4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647

Analysis

max time kernel
144s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
28-09-2022 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
Size

932KB
MD5

51a4bb3d2d46fb7cc56d76770e8ad3c0
SHA1

66fcb70c7f5da52ebd958318fab2e128273c7197
SHA256

4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647
SHA512

e134f3a1b63355308dd50eb151a425106ea5382e35464e5ea27c7eeb94d1df5bd2b16c1127841bbdc66915b213958f2b5829994340732f57f2e5753b90e644a4
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1744	1756	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5032	schtasks.exe
4540	schtasks.exe
4292	schtasks.exe
3808	schtasks.exe
5008	schtasks.exe
4592	schtasks.exe
5040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 5104	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	66
PID 1756 wrote to memory of 5104	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	66
PID 1756 wrote to memory of 5104	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	66
PID 1756 wrote to memory of 4156	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	91
PID 1756 wrote to memory of 4156	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	91
PID 1756 wrote to memory of 4156	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	91
PID 1756 wrote to memory of 4280	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	67
PID 1756 wrote to memory of 4280	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	67
PID 1756 wrote to memory of 4280	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	67
PID 1756 wrote to memory of 3956	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	90
PID 1756 wrote to memory of 3956	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	90
PID 1756 wrote to memory of 3956	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	90
PID 1756 wrote to memory of 936	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	68
PID 1756 wrote to memory of 936	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	68
PID 1756 wrote to memory of 936	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	68
PID 1756 wrote to memory of 1984	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	89
PID 1756 wrote to memory of 1984	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	89
PID 1756 wrote to memory of 1984	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	89
PID 1756 wrote to memory of 1888	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	87
PID 1756 wrote to memory of 1888	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	87
PID 1756 wrote to memory of 1888	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	87
PID 1756 wrote to memory of 4340	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	84
PID 1756 wrote to memory of 4340	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	84
PID 1756 wrote to memory of 4340	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	84
PID 1756 wrote to memory of 3988	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	69
PID 1756 wrote to memory of 3988	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	69
PID 1756 wrote to memory of 3988	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	69
PID 1756 wrote to memory of 2236	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	70
PID 1756 wrote to memory of 2236	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	70
PID 1756 wrote to memory of 2236	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	70
PID 1756 wrote to memory of 3420	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	71
PID 1756 wrote to memory of 3420	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	71
PID 1756 wrote to memory of 3420	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	71
PID 1756 wrote to memory of 3508	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	72
PID 1756 wrote to memory of 3508	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	72
PID 1756 wrote to memory of 3508	1756	4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe	72
PID 3956 wrote to memory of 4540	3956	cmd.exe	79
PID 3956 wrote to memory of 4540	3956	cmd.exe	79
PID 3956 wrote to memory of 4540	3956	cmd.exe	79
PID 4280 wrote to memory of 3808	4280	cmd.exe	81
PID 4280 wrote to memory of 3808	4280	cmd.exe	81
PID 4280 wrote to memory of 3808	4280	cmd.exe	81
PID 4156 wrote to memory of 4292	4156	cmd.exe	80
PID 4156 wrote to memory of 4292	4156	cmd.exe	80
PID 4156 wrote to memory of 4292	4156	cmd.exe	80
PID 1888 wrote to memory of 4592	1888	cmd.exe	93
PID 1888 wrote to memory of 4592	1888	cmd.exe	93
PID 1888 wrote to memory of 4592	1888	cmd.exe	93
PID 4340 wrote to memory of 5008	4340	cmd.exe	92
PID 4340 wrote to memory of 5008	4340	cmd.exe	92
PID 4340 wrote to memory of 5008	4340	cmd.exe	92
PID 3988 wrote to memory of 5040	3988	cmd.exe	94
PID 3988 wrote to memory of 5040	3988	cmd.exe	94
PID 3988 wrote to memory of 5040	3988	cmd.exe	94
PID 2236 wrote to memory of 5032	2236	cmd.exe	95
PID 2236 wrote to memory of 5032	2236	cmd.exe	95
PID 2236 wrote to memory of 5032	2236	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe
"C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
  2⤵
  PID:5104
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3808
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
  2⤵
  PID:936
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7009" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7009" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5040
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk402" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk402" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5032
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk9522" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
  2⤵
  PID:3420
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8901" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
  2⤵
  PID:3508
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5008
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4592
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
  2⤵
  PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3956
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1320
  2⤵
  - Program crash
  PID:1744

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
1⤵
- Creates scheduled task(s)
PID:4540

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\4b4411ef7ad56b5dd1e8f44c03d56b2cd1b81b45928f14a04a9ce84c69d8d647.exe"
1⤵
- Creates scheduled task(s)
PID:4292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1756-160-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-128-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-119-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-120-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-121-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-122-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-123-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-124-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-125-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-126-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-127-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-163-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-129-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-130-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-131-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-132-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-133-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-134-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-135-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-136-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-137-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-138-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-139-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-140-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-141-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-142-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-143-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-162-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-145-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-146-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-147-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-148-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-149-0x0000000000E70000-0x0000000000F20000-memory.dmp

Filesize
704KB

Download
memory/1756-150-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-151-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-152-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-153-0x0000000005D00000-0x00000000061FE000-memory.dmp

Filesize
5.0MB

Download
memory/1756-154-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/1756-155-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-157-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-158-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-116-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-159-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-144-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-118-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-164-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-166-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-167-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-156-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-161-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-165-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-168-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-169-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-170-0x00000000058D0000-0x00000000058DA000-memory.dmp

Filesize
40KB

Download
memory/1756-117-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/3956-189-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/3956-185-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4156-184-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4156-176-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4156-188-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4156-180-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4280-187-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4280-182-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/4280-178-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/5104-183-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/5104-175-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/5104-173-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/5104-179-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download