3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e

Analysis

max time kernel
122s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2022 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
Size

933KB
MD5

93fa37062009bddeabf2a0157dcdfeb5
SHA1

6380e8d757b1632a2dc8138ad23d7be3e7784410
SHA256

3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e
SHA512

0ecd767bfa238b3499222ac5700419728400027b423354fc6387d166b9e3bdd97cdab835dacf234496097121acce0f66fd2f4e89b488881a00db70787c8421fa
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1508	1856	WerFault.exe	82

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1408	schtasks.exe
2728	schtasks.exe
1080	schtasks.exe
2024	schtasks.exe
1772	schtasks.exe
2308	schtasks.exe
1444	schtasks.exe
2588	schtasks.exe
3376	schtasks.exe
1996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2724	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	84
PID 1856 wrote to memory of 2724	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	84
PID 1856 wrote to memory of 2724	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	84
PID 1856 wrote to memory of 1384	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	85
PID 1856 wrote to memory of 1384	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	85
PID 1856 wrote to memory of 1384	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	85
PID 1856 wrote to memory of 3924	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	108
PID 1856 wrote to memory of 3924	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	108
PID 1856 wrote to memory of 3924	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	108
PID 1856 wrote to memory of 4656	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	87
PID 1856 wrote to memory of 4656	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	87
PID 1856 wrote to memory of 4656	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	87
PID 1856 wrote to memory of 932	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	106
PID 1856 wrote to memory of 932	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	106
PID 1856 wrote to memory of 932	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	106
PID 1856 wrote to memory of 1440	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	89
PID 1856 wrote to memory of 1440	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	89
PID 1856 wrote to memory of 1440	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	89
PID 1856 wrote to memory of 748	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	90
PID 1856 wrote to memory of 748	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	90
PID 1856 wrote to memory of 748	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	90
PID 1856 wrote to memory of 3784	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	103
PID 1856 wrote to memory of 3784	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	103
PID 1856 wrote to memory of 3784	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	103
PID 1856 wrote to memory of 1684	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	92
PID 1856 wrote to memory of 1684	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	92
PID 1856 wrote to memory of 1684	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	92
PID 1856 wrote to memory of 4680	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	93
PID 1856 wrote to memory of 4680	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	93
PID 1856 wrote to memory of 4680	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	93
PID 1856 wrote to memory of 2144	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	94
PID 1856 wrote to memory of 2144	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	94
PID 1856 wrote to memory of 2144	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	94
PID 1856 wrote to memory of 3132	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	95
PID 1856 wrote to memory of 3132	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	95
PID 1856 wrote to memory of 3132	1856	3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe	95
PID 2724 wrote to memory of 1408	2724	cmd.exe	99
PID 2724 wrote to memory of 1408	2724	cmd.exe	99
PID 2724 wrote to memory of 1408	2724	cmd.exe	99
PID 4680 wrote to memory of 2024	4680	cmd.exe	117
PID 4680 wrote to memory of 2024	4680	cmd.exe	117
PID 4680 wrote to memory of 2024	4680	cmd.exe	117
PID 1384 wrote to memory of 1772	1384	cmd.exe	109
PID 1384 wrote to memory of 1772	1384	cmd.exe	109
PID 1384 wrote to memory of 1772	1384	cmd.exe	109
PID 2144 wrote to memory of 2728	2144	cmd.exe	111
PID 2144 wrote to memory of 2728	2144	cmd.exe	111
PID 2144 wrote to memory of 2728	2144	cmd.exe	111
PID 4656 wrote to memory of 2308	4656	cmd.exe	110
PID 4656 wrote to memory of 2308	4656	cmd.exe	110
PID 4656 wrote to memory of 2308	4656	cmd.exe	110
PID 1440 wrote to memory of 1080	1440	cmd.exe	113
PID 1440 wrote to memory of 1080	1440	cmd.exe	113
PID 1440 wrote to memory of 1080	1440	cmd.exe	113
PID 748 wrote to memory of 1444	748	cmd.exe	112
PID 748 wrote to memory of 1444	748	cmd.exe	112
PID 748 wrote to memory of 1444	748	cmd.exe	112
PID 1684 wrote to memory of 2588	1684	cmd.exe	114
PID 1684 wrote to memory of 2588	1684	cmd.exe	114
PID 1684 wrote to memory of 2588	1684	cmd.exe	114
PID 3784 wrote to memory of 3376	3784	cmd.exe	115
PID 3784 wrote to memory of 3376	3784	cmd.exe	115
PID 3784 wrote to memory of 3376	3784	cmd.exe	115
PID 932 wrote to memory of 1996	932	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe
"C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1408
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6882" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6882" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8486" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8486" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk5104" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk5104" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk9264" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
  2⤵
  PID:3132
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3376
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\3ae5c651e4b2c6617c0c074c1b4d95fe80f913616c88a3c00ca4df80e541a13e.exe"
  2⤵
  PID:3924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1040
  2⤵
  - Program crash
  PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1856 -ip 1856
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-142-0x0000000000000000-mapping.dmp

Download
memory/932-140-0x0000000000000000-mapping.dmp

Download
memory/1080-153-0x0000000000000000-mapping.dmp

Download
memory/1384-137-0x0000000000000000-mapping.dmp

Download
memory/1408-148-0x0000000000000000-mapping.dmp

Download
memory/1440-141-0x0000000000000000-mapping.dmp

Download
memory/1444-154-0x0000000000000000-mapping.dmp

Download
memory/1684-144-0x0000000000000000-mapping.dmp

Download
memory/1772-150-0x0000000000000000-mapping.dmp

Download
memory/1856-135-0x0000000005750000-0x000000000575A000-memory.dmp

Filesize
40KB

Download
memory/1856-132-0x0000000000D00000-0x0000000000DB0000-memory.dmp

Filesize
704KB

Download
memory/1856-133-0x0000000005EA0000-0x0000000006444000-memory.dmp

Filesize
5.6MB

Download
memory/1856-134-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/1996-157-0x0000000000000000-mapping.dmp

Download
memory/2024-149-0x0000000000000000-mapping.dmp

Download
memory/2144-146-0x0000000000000000-mapping.dmp

Download
memory/2308-152-0x0000000000000000-mapping.dmp

Download
memory/2588-155-0x0000000000000000-mapping.dmp

Download
memory/2724-136-0x0000000000000000-mapping.dmp

Download
memory/2728-151-0x0000000000000000-mapping.dmp

Download
memory/3132-147-0x0000000000000000-mapping.dmp

Download
memory/3376-156-0x0000000000000000-mapping.dmp

Download
memory/3784-143-0x0000000000000000-mapping.dmp

Download
memory/3924-138-0x0000000000000000-mapping.dmp

Download
memory/4656-139-0x0000000000000000-mapping.dmp

Download
memory/4680-145-0x0000000000000000-mapping.dmp

Download