Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
22/04/2024, 20:20
General
-
Target
43434343.exe
-
Size
577KB
-
MD5
dbfbb43a05e6dc400e28a8244c60ba25
-
SHA1
512a77466dac3f33af1ec28103f9bb2f89eb74c9
-
SHA256
a9504fddb4d2bb5c3c2af238a1b8e1a60105d3dbf0576dabb56dd82bdba3b68b
-
SHA512
a5339c4e878273886c6a97de1337c757a27a6b86aa4fb7e1815a22fe1a9e1ed2080ede612238255bee6021d8759c9ff5705aee3d5ef657dc5db151c117221986
-
SSDEEP
6144:ozN+SpinTfDha/wWvSUkl60e6VlWT8b9O8VZcs/CSMofaP0PE0gmLbSGxVznbGk5:oA2YbLnU2dPVle8ToSMo00xSGzPG
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies AppInit DLL entries 2 TTPs
-
Loads dropped DLL 42 IoCs
-
Drops file in Windows directory 1 IoCs
-
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\43434343.exe"C:\Users\Admin\AppData\Local\Temp\43434343.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Eclipse" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Eclipse" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Excel Host" /tr "C:\Users\Admin\xdwdAdobe Photoshop Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Excel Host" /tr "C:\Users\Admin\xdwdAdobe Photoshop Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
747.6MB
MD516113ff2629437e11989e31c00ec1d9a
SHA1e53390cc0c98b1136d94260e78ba02bf3be53f99
SHA2565b85eef648c93b71793f9c135a5fe76913c5d725c8b3d09cde59c0591f11e7ed
SHA51211bd49158ab91da301b82e85767ca43227e9073c94916efef8b38618fbb879cedefc60a822154377b5323d5fce8b99d07f1aebba82eb886db6d6dee684574281
-
Filesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
Filesize
600KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB