a40626fbe1122175c403f8510e1f6ad41cee213a87ce8252305e32e5071a170a

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
Size

561KB
MD5

009ad4da2328c0133ceddef2fd3687b4
SHA1

4b9ebbc512c4be235a29f3851afce645fba415b6
SHA256

bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445
SHA512

767b621b3295d71a511f26a2b8ee15a48f35eff75156e4947dd5ac1fdd13ce228fdac0042bdd44f3a411bd3927d5d8543e6864c0be672b52d8ed01d8d0d86311
SSDEEP

6144:QYodYSZydQTu2CFk0IkPyW//ne6VlWT8b9Qf+tbSaowwabqutYSUR8z:QYodYSZ+WcIpWXPVle8FPFt

Score

10^/10

credential_access discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\GoogleChrome-CacheCookieFile.exe"	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Loads dropped DLL 41 IoCs

pid	Process
1724	Process not Found
3184	Process not Found
2600	Process not Found
2468	Process not Found
2176	Process not Found
1348	Process not Found
4292	Process not Found
4628	Process not Found
1788	Process not Found
5100	Process not Found
4488	Process not Found
1720	Process not Found
456	Process not Found
4876	Process not Found
2928	Process not Found
4440	Process not Found
2764	Process not Found
1932	Process not Found
4616	Process not Found
1704	Process not Found
2164	Process not Found
4020	Process not Found
4292	Process not Found
1392	Process not Found
2608	Process not Found
2376	Process not Found
644	Process not Found
1668	Process not Found
4292	Process not Found
428	Process not Found
3120	Process not Found
3316	Process not Found
1444	Process not Found
876	Process not Found
1116	Process not Found
3308	Process not Found
5064	Process not Found
3984	Process not Found
4972	Process not Found
1880	Process not Found
4596	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Windows\\GoogleChrome-CacheCookieFile.exe"	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
92	pastebin.com
70	pastebin.com
79	pastebin.com
96	pastebin.com
107	pastebin.com
108	pastebin.com
142	pastebin.com
112	pastebin.com
33	pastebin.com
69	pastebin.com
85	pastebin.com
141	pastebin.com
148	pastebin.com
105	pastebin.com
135	pastebin.com
143	pastebin.com
145	pastebin.com
91	pastebin.com
93	pastebin.com
97	pastebin.com
111	pastebin.com
118	pastebin.com
128	pastebin.com
61	pastebin.com
82	pastebin.com
113	pastebin.com
65	pastebin.com
115	pastebin.com
122	pastebin.com
84	pastebin.com
100	pastebin.com
102	pastebin.com
106	pastebin.com
109	pastebin.com
119	pastebin.com
126	pastebin.com
68	pastebin.com
87	pastebin.com
104	pastebin.com
110	pastebin.com
114	pastebin.com
63	pastebin.com
66	pastebin.com
67	pastebin.com
83	pastebin.com
101	pastebin.com
125	pastebin.com
129	pastebin.com
58	pastebin.com
60	pastebin.com
124	pastebin.com
127	pastebin.com
137	pastebin.com
62	pastebin.com
64	pastebin.com
88	pastebin.com
89	pastebin.com
103	pastebin.com
132	pastebin.com
134	pastebin.com
146	pastebin.com
32	pastebin.com
149	pastebin.com
90	pastebin.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\GoogleChrome-CacheCookieFile.exe	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
File opened for modification	C:\Windows\GoogleChrome-CacheCookieFile.exe	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
File created	C:\Windows\xdwd.dll	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4788	schtasks.exe
4308	schtasks.exe
4448	schtasks.exe
3816	schtasks.exe
976	schtasks.exe
4140	schtasks.exe
2912	schtasks.exe
3772	schtasks.exe
3276	schtasks.exe
1972	schtasks.exe
3984	schtasks.exe
4616	schtasks.exe
1992	schtasks.exe
2144	schtasks.exe
548	schtasks.exe
2704	schtasks.exe
1444	schtasks.exe
3968	schtasks.exe
4716	schtasks.exe
5100	schtasks.exe
5016	schtasks.exe
3256	schtasks.exe
316	schtasks.exe
1076	schtasks.exe
3116	schtasks.exe
552	schtasks.exe
2220	schtasks.exe
4084	schtasks.exe
1808	schtasks.exe
3308	schtasks.exe
2728	schtasks.exe
1304	schtasks.exe
2500	schtasks.exe
3404	schtasks.exe
4948	schtasks.exe
540	schtasks.exe
5000	schtasks.exe
4432	schtasks.exe
5000	schtasks.exe
4448	schtasks.exe
4868	schtasks.exe
516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 3724	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	95
PID 4040 wrote to memory of 3724	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	95
PID 3724 wrote to memory of 548	3724	CMD.exe	97
PID 3724 wrote to memory of 548	3724	CMD.exe	97
PID 4040 wrote to memory of 3940	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	98
PID 4040 wrote to memory of 3940	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	98
PID 3940 wrote to memory of 540	3940	CMD.exe	100
PID 3940 wrote to memory of 540	3940	CMD.exe	100
PID 4040 wrote to memory of 1668	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	101
PID 4040 wrote to memory of 1668	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	101
PID 1668 wrote to memory of 1808	1668	CMD.exe	103
PID 1668 wrote to memory of 1808	1668	CMD.exe	103
PID 4040 wrote to memory of 2804	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	104
PID 4040 wrote to memory of 2804	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	104
PID 2804 wrote to memory of 5000	2804	CMD.exe	106
PID 2804 wrote to memory of 5000	2804	CMD.exe	106
PID 4040 wrote to memory of 1876	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	107
PID 4040 wrote to memory of 1876	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	107
PID 1876 wrote to memory of 2704	1876	CMD.exe	109
PID 1876 wrote to memory of 2704	1876	CMD.exe	109
PID 4040 wrote to memory of 4732	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	110
PID 4040 wrote to memory of 4732	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	110
PID 4732 wrote to memory of 1444	4732	CMD.exe	112
PID 4732 wrote to memory of 1444	4732	CMD.exe	112
PID 4040 wrote to memory of 3124	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	114
PID 4040 wrote to memory of 3124	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	114
PID 3124 wrote to memory of 3984	3124	CMD.exe	116
PID 3124 wrote to memory of 3984	3124	CMD.exe	116
PID 4040 wrote to memory of 3804	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	117
PID 4040 wrote to memory of 3804	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	117
PID 3804 wrote to memory of 4432	3804	CMD.exe	119
PID 3804 wrote to memory of 4432	3804	CMD.exe	119
PID 4040 wrote to memory of 940	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	120
PID 4040 wrote to memory of 940	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	120
PID 940 wrote to memory of 5000	940	CMD.exe	122
PID 940 wrote to memory of 5000	940	CMD.exe	122
PID 4040 wrote to memory of 1620	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	123
PID 4040 wrote to memory of 1620	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	123
PID 1620 wrote to memory of 4448	1620	CMD.exe	125
PID 1620 wrote to memory of 4448	1620	CMD.exe	125
PID 4040 wrote to memory of 2076	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	126
PID 4040 wrote to memory of 2076	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	126
PID 2076 wrote to memory of 4616	2076	CMD.exe	128
PID 2076 wrote to memory of 4616	2076	CMD.exe	128
PID 4040 wrote to memory of 2144	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	129
PID 4040 wrote to memory of 2144	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	129
PID 2144 wrote to memory of 516	2144	CMD.exe	131
PID 2144 wrote to memory of 516	2144	CMD.exe	131
PID 4040 wrote to memory of 1508	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	133
PID 4040 wrote to memory of 1508	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	133
PID 1508 wrote to memory of 4140	1508	CMD.exe	135
PID 1508 wrote to memory of 4140	1508	CMD.exe	135
PID 4040 wrote to memory of 448	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	136
PID 4040 wrote to memory of 448	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	136
PID 448 wrote to memory of 3308	448	CMD.exe	138
PID 448 wrote to memory of 3308	448	CMD.exe	138
PID 4040 wrote to memory of 4588	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	139
PID 4040 wrote to memory of 4588	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	139
PID 4588 wrote to memory of 3276	4588	CMD.exe	141
PID 4588 wrote to memory of 3276	4588	CMD.exe	141
PID 4040 wrote to memory of 3184	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	147
PID 4040 wrote to memory of 3184	4040	bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe	147
PID 3184 wrote to memory of 2500	3184	CMD.exe	149
PID 3184 wrote to memory of 2500	3184	CMD.exe	149

