0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4

Analysis

max time kernel
136s
max time network
140s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
09-10-2022 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
Size

963KB
MD5

8470085fc126af72665759eb2af7df1c
SHA1

345a19e22ae51d515ff2d5efbaa07be3c493ba79
SHA256

0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4
SHA512

945b8e62e1115498f17a6e90efb689e60a0d365542e8fe4c953ef3a944823ae2795d78d86fbce369dde6184dc392bd538cdfc12fa5303911937d2a8d9b45f76a
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1464	344	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4668	schtasks.exe
4484	schtasks.exe
4992	schtasks.exe
4088	schtasks.exe
3084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 2020	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	66
PID 344 wrote to memory of 2020	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	66
PID 344 wrote to memory of 2020	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	66
PID 344 wrote to memory of 2416	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	67
PID 344 wrote to memory of 2416	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	67
PID 344 wrote to memory of 2416	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	67
PID 344 wrote to memory of 2192	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	68
PID 344 wrote to memory of 2192	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	68
PID 344 wrote to memory of 2192	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	68
PID 344 wrote to memory of 3608	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	69
PID 344 wrote to memory of 3608	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	69
PID 344 wrote to memory of 3608	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	69
PID 344 wrote to memory of 3600	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	70
PID 344 wrote to memory of 3600	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	70
PID 344 wrote to memory of 3600	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	70
PID 344 wrote to memory of 4060	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	94
PID 344 wrote to memory of 4060	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	94
PID 344 wrote to memory of 4060	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	94
PID 344 wrote to memory of 1332	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	92
PID 344 wrote to memory of 1332	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	92
PID 344 wrote to memory of 1332	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	92
PID 344 wrote to memory of 4776	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	90
PID 344 wrote to memory of 4776	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	90
PID 344 wrote to memory of 4776	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	90
PID 344 wrote to memory of 4608	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	89
PID 344 wrote to memory of 4608	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	89
PID 344 wrote to memory of 4608	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	89
PID 344 wrote to memory of 4232	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	72
PID 344 wrote to memory of 4232	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	72
PID 344 wrote to memory of 4232	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	72
PID 344 wrote to memory of 4272	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	85
PID 344 wrote to memory of 4272	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	85
PID 344 wrote to memory of 4272	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	85
PID 344 wrote to memory of 3552	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	74
PID 344 wrote to memory of 3552	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	74
PID 344 wrote to memory of 3552	344	0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe	74
PID 2416 wrote to memory of 4668	2416	cmd.exe	81
PID 2416 wrote to memory of 4668	2416	cmd.exe	81
PID 2416 wrote to memory of 4668	2416	cmd.exe	81
PID 2020 wrote to memory of 3084	2020	cmd.exe	80
PID 2020 wrote to memory of 3084	2020	cmd.exe	80
PID 2020 wrote to memory of 3084	2020	cmd.exe	80
PID 3600 wrote to memory of 4484	3600	cmd.exe	82
PID 3600 wrote to memory of 4484	3600	cmd.exe	82
PID 3600 wrote to memory of 4484	3600	cmd.exe	82
PID 2192 wrote to memory of 4088	2192	cmd.exe	87
PID 2192 wrote to memory of 4088	2192	cmd.exe	87
PID 2192 wrote to memory of 4088	2192	cmd.exe	87
PID 3608 wrote to memory of 4992	3608	cmd.exe	86
PID 3608 wrote to memory of 4992	3608	cmd.exe	86
PID 3608 wrote to memory of 4992	3608	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe
"C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:344
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3084
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4668
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4088
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4992
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4484
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk7032" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
  2⤵
  PID:4232
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk404" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
  2⤵
  PID:3552
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk6038" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
  2⤵
  PID:4272
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk611" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
  2⤵
  PID:4608
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
  2⤵
  PID:4776
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
  2⤵
  PID:1332
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\0897f4b909d8030bc48492547d761e535617458d3e001c1f777e9ceb64f8d3c4.exe"
  2⤵
  PID:4060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 1376
  2⤵
  - Program crash
  PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/344-162-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-148-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-122-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-123-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-124-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-125-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-126-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-127-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-128-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-129-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-130-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-131-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-132-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-133-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-134-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-135-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-136-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-137-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-138-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-139-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-140-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-141-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-142-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-143-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-144-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-145-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-146-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-164-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-163-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-149-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-120-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-151-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-152-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-153-0x0000000000030000-0x00000000000E0000-memory.dmp

Filesize
704KB

Download
memory/344-154-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-155-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-156-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-157-0x0000000004F00000-0x00000000053FE000-memory.dmp

Filesize
5.0MB

Download
memory/344-158-0x0000000004900000-0x0000000004992000-memory.dmp

Filesize
584KB

Download
memory/344-159-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-160-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-161-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-150-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-121-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-147-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-165-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-166-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-167-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-168-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-169-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-170-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-171-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-172-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-173-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/344-174-0x00000000049A0000-0x00000000049AA000-memory.dmp

Filesize
40KB

Download
memory/1332-194-0x0000000000000000-mapping.dmp

Download
memory/2020-177-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/2020-180-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/2020-188-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/2020-184-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/2020-175-0x0000000000000000-mapping.dmp

Download
memory/2192-178-0x0000000000000000-mapping.dmp

Download
memory/2192-185-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/2192-193-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/2192-190-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-187-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-179-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-176-0x0000000000000000-mapping.dmp

Download
memory/2416-181-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/2416-183-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/3084-244-0x0000000000000000-mapping.dmp

Download
memory/3552-220-0x0000000000000000-mapping.dmp

Download
memory/3600-186-0x0000000000000000-mapping.dmp

Download
memory/3608-192-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/3608-182-0x0000000000000000-mapping.dmp

Download
memory/3608-189-0x0000000077170000-0x00000000772FE000-memory.dmp

Filesize
1.6MB

Download
memory/4060-191-0x0000000000000000-mapping.dmp

Download
memory/4088-260-0x0000000000000000-mapping.dmp

Download
memory/4232-209-0x0000000000000000-mapping.dmp

Download
memory/4272-215-0x0000000000000000-mapping.dmp

Download
memory/4484-248-0x0000000000000000-mapping.dmp

Download
memory/4608-204-0x0000000000000000-mapping.dmp

Download
memory/4668-243-0x0000000000000000-mapping.dmp

Download
memory/4776-199-0x0000000000000000-mapping.dmp

Download
memory/4992-261-0x0000000000000000-mapping.dmp

Download