c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece

Analysis

max time kernel
54s
max time network
113s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
30-09-2022 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
Size

939KB
MD5

674ff95910d6eef6789de6ff1755a701
SHA1

4c689eb0a1c9c2ee0edcddba9bb444d191cc143d
SHA256

c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece
SHA512

587d826bef85de570dc2959cb3b00b9323a20290b7059e8ea6644748528f4c1caf87ca5bca8d39d3bb0d2ca88cffb30dad27c4266ef99e8f9099dbb5546d9991
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1636	3528	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3164	schtasks.exe
692	schtasks.exe
3020	schtasks.exe
4244	schtasks.exe
3180	schtasks.exe
3248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 4816	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	66
PID 3528 wrote to memory of 4816	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	66
PID 3528 wrote to memory of 4816	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	66
PID 3528 wrote to memory of 4852	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	67
PID 3528 wrote to memory of 4852	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	67
PID 3528 wrote to memory of 4852	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	67
PID 3528 wrote to memory of 4888	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	68
PID 3528 wrote to memory of 4888	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	68
PID 3528 wrote to memory of 4888	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	68
PID 3528 wrote to memory of 4904	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	69
PID 3528 wrote to memory of 4904	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	69
PID 3528 wrote to memory of 4904	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	69
PID 3528 wrote to memory of 4312	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	70
PID 3528 wrote to memory of 4312	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	70
PID 3528 wrote to memory of 4312	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	70
PID 3528 wrote to memory of 4320	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	94
PID 3528 wrote to memory of 4320	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	94
PID 3528 wrote to memory of 4320	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	94
PID 3528 wrote to memory of 1112	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	92
PID 3528 wrote to memory of 1112	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	92
PID 3528 wrote to memory of 1112	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	92
PID 3528 wrote to memory of 5048	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	90
PID 3528 wrote to memory of 5048	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	90
PID 3528 wrote to memory of 5048	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	90
PID 3528 wrote to memory of 1176	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	72
PID 3528 wrote to memory of 1176	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	72
PID 3528 wrote to memory of 1176	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	72
PID 3528 wrote to memory of 4080	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	73
PID 3528 wrote to memory of 4080	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	73
PID 3528 wrote to memory of 4080	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	73
PID 3528 wrote to memory of 4932	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	74
PID 3528 wrote to memory of 4932	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	74
PID 3528 wrote to memory of 4932	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	74
PID 3528 wrote to memory of 4304	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	75
PID 3528 wrote to memory of 4304	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	75
PID 3528 wrote to memory of 4304	3528	c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe	75
PID 4816 wrote to memory of 3020	4816	cmd.exe	87
PID 4816 wrote to memory of 3020	4816	cmd.exe	87
PID 4816 wrote to memory of 3020	4816	cmd.exe	87
PID 5048 wrote to memory of 692	5048	cmd.exe	86
PID 5048 wrote to memory of 692	5048	cmd.exe	86
PID 5048 wrote to memory of 692	5048	cmd.exe	86
PID 1112 wrote to memory of 3164	1112	cmd.exe	85
PID 1112 wrote to memory of 3164	1112	cmd.exe	85
PID 1112 wrote to memory of 3164	1112	cmd.exe	85
PID 4852 wrote to memory of 3180	4852	cmd.exe	83
PID 4852 wrote to memory of 3180	4852	cmd.exe	83
PID 4852 wrote to memory of 3180	4852	cmd.exe	83
PID 4888 wrote to memory of 3248	4888	cmd.exe	84
PID 4888 wrote to memory of 3248	4888	cmd.exe	84
PID 4888 wrote to memory of 3248	4888	cmd.exe	84
PID 4932 wrote to memory of 4244	4932	cmd.exe	95
PID 4932 wrote to memory of 4244	4932	cmd.exe	95
PID 4932 wrote to memory of 4244	4932	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe
"C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3180
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3248
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
  2⤵
  PID:4904
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
  2⤵
  PID:4312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7828" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
  2⤵
  PID:1176
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk985" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
  2⤵
  PID:4080
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk6573" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk6573" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4244
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk6484" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
  2⤵
  PID:4304
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
  2⤵
  PID:4320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 1396
  2⤵
  - Program crash
  PID:1636

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
1⤵
- Creates scheduled task(s)
PID:3164

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\c72b7cc903a5e8f1a7de7e839fa37e6fcd2b2c7fcce5b8e3bbdbb8c09345cece.exe"
1⤵
- Creates scheduled task(s)
PID:692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/692-244-0x0000000000000000-mapping.dmp

Download
memory/1112-193-0x0000000000000000-mapping.dmp

Download
memory/1176-203-0x0000000000000000-mapping.dmp

Download
memory/3020-243-0x0000000000000000-mapping.dmp

Download
memory/3164-245-0x0000000000000000-mapping.dmp

Download
memory/3180-246-0x0000000000000000-mapping.dmp

Download
memory/3248-253-0x0000000000000000-mapping.dmp

Download
memory/3528-139-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-158-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-127-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-128-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-129-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-130-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-131-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-132-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-133-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-134-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-135-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-163-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-137-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-138-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-118-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-140-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-141-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-142-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-143-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-144-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-145-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-146-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-147-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-148-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-149-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-150-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-151-0x0000000000010000-0x00000000000C0000-memory.dmp

Filesize
704KB

Download
memory/3528-152-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-153-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-154-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-155-0x0000000004E50000-0x000000000534E000-memory.dmp

Filesize
5.0MB

Download
memory/3528-156-0x0000000004950000-0x00000000049E2000-memory.dmp

Filesize
584KB

Download
memory/3528-157-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-165-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-160-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-159-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-161-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-162-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-136-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-164-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-126-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-166-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-167-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-168-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-169-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-170-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-171-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-172-0x00000000048F0000-0x00000000048FA000-memory.dmp

Filesize
40KB

Download
memory/3528-119-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-120-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-121-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-122-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-123-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-124-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3528-125-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4080-208-0x0000000000000000-mapping.dmp

Download
memory/4244-276-0x0000000000000000-mapping.dmp

Download
memory/4304-218-0x0000000000000000-mapping.dmp

Download
memory/4312-183-0x0000000000000000-mapping.dmp

Download
memory/4320-188-0x0000000000000000-mapping.dmp

Download
memory/4816-177-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4816-180-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4816-175-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4816-184-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4816-173-0x0000000000000000-mapping.dmp

Download
memory/4852-174-0x0000000000000000-mapping.dmp

Download
memory/4852-185-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-178-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-181-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4852-189-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4888-190-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4888-187-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4888-176-0x0000000000000000-mapping.dmp

Download
memory/4888-182-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4904-186-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4904-179-0x0000000000000000-mapping.dmp

Download
memory/4904-191-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4932-213-0x0000000000000000-mapping.dmp

Download
memory/5048-198-0x0000000000000000-mapping.dmp

Download