49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6

General

Target

49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
Size

449KB
MD5

76cd287608d7a57f9d74198f7e76d258
SHA1

4394fd2e8524c53e31de6db735750ff3880e3926
SHA256

49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6
SHA512

f544366467cea8cbc56958144d0bf71a6e77b7f6d1dcb83ecdc9e0dbc66444bffd57c7a399d82b60871cb1e48bcfaf31b850feed44945cba36a5438e755f5473
SSDEEP

12288:QXj4iSNCClof00mXLI/D/ONp+6DIhjGhdWQiKC:YTSbn0OemNp+6DcKbiK

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4796 schtasks.exe
4928 schtasks.exe
944 schtasks.exe

pid	process
4796	schtasks.exe
4928	schtasks.exe
944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe

pid	process
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4804	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe

description	pid	process
Token: SeDebugPrivilege	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
Token: SeDebugPrivilege	4804	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.execmd.execmd.execmd.execmd.execmd.exe49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4860 wrote to memory of 1480	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 1480	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 1480	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1480 wrote to memory of 4796	1480	cmd.exe	schtasks.exe
PID 1480 wrote to memory of 4796	1480	cmd.exe	schtasks.exe
PID 1480 wrote to memory of 4796	1480	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 1524	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 1524	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 1524	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1524 wrote to memory of 4948	1524	cmd.exe	schtasks.exe
PID 1524 wrote to memory of 4948	1524	cmd.exe	schtasks.exe
PID 1524 wrote to memory of 4948	1524	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 5076	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 5076	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 5076	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 5076 wrote to memory of 4376	5076	cmd.exe	schtasks.exe
PID 5076 wrote to memory of 4376	5076	cmd.exe	schtasks.exe
PID 5076 wrote to memory of 4376	5076	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 3220	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 3220	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 3220	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 3220 wrote to memory of 3048	3220	cmd.exe	schtasks.exe
PID 3220 wrote to memory of 3048	3220	cmd.exe	schtasks.exe
PID 3220 wrote to memory of 3048	3220	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 3672	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 3672	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 3672	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 3672 wrote to memory of 916	3672	cmd.exe	schtasks.exe
PID 3672 wrote to memory of 916	3672	cmd.exe	schtasks.exe
PID 3672 wrote to memory of 916	3672	cmd.exe	schtasks.exe
PID 4804 wrote to memory of 1004	4804	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4804 wrote to memory of 1004	4804	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4804 wrote to memory of 1004	4804	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1004 wrote to memory of 4928	1004	cmd.exe	schtasks.exe
PID 1004 wrote to memory of 4928	1004	cmd.exe	schtasks.exe
PID 1004 wrote to memory of 4928	1004	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 1988	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 1988	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 1988	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1988 wrote to memory of 3276	1988	cmd.exe	schtasks.exe
PID 1988 wrote to memory of 3276	1988	cmd.exe	schtasks.exe
PID 1988 wrote to memory of 3276	1988	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 4552	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 4552	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 4552	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4552 wrote to memory of 3656	4552	cmd.exe	schtasks.exe
PID 4552 wrote to memory of 3656	4552	cmd.exe	schtasks.exe
PID 4552 wrote to memory of 3656	4552	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 4468	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 4468	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 4468	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4468 wrote to memory of 1348	4468	cmd.exe	schtasks.exe
PID 4468 wrote to memory of 1348	4468	cmd.exe	schtasks.exe
PID 4468 wrote to memory of 1348	4468	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 3588	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 3588	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 3588	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 3588 wrote to memory of 2644	3588	cmd.exe	schtasks.exe
PID 3588 wrote to memory of 2644	3588	cmd.exe	schtasks.exe
PID 3588 wrote to memory of 2644	3588	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 1392	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 1392	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 4860 wrote to memory of 1392	4860	49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe	cmd.exe
PID 1392 wrote to memory of 3292	1392	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /create /f /tn "Google49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6" /ru Admin /sc minute /mo 1 /tr "\"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"\" /st 00:00:00
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /create /f /tn "Google49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6" /ru Admin /sc minute /mo 1 /tr "\"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"\" /st 00:00:00
3⤵
- Creates scheduled task(s)
PID:4796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateTaskMachineCore
2⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateTaskMachineCore
3⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateTaskMachineUA
2⤵
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateTaskMachineUA
3⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn updaterv6
2⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /delete /f /tn updaterv6
3⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn updaterv7
2⤵
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /delete /f /tn updaterv7
3⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn updaterv8
2⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /delete /f /tn updaterv8
3⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn updaterv9
2⤵
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /delete /f /tn updaterv9
3⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn updaterv10
2⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /delete /f /tn updaterv10
3⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn DriverUpdaterV3
2⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /delete /f /tn DriverUpdaterV3
3⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV1
2⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV1
3⤵
PID:3292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV2
2⤵
PID:4772

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV2
3⤵
PID:3760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV3
2⤵
PID:3348

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV3
3⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV4
2⤵
PID:3392

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV4
3⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV5
2⤵
PID:3636

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV5
3⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV6
2⤵
PID:1088

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /delete /f /tn GoogleUpdateDriverV6
3⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /create /f /tn "Google49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6" /ru Admin /sc minute /mo 1 /tr "\"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"\" /st 00:00:00
2⤵
PID:312

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /create /f /tn "Google49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6" /ru Admin /sc minute /mo 1 /tr "\"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"\" /st 00:00:00
3⤵
- Creates scheduled task(s)
PID:944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v gcupdaterv3.1.4.4NLAAE /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"
2⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k C:\Windows\system32\schtasks.exe /create /f /tn "Google49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6" /ru Admin /sc minute /mo 1 /tr "\"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"\" /st 00:00:00
2⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe /create /f /tn "Google49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6" /ru Admin /sc minute /mo 1 /tr "\"C:\Users\Admin\AppData\Local\Temp\49362f7ff54a9c6f4beb0c37b7e768b2fdad8a2c93d872766d3abf6f52b7f6b6.exe"\" /st 00:00:00
3⤵
- Creates scheduled task(s)
PID:4928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/312-168-0x0000000000000000-mapping.dmp

Download
memory/916-144-0x0000000000000000-mapping.dmp

Download
memory/944-169-0x0000000000000000-mapping.dmp

Download
memory/1004-145-0x0000000000000000-mapping.dmp

Download
memory/1088-165-0x0000000000000000-mapping.dmp

Download
memory/1220-167-0x0000000000000000-mapping.dmp

Download
memory/1312-160-0x0000000000000000-mapping.dmp

Download
memory/1348-152-0x0000000000000000-mapping.dmp

Download
memory/1392-155-0x0000000000000000-mapping.dmp

Download
memory/1480-134-0x0000000000000000-mapping.dmp

Download
memory/1524-136-0x0000000000000000-mapping.dmp

Download
memory/1988-147-0x0000000000000000-mapping.dmp

Download
memory/2020-170-0x0000000000000000-mapping.dmp

Download
memory/2644-154-0x0000000000000000-mapping.dmp

Download
memory/3048-141-0x0000000000000000-mapping.dmp

Download
memory/3220-140-0x0000000000000000-mapping.dmp

Download
memory/3276-148-0x0000000000000000-mapping.dmp

Download
memory/3292-156-0x0000000000000000-mapping.dmp

Download
memory/3308-162-0x0000000000000000-mapping.dmp

Download
memory/3348-159-0x0000000000000000-mapping.dmp

Download
memory/3392-161-0x0000000000000000-mapping.dmp

Download
memory/3588-153-0x0000000000000000-mapping.dmp

Download
memory/3636-163-0x0000000000000000-mapping.dmp

Download
memory/3656-150-0x0000000000000000-mapping.dmp

Download
memory/3672-143-0x0000000000000000-mapping.dmp

Download
memory/3760-158-0x0000000000000000-mapping.dmp

Download
memory/4376-139-0x0000000000000000-mapping.dmp

Download
memory/4468-151-0x0000000000000000-mapping.dmp

Download
memory/4508-164-0x0000000000000000-mapping.dmp

Download
memory/4552-149-0x0000000000000000-mapping.dmp

Download
memory/4772-157-0x0000000000000000-mapping.dmp

Download
memory/4796-135-0x0000000000000000-mapping.dmp

Download
memory/4804-142-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4804-166-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4860-132-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4860-133-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4928-146-0x0000000000000000-mapping.dmp

Download
memory/4948-137-0x0000000000000000-mapping.dmp

Download
memory/5076-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads