f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47

Analysis

max time kernel
90s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2022, 06:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
Size

958KB
MD5

f023b09e43e63960dffe608ebb26a5b0
SHA1

c9b583d136553b61a2c2c8ef5752b8b3817ee782
SHA256

f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47
SHA512

7f2dfb961f0dc863b8387d84604bf34e69a1cb5befefc55ddfd3b5c9b4fea71677620d25bb426984b4d133659e3564319c8ce117078b95272d214afb5be22d05
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1704	3448	WerFault.exe	81

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4476	schtasks.exe
864	schtasks.exe
1948	schtasks.exe
4972	schtasks.exe
1188	schtasks.exe
4632	schtasks.exe
1668	schtasks.exe
4144	schtasks.exe
2280	schtasks.exe
3872	schtasks.exe
1320	schtasks.exe
2384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 372	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	82
PID 3448 wrote to memory of 372	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	82
PID 3448 wrote to memory of 372	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	82
PID 3448 wrote to memory of 4808	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	83
PID 3448 wrote to memory of 4808	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	83
PID 3448 wrote to memory of 4808	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	83
PID 3448 wrote to memory of 1204	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	84
PID 3448 wrote to memory of 1204	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	84
PID 3448 wrote to memory of 1204	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	84
PID 3448 wrote to memory of 5116	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	87
PID 3448 wrote to memory of 5116	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	87
PID 3448 wrote to memory of 5116	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	87
PID 3448 wrote to memory of 4140	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	89
PID 3448 wrote to memory of 4140	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	89
PID 3448 wrote to memory of 4140	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	89
PID 3448 wrote to memory of 1592	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	90
PID 3448 wrote to memory of 1592	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	90
PID 3448 wrote to memory of 1592	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	90
PID 3448 wrote to memory of 1940	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	93
PID 3448 wrote to memory of 1940	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	93
PID 3448 wrote to memory of 1940	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	93
PID 3448 wrote to memory of 644	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	94
PID 3448 wrote to memory of 644	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	94
PID 3448 wrote to memory of 644	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	94
PID 3448 wrote to memory of 3604	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	95
PID 3448 wrote to memory of 3604	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	95
PID 3448 wrote to memory of 3604	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	95
PID 3448 wrote to memory of 216	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	97
PID 3448 wrote to memory of 216	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	97
PID 3448 wrote to memory of 216	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	97
PID 3448 wrote to memory of 4020	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	102
PID 3448 wrote to memory of 4020	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	102
PID 3448 wrote to memory of 4020	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	102
PID 3448 wrote to memory of 3452	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	98
PID 3448 wrote to memory of 3452	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	98
PID 3448 wrote to memory of 3452	3448	f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe	98
PID 5116 wrote to memory of 864	5116	cmd.exe	114
PID 5116 wrote to memory of 864	5116	cmd.exe	114
PID 5116 wrote to memory of 864	5116	cmd.exe	114
PID 4020 wrote to memory of 4476	4020	cmd.exe	113
PID 4020 wrote to memory of 4476	4020	cmd.exe	113
PID 4020 wrote to memory of 4476	4020	cmd.exe	113
PID 1940 wrote to memory of 3872	1940	cmd.exe	109
PID 1940 wrote to memory of 3872	1940	cmd.exe	109
PID 1940 wrote to memory of 3872	1940	cmd.exe	109
PID 4808 wrote to memory of 1668	4808	cmd.exe	106
PID 4808 wrote to memory of 1668	4808	cmd.exe	106
PID 4808 wrote to memory of 1668	4808	cmd.exe	106
PID 372 wrote to memory of 4144	372	cmd.exe	107
PID 372 wrote to memory of 4144	372	cmd.exe	107
PID 372 wrote to memory of 4144	372	cmd.exe	107
PID 4140 wrote to memory of 1188	4140	cmd.exe	112
PID 4140 wrote to memory of 1188	4140	cmd.exe	112
PID 4140 wrote to memory of 1188	4140	cmd.exe	112
PID 3452 wrote to memory of 4972	3452	cmd.exe	111
PID 3452 wrote to memory of 4972	3452	cmd.exe	111
PID 3452 wrote to memory of 4972	3452	cmd.exe	111
PID 1592 wrote to memory of 1320	1592	cmd.exe	110
PID 1592 wrote to memory of 1320	1592	cmd.exe	110
PID 1592 wrote to memory of 1320	1592	cmd.exe	110
PID 1204 wrote to memory of 2280	1204	cmd.exe	108
PID 1204 wrote to memory of 2280	1204	cmd.exe	108
PID 1204 wrote to memory of 2280	1204	cmd.exe	108
PID 3604 wrote to memory of 4632	3604	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe
"C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4144
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2280
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
    3⤵
    - Creates scheduled task(s)
    PID:864
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
  2⤵
  PID:644
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2433" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2433" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5376" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
  2⤵
  PID:216
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5376" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk45" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk45" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7725" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7725" /TR "C:\Users\Admin\AppData\Local\Temp\f86556b76a060da4b4c2ff00e52192f3c9e91921e2e747c01a338b57d0786c47.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1104
  2⤵
  - Program crash
  PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3448 -ip 3448
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3448-132-0x00000000003A0000-0x0000000000450000-memory.dmp

Filesize
704KB

Download
memory/3448-133-0x00000000053C0000-0x0000000005964000-memory.dmp

Filesize
5.6MB

Download
memory/3448-134-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/3448-135-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

Filesize
40KB

Download