9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee

Analysis

max time kernel
91s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2022, 13:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
Size

959KB
MD5

ebb45718242ac8a9f28173e69aeeb2f3
SHA1

5620c7cc4bee5b2942d265ffe090f47747ef645d
SHA256

9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee
SHA512

949fefc7abd2503ad322e80dc952da754a405d7051c4403bf8ac9cc95552477cc8321159963be73cad07d967113b6b3ed99c3529dc444bb7bf24d62f3bbcffa5
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1116	1664	WerFault.exe	80

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2056	schtasks.exe
3540	schtasks.exe
2088	schtasks.exe
3372	schtasks.exe
5104	schtasks.exe
3872	schtasks.exe
4584	schtasks.exe
3180	schtasks.exe
2344	schtasks.exe
3892	schtasks.exe
4572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 4820	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	82
PID 1664 wrote to memory of 4820	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	82
PID 1664 wrote to memory of 4820	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	82
PID 1664 wrote to memory of 4564	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	83
PID 1664 wrote to memory of 4564	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	83
PID 1664 wrote to memory of 4564	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	83
PID 1664 wrote to memory of 1332	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	84
PID 1664 wrote to memory of 1332	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	84
PID 1664 wrote to memory of 1332	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	84
PID 1664 wrote to memory of 960	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	85
PID 1664 wrote to memory of 960	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	85
PID 1664 wrote to memory of 960	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	85
PID 1664 wrote to memory of 1256	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	91
PID 1664 wrote to memory of 1256	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	91
PID 1664 wrote to memory of 1256	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	91
PID 1664 wrote to memory of 2012	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	89
PID 1664 wrote to memory of 2012	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	89
PID 1664 wrote to memory of 2012	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	89
PID 1664 wrote to memory of 1768	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	93
PID 1664 wrote to memory of 1768	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	93
PID 1664 wrote to memory of 1768	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	93
PID 1664 wrote to memory of 1824	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	97
PID 1664 wrote to memory of 1824	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	97
PID 1664 wrote to memory of 1824	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	97
PID 1664 wrote to memory of 220	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	95
PID 1664 wrote to memory of 220	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	95
PID 1664 wrote to memory of 220	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	95
PID 4564 wrote to memory of 3372	4564	cmd.exe	94
PID 4564 wrote to memory of 3372	4564	cmd.exe	94
PID 4564 wrote to memory of 3372	4564	cmd.exe	94
PID 1664 wrote to memory of 216	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	100
PID 1664 wrote to memory of 216	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	100
PID 1664 wrote to memory of 216	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	100
PID 1664 wrote to memory of 4020	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	102
PID 1664 wrote to memory of 4020	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	102
PID 1664 wrote to memory of 4020	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	102
PID 1664 wrote to memory of 4600	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	103
PID 1664 wrote to memory of 4600	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	103
PID 1664 wrote to memory of 4600	1664	9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe	103
PID 1768 wrote to memory of 2056	1768	cmd.exe	107
PID 1768 wrote to memory of 2056	1768	cmd.exe	107
PID 1768 wrote to memory of 2056	1768	cmd.exe	107
PID 1332 wrote to memory of 5104	1332	cmd.exe	108
PID 1332 wrote to memory of 5104	1332	cmd.exe	108
PID 1332 wrote to memory of 5104	1332	cmd.exe	108
PID 4820 wrote to memory of 3872	4820	cmd.exe	109
PID 4820 wrote to memory of 3872	4820	cmd.exe	109
PID 4820 wrote to memory of 3872	4820	cmd.exe	109
PID 960 wrote to memory of 4584	960	cmd.exe	110
PID 960 wrote to memory of 4584	960	cmd.exe	110
PID 960 wrote to memory of 4584	960	cmd.exe	110
PID 1256 wrote to memory of 3180	1256	cmd.exe	111
PID 1256 wrote to memory of 3180	1256	cmd.exe	111
PID 1256 wrote to memory of 3180	1256	cmd.exe	111
PID 1824 wrote to memory of 2344	1824	cmd.exe	112
PID 1824 wrote to memory of 2344	1824	cmd.exe	112
PID 1824 wrote to memory of 2344	1824	cmd.exe	112
PID 216 wrote to memory of 4572	216	cmd.exe	114
PID 216 wrote to memory of 4572	216	cmd.exe	114
PID 216 wrote to memory of 4572	216	cmd.exe	114
PID 2012 wrote to memory of 3892	2012	cmd.exe	113
PID 2012 wrote to memory of 3892	2012	cmd.exe	113
PID 2012 wrote to memory of 3892	2012	cmd.exe	113
PID 4020 wrote to memory of 3540	4020	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe
"C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3372
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5104
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4584
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3892
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3180
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2056
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7307" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
  2⤵
  PID:220
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk7307" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk6044" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk6044" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk8208" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk8208" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3540
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk84" /TR "C:\Users\Admin\AppData\Local\Temp\9728611b807515ef858ec43b3f25afa985b9fc8ce1cb2d487fe999bc6097aeee.exe"
  2⤵
  PID:4600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1372
  2⤵
  - Program crash
  PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1664 -ip 1664
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1664-134-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/1664-132-0x0000000000A60000-0x0000000000B10000-memory.dmp

Filesize
704KB

Download
memory/1664-133-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/1664-135-0x00000000054B0000-0x00000000054BA000-memory.dmp

Filesize
40KB

Download