59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a

Analysis

max time kernel
52s
max time network
112s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24/09/2022, 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
Size

922KB
MD5

7ee530f49a44382b86673d7bd5f33473
SHA1

f298855262f46a32dd28ae10b55f91039294d436
SHA256

59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a
SHA512

2330f4b2ee3c8c9237065f3f5afe6748ebcdea875e306866f5340410d19da3b7e5e433a2b1e635fbbaea66521648066fed38cca137bb0eb20c84493203c77b6a
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3164	2836	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4856	schtasks.exe
3912	schtasks.exe
4820	schtasks.exe
3888	schtasks.exe
1740	schtasks.exe
3560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 4404	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	66
PID 2836 wrote to memory of 4404	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	66
PID 2836 wrote to memory of 4404	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	66
PID 2836 wrote to memory of 4812	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	67
PID 2836 wrote to memory of 4812	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	67
PID 2836 wrote to memory of 4812	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	67
PID 2836 wrote to memory of 4868	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	68
PID 2836 wrote to memory of 4868	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	68
PID 2836 wrote to memory of 4868	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	68
PID 2836 wrote to memory of 68	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	74
PID 2836 wrote to memory of 68	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	74
PID 2836 wrote to memory of 68	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	74
PID 2836 wrote to memory of 1580	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	69
PID 2836 wrote to memory of 1580	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	69
PID 2836 wrote to memory of 1580	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	69
PID 2836 wrote to memory of 4888	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	70
PID 2836 wrote to memory of 4888	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	70
PID 2836 wrote to memory of 4888	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	70
PID 2836 wrote to memory of 3956	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	71
PID 2836 wrote to memory of 3956	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	71
PID 2836 wrote to memory of 3956	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	71
PID 2836 wrote to memory of 3344	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	72
PID 2836 wrote to memory of 3344	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	72
PID 2836 wrote to memory of 3344	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	72
PID 2836 wrote to memory of 1828	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	88
PID 2836 wrote to memory of 1828	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	88
PID 2836 wrote to memory of 1828	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	88
PID 2836 wrote to memory of 1096	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	78
PID 2836 wrote to memory of 1096	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	78
PID 2836 wrote to memory of 1096	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	78
PID 2836 wrote to memory of 4044	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	79
PID 2836 wrote to memory of 4044	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	79
PID 2836 wrote to memory of 4044	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	79
PID 2836 wrote to memory of 4900	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	80
PID 2836 wrote to memory of 4900	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	80
PID 2836 wrote to memory of 4900	2836	59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe	80
PID 4888 wrote to memory of 4820	4888	cmd.exe	91
PID 4888 wrote to memory of 4820	4888	cmd.exe	91
PID 4888 wrote to memory of 4820	4888	cmd.exe	91
PID 4812 wrote to memory of 4856	4812	cmd.exe	89
PID 4812 wrote to memory of 4856	4812	cmd.exe	89
PID 4812 wrote to memory of 4856	4812	cmd.exe	89
PID 1580 wrote to memory of 3912	1580	cmd.exe	90
PID 1580 wrote to memory of 3912	1580	cmd.exe	90
PID 1580 wrote to memory of 3912	1580	cmd.exe	90
PID 68 wrote to memory of 1740	68	cmd.exe	93
PID 68 wrote to memory of 1740	68	cmd.exe	93
PID 68 wrote to memory of 1740	68	cmd.exe	93
PID 4404 wrote to memory of 3888	4404	cmd.exe	92
PID 4404 wrote to memory of 3888	4404	cmd.exe	92
PID 4404 wrote to memory of 3888	4404	cmd.exe	92
PID 1828 wrote to memory of 3560	1828	cmd.exe	94
PID 1828 wrote to memory of 3560	1828	cmd.exe	94
PID 1828 wrote to memory of 3560	1828	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe
"C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3888
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4856
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
  2⤵
  PID:4868
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4820
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
  2⤵
  PID:3956
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
  2⤵
  PID:3344
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:68
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk1798" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
  2⤵
  PID:1096
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk943" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
  2⤵
  PID:4044
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk4785" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
  2⤵
  PID:4900
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7240" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7240" /TR "C:\Users\Admin\AppData\Local\Temp\59f875b8ee2c4035868fe30a7394b7503f92e076db6cbb3880cf0014386ada8a.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1320
  2⤵
  - Program crash
  PID:3164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/68-186-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/68-182-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-188-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-157-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-167-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-125-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-127-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-126-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-128-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-163-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-130-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-131-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-132-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-133-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-134-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-135-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-136-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-161-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-138-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-139-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-140-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-141-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-142-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-143-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-144-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-145-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-146-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-147-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-148-0x0000000000F90000-0x0000000001040000-memory.dmp

Filesize
704KB

Download
memory/2836-149-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-150-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-151-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-152-0x0000000005F60000-0x000000000645E000-memory.dmp

Filesize
5.0MB

Download
memory/2836-153-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/2836-154-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-155-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-156-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-115-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-158-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-159-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-160-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-137-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-124-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-129-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-164-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-165-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-166-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-162-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-168-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-169-0x0000000001AC0000-0x0000000001ACA000-memory.dmp

Filesize
40KB

Download
memory/2836-116-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-117-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-118-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-119-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-120-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-123-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-122-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-121-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/4404-172-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/4404-180-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/4404-176-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/4404-185-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/4812-175-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/4812-178-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/4812-184-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-177-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-181-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-187-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download