Analysis

max time kernel: 97s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-10-2022 10:52

Static task: static1
Behavioral task: behavioral1
Sample: 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe
Resource: win10v2004-20220812-en (windows10-2004-x64)
6 signatures
150 seconds
General

Target: 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe
Size: 950KB
MD5: f76b184c1dc21239148d67dcaed96a11
SHA1: da0542a10bd9b8feef5ebb3226f6ab6b5d38f656
SHA256: 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa
SHA512: bd45fe157da84b382640ec0948c1f384ced6bd9a92221d4b1d981d86afa5b4e51bd42db70681dd56dda3940168fc2440b03f41a1f556f73dc79764c96d2cb970
SSDEEP: 768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX
Score: 6/10
Malware Config

Signatures
Adds Run key to start application 2 TTPs 9 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe" | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe" | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe" | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe" | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe" | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe" | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe" | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4544 | 4056 | WerFault.exe | 82
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2832 | schtasks.exe
2696 | schtasks.exe
2632 | schtasks.exe
2664 | schtasks.exe
4868 | schtasks.exe
4404 | schtasks.exe
3940 | schtasks.exe
1260 | schtasks.exe
3372 | schtasks.exe
2116 | schtasks.exe
920 | schtasks.exe
672 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4056 | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe
(the same entry is logged for each of the 64 IoCs)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4056 | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each of the following entries appears three times in the original listing, except the last, which appears once (the listing is capped at 64 IoCs).

description | pid | Process | procid_target
PID 4056 wrote to memory of 708 | 4056 | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe | 84
PID 4056 wrote to memory of 504 | 4056 | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe | 83
PID 4056 wrote to memory of 2016 | 4056 | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe | 88
PID 4056 wrote to memory of 1204 | 4056 | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe | 86
PID 4056 wrote to memory of 1456 | 4056 | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe | 89
PID 4056 wrote to memory of 392 | 4056 | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe | 93
PID 4056 wrote to memory of 1424 | 4056 | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe | 92
PID 4056 wrote to memory of 4560 | 4056 | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe | 95
PID 708 wrote to memory of 2696 | 708 | cmd.exe | 97
PID 4056 wrote to memory of 4012 | 4056 | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe | 98
PID 4056 wrote to memory of 2080 | 4056 | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe | 99
PID 4056 wrote to memory of 1848 | 4056 | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe | 104
PID 4056 wrote to memory of 3592 | 4056 | 19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe | 100
PID 1424 wrote to memory of 2632 | 1424 | cmd.exe | 109
PID 2016 wrote to memory of 1260 | 2016 | cmd.exe | 102
PID 504 wrote to memory of 2116 | 504 | cmd.exe | 111
PID 1456 wrote to memory of 3372 | 1456 | cmd.exe | 110
PID 4560 wrote to memory of 672 | 4560 | cmd.exe | 116
PID 392 wrote to memory of 4404 | 392 | cmd.exe | 115
PID 1204 wrote to memory of 2664 | 1204 | cmd.exe | 112
PID 4012 wrote to memory of 920 | 4012 | cmd.exe | 114
PID 2080 wrote to memory of 4868 | 2080 | cmd.exe | 113
Processes

(indentation shows the parent/child relationship; each entry lists the image path, PID, command line and the signatures triggered)

C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe  (PID 4056)
  command line: "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 504)
    command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 2116)
      command line: SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe  (PID 708)
    command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 2696)
      command line: SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe  (PID 1204)
    command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 2664)
      command line: SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe  (PID 2016)
    command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 1260)
      command line: SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe  (PID 1456)
    command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 3372)
      command line: SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe  (PID 1424)
    command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 2632)
      command line: SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe  (PID 392)
    command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 4404)
      command line: SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe  (PID 4560)
    command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 672)
      command line: SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe  (PID 4012)
    command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2637" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 920)
      command line: SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2637" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe  (PID 2080)
    command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5345" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 4868)
      command line: SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5345" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe  (PID 3592)
    command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8261" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"

    C:\Windows\SysWOW64\schtasks.exe  (PID 2832)
      command line: SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8261" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe  (PID 1848)
    command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4556" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"

    C:\Windows\SysWOW64\schtasks.exe  (PID 3940)
      command line: SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4556" /TR "C:\Users\Admin\AppData\Local\Temp\19fcb0c14fa737f065290fd2177b902f577ab3ed6ad48d29b479a3102da98faa.exe"
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\WerFault.exe  (PID 4544)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1428
    - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 3436)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4056 -ip 4056