49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6

Analysis

max time kernel
164s
max time network
148s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
Size

449KB
MD5

76cd287608d7a57f9d74198f7e76d258
SHA1

4394fd2e8524c53e31de6db735750ff3880e3926
SHA256

49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6
SHA512

f544366467cea8cbc56958144d0bf71a6e77b7f6d1dcb83ecdc9e0dbc66444bffd57c7a399d82b60871cb1e48bcfaf31b850feed44945cba36a5438e755f5473
SSDEEP

12288:QXj4iSNCClof00mXLI/D/ONp+6DIhjGhdWQiKC:YTSbn0OemNp+6DcKbiK

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\gcupdaterv3.1.4.4OTYHJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"	reg.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1936 schtasks.exe
1140 schtasks.exe
884 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

872 reg.exe

pid	process
1936	schtasks.exe
1140	schtasks.exe
884	schtasks.exe

pid	process
872	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe

pid	process
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1736	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1596	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
Token: SeDebugPrivilege	1736	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
Token: SeDebugPrivilege	1596	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1188 wrote to memory of 1860	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1860	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1860	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1860	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1284	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1284	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1284	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1284	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1284 wrote to memory of 1624	1284	cmd.exe	schtasks.exe
PID 1284 wrote to memory of 1624	1284	cmd.exe	schtasks.exe
PID 1284 wrote to memory of 1624	1284	cmd.exe	schtasks.exe
PID 1284 wrote to memory of 1624	1284	cmd.exe	schtasks.exe
PID 1188 wrote to memory of 1500	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1500	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1500	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1500	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1500 wrote to memory of 1496	1500	cmd.exe	schtasks.exe
PID 1500 wrote to memory of 1496	1500	cmd.exe	schtasks.exe
PID 1500 wrote to memory of 1496	1500	cmd.exe	schtasks.exe
PID 1500 wrote to memory of 1496	1500	cmd.exe	schtasks.exe
PID 1188 wrote to memory of 1508	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1508	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1508	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1508	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1508 wrote to memory of 1656	1508	cmd.exe	schtasks.exe
PID 1508 wrote to memory of 1656	1508	cmd.exe	schtasks.exe
PID 1508 wrote to memory of 1656	1508	cmd.exe	schtasks.exe
PID 1508 wrote to memory of 1656	1508	cmd.exe	schtasks.exe
PID 1188 wrote to memory of 1712	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1712	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1712	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1712	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1712 wrote to memory of 2000	1712	cmd.exe	schtasks.exe
PID 1712 wrote to memory of 2000	1712	cmd.exe	schtasks.exe
PID 1712 wrote to memory of 2000	1712	cmd.exe	schtasks.exe
PID 1712 wrote to memory of 2000	1712	cmd.exe	schtasks.exe
PID 1188 wrote to memory of 1692	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1692	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1692	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1692	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1692 wrote to memory of 548	1692	cmd.exe	schtasks.exe
PID 1692 wrote to memory of 548	1692	cmd.exe	schtasks.exe
PID 1692 wrote to memory of 548	1692	cmd.exe	schtasks.exe
PID 1692 wrote to memory of 548	1692	cmd.exe	schtasks.exe
PID 1188 wrote to memory of 808	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 808	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 808	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 808	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1084	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1084	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1084	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 1084	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1084 wrote to memory of 940	1084	cmd.exe	schtasks.exe
PID 1084 wrote to memory of 940	1084	cmd.exe	schtasks.exe
PID 1084 wrote to memory of 940	1084	cmd.exe	schtasks.exe
PID 1084 wrote to memory of 940	1084	cmd.exe	schtasks.exe
PID 1188 wrote to memory of 2020	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 2020	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 2020	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1188 wrote to memory of 2020	1188	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 2020 wrote to memory of 996	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 996	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 996	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 996	2020	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /create /f /tn "Google49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6" /ru Admin /sc minute /mo 1 /tr "\"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"\" /st 00:00:00
  2⤵
  PID:1860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateTaskMachineCore
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateTaskMachineCore
    3⤵
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateTaskMachineUA
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateTaskMachineUA
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn updaterv6
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks.exe /delete /f /tn updaterv6
    3⤵
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn updaterv7
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks.exe /delete /f /tn updaterv7
    3⤵
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn updaterv8
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks.exe /delete /f /tn updaterv8
    3⤵
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn updaterv9
  2⤵
  PID:808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn updaterv10
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks.exe /delete /f /tn updaterv10
    3⤵
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn DriverUpdaterV3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks.exe /delete /f /tn DriverUpdaterV3
    3⤵
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV1
  2⤵
  PID:616
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV1
    3⤵
    PID:848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV2
  2⤵
  PID:1192
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV2
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV3
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV3
    3⤵
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV4
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV4
    3⤵
    PID:428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV5
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV5
    3⤵
    PID:1380
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV6
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV6
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /create /f /tn "Google49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6" /ru Admin /sc minute /mo 1 /tr "\"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"\" /st 00:00:00
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks.exe /create /f /tn "Google49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6" /ru Admin /sc minute /mo 1 /tr "\"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"\" /st 00:00:00
    3⤵
    - Creates scheduled task(s)
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v gcupdaterv3.1.4.4OTYHJ /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v gcupdaterv3.1.4.4OTYHJ /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:872

