp

Download
memory/3548-186-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3548-180-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3548-182-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3548-177-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3548-175-0x0000000000000000-mapping.dmp

Download
memory/3636-183-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3636-191-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3636-179-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3636-187-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/3636-176-0x0000000000000000-mapping.dmp

Download
memory/4272-195-0x0000000000000000-mapping.dmp

Download
memory/4276-190-0x0000000000000000-mapping.dmp

Download
memory/4324-192-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4324-188-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4324-184-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4324-178-0x0000000000000000-mapping.dmp

Download
memory/4364-189-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4364-193-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4364-181-0x0000000000000000-mapping.dmp

Download
memory/4400-205-0x0000000000000000-mapping.dmp

Download
memory/4456-269-0x0000000000000000-mapping.dmp

Download
memory/4468-274-0x0000000000000000-mapping.dmp

Download
memory/4596-246-0x0000000000000000-mapping.dmp

Download
memory/4808-141-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-146-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-150-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-151-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-152-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-153-0x0000000000310000-0x00000000003C0000-memory.dmp

Filesize
704KB

Download
memory/4808-154-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-155-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-156-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-157-0x0000000005070000-0x000000000556E000-memory.dmp

Filesize
5.0MB

Download
memory/4808-158-0x0000000004C10000-0x0000000004CA2000-memory.dmp

Filesize
584KB

Download
memory/4808-159-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-160-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-161-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-163-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-162-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-164-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-165-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-166-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-167-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-168-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-169-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-170-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-171-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-172-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-173-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-174-0x0000000004D70000-0x0000000004D7A000-memory.dmp

Filesize
40KB

Download
memory/4808-148-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-147-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-149-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-145-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-144-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-143-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-142-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-120-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-140-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-139-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-138-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-137-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-121-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-136-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-122-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-135-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-134-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-133-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-132-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-131-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-130-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-129-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-128-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-127-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-126-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-125-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-124-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4808-123-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-215-0x0000000000000000-mapping.dmp

Download
memory/5112-210-0x0000000000000000-mapping.dmp

Download