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe
"C:\Users\Admin\AppData\Local\Temp\bca3772529d1a336233bb4e59a704d5217e6e1f7b80222d2d028bfc816cb5445.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Security Essentials" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Security Essentials" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:548
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:540
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "7-Zip" /tr "C:\Windows\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "7-Zip" /tr "C:\Windows\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1808
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5000
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2704
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1444
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3984
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4432
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5000
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4448
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4616
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:516
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4140
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3308
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3276
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2500
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:1720
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3404
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:1808
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3968
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:532
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4948
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:5068
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:316
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:3880
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3816
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:4892
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2912
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:2212
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3772
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:1564
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4716
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:2548
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1076
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:4400
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5100
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:4172
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4868
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:820
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1972
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:2744
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1992
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:5000
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5016
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:1076
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3256
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:1876
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4788
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:4800
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3116
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:2176
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2728
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:4708
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:552
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:4132
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1304
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:3528
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2220
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:4836
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4308
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:1628
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4448
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:5068
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:976
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:3572
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2144
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST & exit
  2⤵
  PID:4032
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\GoogleChrome-CacheCookieFile.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/4040-0-0x00007FF8AA393000-0x00007FF8AA395000-memory.dmp

Filesize
8KB

Download
memory/4040-1-0x0000000000B40000-0x0000000000BD2000-memory.dmp

Filesize
584KB

Download
memory/4040-2-0x00007FF8AA393000-0x00007FF8AA395000-memory.dmp

Filesize
8KB

Download
memory/4040-19-0x00007FF8AA390000-0x00007FF8AAE51000-memory.dmp

Filesize
10.8MB

Download
memory/4040-119-0x00007FF8AA390000-0x00007FF8AAE51000-memory.dmp

Filesize
10.8MB

Download