C:\Windows\system32\taskeng.exe
taskeng.exe {1B992E20-3C0B-4B5B-8C3C-EC7EF9E62037} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
PID:2016
- C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
  C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /create /f /tn "Google49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6" /ru Admin /sc minute /mo 1 /tr "\"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"\" /st 00:00:00
    3⤵
    PID:1668
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\system32\schtasks.exe /create /f /tn "Google49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6" /ru Admin /sc minute /mo 1 /tr "\"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"\" /st 00:00:00
      4⤵
      Creates scheduled task(s)
      PID:1936
- C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
  C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /create /f /tn "Google49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6" /ru Admin /sc minute /mo 1 /tr "\"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"\" /st 00:00:00
    3⤵
    PID:1588
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\system32\schtasks.exe /create /f /tn "Google49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6" /ru Admin /sc minute /mo 1 /tr "\"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"\" /st 00:00:00
      4⤵
      Creates scheduled task(s)
      PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-80-0x0000000000000000-mapping.dmp

Download
memory/548-67-0x0000000000000000-mapping.dmp

Download
memory/616-73-0x0000000000000000-mapping.dmp

Download
memory/808-68-0x0000000000000000-mapping.dmp

Download
memory/848-74-0x0000000000000000-mapping.dmp

Download
memory/872-89-0x0000000000000000-mapping.dmp

Download
memory/884-86-0x0000000000000000-mapping.dmp

Download
memory/940-70-0x0000000000000000-mapping.dmp

Download
memory/996-72-0x0000000000000000-mapping.dmp

Download
memory/1084-69-0x0000000000000000-mapping.dmp

Download
memory/1140-101-0x0000000000000000-mapping.dmp

Download
memory/1140-83-0x0000000000000000-mapping.dmp

Download
memory/1188-87-0x0000000001E96000-0x0000000001EA7000-memory.dmp

Filesize
68KB

Download
memory/1188-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1188-56-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1188-55-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1188-97-0x0000000001E96000-0x0000000001EA7000-memory.dmp

Filesize
68KB

Download
memory/1192-75-0x0000000000000000-mapping.dmp

Download
memory/1232-85-0x0000000000000000-mapping.dmp

Download
memory/1284-58-0x0000000000000000-mapping.dmp

Download
memory/1332-79-0x0000000000000000-mapping.dmp

Download
memory/1380-82-0x0000000000000000-mapping.dmp

Download
memory/1496-61-0x0000000000000000-mapping.dmp

Download
memory/1500-60-0x0000000000000000-mapping.dmp

Download
memory/1508-88-0x0000000000000000-mapping.dmp

Download
memory/1508-62-0x0000000000000000-mapping.dmp

Download
memory/1588-100-0x0000000000000000-mapping.dmp

Download
memory/1592-77-0x0000000000000000-mapping.dmp

Download
memory/1596-102-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1596-98-0x0000000000000000-mapping.dmp

Download
memory/1596-103-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1596-104-0x0000000001FB6000-0x0000000001FC7000-memory.dmp

Filesize
68KB

Download
memory/1624-59-0x0000000000000000-mapping.dmp

Download
memory/1628-76-0x0000000000000000-mapping.dmp

Download
memory/1656-63-0x0000000000000000-mapping.dmp

Download
memory/1668-92-0x0000000000000000-mapping.dmp

Download
memory/1692-66-0x0000000000000000-mapping.dmp

Download
memory/1712-64-0x0000000000000000-mapping.dmp

Download
memory/1736-90-0x0000000000000000-mapping.dmp

Download
memory/1736-94-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1736-95-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1736-96-0x0000000000696000-0x00000000006A7000-memory.dmp

Filesize
68KB

Download
memory/1780-78-0x0000000000000000-mapping.dmp

Download
memory/1860-81-0x0000000000000000-mapping.dmp

Download
memory/1860-57-0x0000000000000000-mapping.dmp

Download
memory/1916-84-0x0000000000000000-mapping.dmp

Download
memory/1936-93-0x0000000000000000-mapping.dmp

Download
memory/2000-65-0x0000000000000000-mapping.dmp

Download
memory/2020-71-0x0000000000000000-mapping.dmp

Download