30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40

Analysis

max time kernel
61s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2022 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
Size

960KB
MD5

085232f07fd79274ae2024bee8606cf7
SHA1

c7121647a250679833a70b13a673097f4876f703
SHA256

30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40
SHA512

19e66840ba693c3b3a970c9163c71b520b3394b6fd1a4168bb8e95794ddb3bbceccced9ac915ca43c7a293f4f7308cdbf4d4084dfaf82e9457f477b037a84c10
SSDEEP

768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3160	3096	WerFault.exe	81

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5072	schtasks.exe
2364	schtasks.exe
3664	schtasks.exe
2584	schtasks.exe
5104	schtasks.exe
4052	schtasks.exe
4264	schtasks.exe
1624	schtasks.exe
4436	schtasks.exe
2160	schtasks.exe
2488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 4788	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	82
PID 3096 wrote to memory of 4788	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	82
PID 3096 wrote to memory of 4788	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	82
PID 3096 wrote to memory of 3064	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	83
PID 3096 wrote to memory of 3064	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	83
PID 3096 wrote to memory of 3064	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	83
PID 3096 wrote to memory of 3220	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	86
PID 3096 wrote to memory of 3220	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	86
PID 3096 wrote to memory of 3220	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	86
PID 3096 wrote to memory of 1396	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	85
PID 3096 wrote to memory of 1396	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	85
PID 3096 wrote to memory of 1396	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	85
PID 3096 wrote to memory of 1812	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	98
PID 3096 wrote to memory of 1812	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	98
PID 3096 wrote to memory of 1812	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	98
PID 3096 wrote to memory of 1308	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	91
PID 3096 wrote to memory of 1308	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	91
PID 3096 wrote to memory of 1308	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	91
PID 3096 wrote to memory of 4380	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	97
PID 3096 wrote to memory of 4380	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	97
PID 3096 wrote to memory of 4380	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	97
PID 3096 wrote to memory of 2804	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	93
PID 3096 wrote to memory of 2804	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	93
PID 3096 wrote to memory of 2804	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	93
PID 3096 wrote to memory of 2260	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	94
PID 3096 wrote to memory of 2260	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	94
PID 3096 wrote to memory of 2260	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	94
PID 3096 wrote to memory of 3544	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	99
PID 3096 wrote to memory of 3544	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	99
PID 3096 wrote to memory of 3544	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	99
PID 3096 wrote to memory of 3964	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	108
PID 3096 wrote to memory of 3964	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	108
PID 3096 wrote to memory of 3964	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	108
PID 3220 wrote to memory of 4052	3220	cmd.exe	101
PID 3220 wrote to memory of 4052	3220	cmd.exe	101
PID 3220 wrote to memory of 4052	3220	cmd.exe	101
PID 3096 wrote to memory of 4452	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	107
PID 3096 wrote to memory of 4452	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	107
PID 3096 wrote to memory of 4452	3096	30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe	107
PID 3064 wrote to memory of 5072	3064	cmd.exe	105
PID 3064 wrote to memory of 5072	3064	cmd.exe	105
PID 3064 wrote to memory of 5072	3064	cmd.exe	105
PID 3544 wrote to memory of 2364	3544	cmd.exe	106
PID 3544 wrote to memory of 2364	3544	cmd.exe	106
PID 3544 wrote to memory of 2364	3544	cmd.exe	106
PID 2260 wrote to memory of 3664	2260	cmd.exe	109
PID 2260 wrote to memory of 3664	2260	cmd.exe	109
PID 2260 wrote to memory of 3664	2260	cmd.exe	109
PID 2804 wrote to memory of 4264	2804	cmd.exe	110
PID 2804 wrote to memory of 4264	2804	cmd.exe	110
PID 2804 wrote to memory of 4264	2804	cmd.exe	110
PID 1396 wrote to memory of 2160	1396	cmd.exe	114
PID 1396 wrote to memory of 2160	1396	cmd.exe	114
PID 1396 wrote to memory of 2160	1396	cmd.exe	114
PID 4788 wrote to memory of 1624	4788	cmd.exe	111
PID 4788 wrote to memory of 1624	4788	cmd.exe	111
PID 4788 wrote to memory of 1624	4788	cmd.exe	111
PID 4380 wrote to memory of 2584	4380	cmd.exe	113
PID 4380 wrote to memory of 2584	4380	cmd.exe	113
PID 4380 wrote to memory of 2584	4380	cmd.exe	113
PID 1308 wrote to memory of 4436	1308	cmd.exe	112
PID 1308 wrote to memory of 4436	1308	cmd.exe	112
PID 1308 wrote to memory of 4436	1308	cmd.exe	112
PID 1812 wrote to memory of 2488	1812	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe
"C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5072
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4436
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4264
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk874" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk874" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3664
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk7441" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk7441" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2364
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk640" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
  2⤵
  PID:4452
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4985" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4985" /TR "C:\Users\Admin\AppData\Local\Temp\30ea0a2d8cc4646ca03d4a2053d010cc1df24a7156f460c7729e774cbfe0ae40.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 1368
  2⤵
  - Program crash
  PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3096 -ip 3096
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3096-132-0x0000000000C20000-0x0000000000CD0000-memory.dmp

Filesize
704KB

Download
memory/3096-133-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/3096-135-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/3096-134-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download