316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f

Analysis

max time kernel
52s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
05/10/2022, 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
Size

949KB
MD5

4f4c1f827ca6e894fc83ba558e81f31e
SHA1

c4787b9232800bd26a67c4dc8f20d52e6dea5713
SHA256

316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f
SHA512

307259e28db01a3bfbd5216da51c44cf5fb5993120310ed635847bd9b8da7b84cffffd54c0751509eb463d276df234da4ec8be75dc04e1d8f91a5cdfd01ea802
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1148	2664	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4224	schtasks.exe
3228	schtasks.exe
4256	schtasks.exe
3904	schtasks.exe
4820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 4660	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	66
PID 2664 wrote to memory of 4660	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	66
PID 2664 wrote to memory of 4660	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	66
PID 2664 wrote to memory of 3088	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	67
PID 2664 wrote to memory of 3088	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	67
PID 2664 wrote to memory of 3088	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	67
PID 2664 wrote to memory of 4080	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	68
PID 2664 wrote to memory of 4080	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	68
PID 2664 wrote to memory of 4080	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	68
PID 2664 wrote to memory of 2160	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	69
PID 2664 wrote to memory of 2160	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	69
PID 2664 wrote to memory of 2160	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	69
PID 2664 wrote to memory of 4672	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	70
PID 2664 wrote to memory of 4672	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	70
PID 2664 wrote to memory of 4672	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	70
PID 2664 wrote to memory of 4740	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	71
PID 2664 wrote to memory of 4740	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	71
PID 2664 wrote to memory of 4740	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	71
PID 2664 wrote to memory of 4968	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	72
PID 2664 wrote to memory of 4968	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	72
PID 2664 wrote to memory of 4968	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	72
PID 2664 wrote to memory of 5060	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	77
PID 2664 wrote to memory of 5060	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	77
PID 2664 wrote to memory of 5060	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	77
PID 2664 wrote to memory of 4908	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	75
PID 2664 wrote to memory of 4908	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	75
PID 2664 wrote to memory of 4908	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	75
PID 2664 wrote to memory of 4260	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	73
PID 2664 wrote to memory of 4260	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	73
PID 2664 wrote to memory of 4260	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	73
PID 2664 wrote to memory of 5072	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	80
PID 2664 wrote to memory of 5072	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	80
PID 2664 wrote to memory of 5072	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	80
PID 2664 wrote to memory of 4780	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	81
PID 2664 wrote to memory of 4780	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	81
PID 2664 wrote to memory of 4780	2664	316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe	81
PID 4740 wrote to memory of 4224	4740	cmd.exe	92
PID 4740 wrote to memory of 4224	4740	cmd.exe	92
PID 4740 wrote to memory of 4224	4740	cmd.exe	92
PID 4080 wrote to memory of 4256	4080	cmd.exe	89
PID 4080 wrote to memory of 4256	4080	cmd.exe	89
PID 4080 wrote to memory of 4256	4080	cmd.exe	89
PID 4968 wrote to memory of 4820	4968	cmd.exe	91
PID 4968 wrote to memory of 4820	4968	cmd.exe	91
PID 4968 wrote to memory of 4820	4968	cmd.exe	91
PID 3088 wrote to memory of 3904	3088	cmd.exe	90
PID 3088 wrote to memory of 3904	3088	cmd.exe	90
PID 3088 wrote to memory of 3904	3088	cmd.exe	90
PID 4908 wrote to memory of 3228	4908	cmd.exe	94
PID 4908 wrote to memory of 3228	4908	cmd.exe	94
PID 4908 wrote to memory of 3228	4908	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe
"C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
  2⤵
  PID:4660
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3904
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4256
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
  2⤵
  PID:2160
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
  2⤵
  PID:4672
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4224
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4820
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk1944" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
  2⤵
  PID:4260
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk5113" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk5113" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3228
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
  2⤵
  PID:5060
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk188" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
  2⤵
  PID:5072
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7717" /TR "C:\Users\Admin\AppData\Local\Temp\316a69e6f3ac8e58fb252fcd0178db28088014f24bab38cdb945f25dbd9c6f9f.exe"
  2⤵
  PID:4780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1320
  2⤵
  - Program crash
  PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2160-188-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2160-184-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-157-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-160-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-120-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-121-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-122-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-123-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-124-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-125-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-126-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-127-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-128-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-129-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-130-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-131-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-132-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-133-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-134-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-135-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-158-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-137-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-138-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-139-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-140-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-141-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-142-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-143-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-144-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-145-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-146-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-147-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-148-0x00000000003C0000-0x0000000000470000-memory.dmp

Filesize
704KB

Download
memory/2664-149-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-150-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-151-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-152-0x0000000005190000-0x000000000568E000-memory.dmp

Filesize
5.0MB

Download
memory/2664-153-0x0000000004D30000-0x0000000004DC2000-memory.dmp

Filesize
584KB

Download
memory/2664-154-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-155-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-156-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-115-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-136-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-119-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-116-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-161-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-162-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-163-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-164-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-165-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-166-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-167-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-168-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-169-0x0000000004CA0000-0x0000000004CAA000-memory.dmp

Filesize
40KB

Download
memory/2664-117-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-159-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2664-118-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3088-179-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3088-187-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3088-175-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3088-183-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4080-182-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4080-178-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4080-186-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4660-177-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4660-174-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4660-172-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/4660-181-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download