3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f

Analysis

max time kernel
42s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26/09/2022, 12:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
Size

927KB
MD5

d7297b7b05d3168243b0ed636261ec6c
SHA1

7ce203a3b55a5714a3f2a825564b44331a41580c
SHA256

3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f
SHA512

69438fc8f2c92eb80bfdfb743f19071c92f8adc5848c42f86a68dd1ee4de5129743c8b147586eaa9b3a58f96cbfca44b3c1e9d2994ebc7a38c3e6c56188e7ad6
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2888	1288	WerFault.exe	81

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2700	schtasks.exe
1540	schtasks.exe
1708	schtasks.exe
804	schtasks.exe
3344	schtasks.exe
1348	schtasks.exe
1404	schtasks.exe
4024	schtasks.exe
2284	schtasks.exe
868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2376	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	85
PID 1288 wrote to memory of 2376	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	85
PID 1288 wrote to memory of 2376	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	85
PID 1288 wrote to memory of 2976	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	86
PID 1288 wrote to memory of 2976	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	86
PID 1288 wrote to memory of 2976	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	86
PID 1288 wrote to memory of 756	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	87
PID 1288 wrote to memory of 756	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	87
PID 1288 wrote to memory of 756	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	87
PID 1288 wrote to memory of 4696	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	89
PID 1288 wrote to memory of 4696	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	89
PID 1288 wrote to memory of 4696	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	89
PID 1288 wrote to memory of 4532	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	92
PID 1288 wrote to memory of 4532	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	92
PID 1288 wrote to memory of 4532	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	92
PID 1288 wrote to memory of 3292	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	107
PID 1288 wrote to memory of 3292	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	107
PID 1288 wrote to memory of 3292	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	107
PID 1288 wrote to memory of 4792	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	95
PID 1288 wrote to memory of 4792	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	95
PID 1288 wrote to memory of 4792	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	95
PID 1288 wrote to memory of 2020	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	96
PID 1288 wrote to memory of 2020	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	96
PID 1288 wrote to memory of 2020	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	96
PID 1288 wrote to memory of 3460	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	97
PID 1288 wrote to memory of 3460	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	97
PID 1288 wrote to memory of 3460	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	97
PID 1288 wrote to memory of 3920	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	98
PID 1288 wrote to memory of 3920	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	98
PID 1288 wrote to memory of 3920	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	98
PID 1288 wrote to memory of 1128	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	100
PID 1288 wrote to memory of 1128	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	100
PID 1288 wrote to memory of 1128	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	100
PID 1288 wrote to memory of 4308	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	101
PID 1288 wrote to memory of 4308	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	101
PID 1288 wrote to memory of 4308	1288	3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe	101
PID 2376 wrote to memory of 1404	2376	cmd.exe	109
PID 2376 wrote to memory of 1404	2376	cmd.exe	109
PID 2376 wrote to memory of 1404	2376	cmd.exe	109
PID 3460 wrote to memory of 868	3460	cmd.exe	117
PID 3460 wrote to memory of 868	3460	cmd.exe	117
PID 3460 wrote to memory of 868	3460	cmd.exe	117
PID 2976 wrote to memory of 1708	2976	cmd.exe	110
PID 2976 wrote to memory of 1708	2976	cmd.exe	110
PID 2976 wrote to memory of 1708	2976	cmd.exe	110
PID 756 wrote to memory of 804	756	cmd.exe	112
PID 756 wrote to memory of 804	756	cmd.exe	112
PID 756 wrote to memory of 804	756	cmd.exe	112
PID 4696 wrote to memory of 4024	4696	cmd.exe	111
PID 4696 wrote to memory of 4024	4696	cmd.exe	111
PID 4696 wrote to memory of 4024	4696	cmd.exe	111
PID 1128 wrote to memory of 3344	1128	cmd.exe	113
PID 1128 wrote to memory of 3344	1128	cmd.exe	113
PID 1128 wrote to memory of 3344	1128	cmd.exe	113
PID 4532 wrote to memory of 2284	4532	cmd.exe	114
PID 4532 wrote to memory of 2284	4532	cmd.exe	114
PID 4532 wrote to memory of 2284	4532	cmd.exe	114
PID 4792 wrote to memory of 2700	4792	cmd.exe	116
PID 4792 wrote to memory of 2700	4792	cmd.exe	116
PID 4792 wrote to memory of 2700	4792	cmd.exe	116
PID 2020 wrote to memory of 1348	2020	cmd.exe	115
PID 2020 wrote to memory of 1348	2020	cmd.exe	115
PID 2020 wrote to memory of 1348	2020	cmd.exe	115
PID 3292 wrote to memory of 1540	3292	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe
"C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:804
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4024
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2284
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk546" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk546" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:868
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk724" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
  2⤵
  PID:3920
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3538" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3538" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk2141" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
  2⤵
  PID:4308
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\3fa02897f9434987e00b1e28538ca04668e321e3de0a7ccca611bb8726d7ba0f.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 1364
  2⤵
  - Program crash
  PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1288 -ip 1288
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1288-134-0x0000000004990000-0x0000000004A22000-memory.dmp

Filesize
584KB

Download
memory/1288-132-0x0000000000060000-0x0000000000110000-memory.dmp

Filesize
704KB

Download
memory/1288-133-0x00000000050A0000-0x0000000005644000-memory.dmp

Filesize
5.6MB

Download
memory/1288-135-0x0000000004980000-0x000000000498A000-memory.dmp

Filesize
40KB

Download