Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags
    arch:x64 arch:x86 image:win11-20240412-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    22/04/2024, 20:20 UTC

General

  • Target

    43434343.exe

  • Size

    577KB

  • MD5

    dbfbb43a05e6dc400e28a8244c60ba25

  • SHA1

    512a77466dac3f33af1ec28103f9bb2f89eb74c9

  • SHA256

    a9504fddb4d2bb5c3c2af238a1b8e1a60105d3dbf0576dabb56dd82bdba3b68b

  • SHA512

    a5339c4e878273886c6a97de1337c757a27a6b86aa4fb7e1815a22fe1a9e1ed2080ede612238255bee6021d8759c9ff5705aee3d5ef657dc5db151c117221986

  • SSDEEP

    6144:ozN+SpinTfDha/wWvSUkl60e6VlWT8b9O8VZcs/CSMofaP0PE0gmLbSGxVznbGk5:oA2YbLnU2dPVle8ToSMo00xSGzPG

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies AppInit DLL entries 2 TTPs
  • Loads dropped DLL 42 IoCs
  • Drops file in Windows directory 1 IoCs
  • Creates scheduled task(s) 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\43434343.exe
    "C:\Users\Admin\AppData\Local\Temp\43434343.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Eclipse" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Eclipse" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe"
        3⤵
        • Creates scheduled task(s)
        PID:1804
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4652
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:3628
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Excel Host" /tr "C:\Users\Admin\xdwdAdobe Photoshop Upgrade.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:908
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo 5 /tn "Microsoft Excel Host" /tr "C:\Users\Admin\xdwdAdobe Photoshop Upgrade.exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:3844
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1528
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:3148
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3112
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1184
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4204
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1444
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3384
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:4988
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:3656
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:616
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2632
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:4620
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4124
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:3352
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2748
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4732
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:3476
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4684
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:232
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:2636
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:4504
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:2968
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2808
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:1248
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1784
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:1552
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:3816
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:1460
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:3724
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:3616
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:596
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:3352
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1932
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:2804
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:3596
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:2496
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:652
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:4540
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:412
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:228
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:3796
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:2840
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:5048
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:4564
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1388
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:2756
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1428
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:4976
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:5088
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:2688
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:4164
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:3000
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:4588
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:3596
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1456
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:1832
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:580
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:4112
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:4580
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:4188
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2792
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:4504
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:2200
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:2808
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:3932
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:1784
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:3380
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:1776
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1620
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:2204
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:4236
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:1264
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:3456
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
      2⤵
      PID:3016
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1448
                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST & exit
                                                              2⤵
                                                                PID:3828
                                                                • C:\Windows\system32\schtasks.exe
                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "KeePass Upgrade" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe" /RL HIGHEST
                                                                  3⤵
                                                                  • Creates scheduled task(s)
                                                                  PID:2732

                                                            Network

                                                             • DNS query by 43434343.exe to 8.8.8.8:53
                                                               Request: increased-rely.gl.at.ply.gg IN A
                                                               Response: increased-rely.gl.at.ply.gg IN A 147.185.221.19
                                                             • DNS query by 43434343.exe to 8.8.8.8:53
                                                               Request: 8.8.8.8.in-addr.arpa IN PTR
                                                               Response: 8.8.8.8.in-addr.arpa IN PTR dnsgoogle
                                                             • DNS query by 43434343.exe to 8.8.8.8:53
                                                               Request: nexusrules.officeapps.live.com IN A
                                                               Response: nexusrules.officeapps.live.com IN CNAME prod.nexusrules.live.com.akadns.net
                                                               Response: prod.nexusrules.live.com.akadns.net IN A 52.111.229.48
                                                             • DNS query by 43434343.exe to 8.8.8.8:53
                                                               Request: 48.229.111.52.in-addr.arpa IN PTR
                                                               Response: (none recorded)
                                                             • DNS query by 43434343.exe to 8.8.8.8:53
                                                               Request: self.events.data.microsoft.com IN A
                                                               Response: self.events.data.microsoft.com IN CNAME self-events-data.trafficmanager.net
                                                               Response: self-events-data.trafficmanager.net IN CNAME onedscolprdcus16.centralus.cloudapp.azure.com
                                                               Response: onedscolprdcus16.centralus.cloudapp.azure.com IN A 52.182.143.213
                                                             • DNS query by 43434343.exe to 8.8.8.8:53
                                                               Request: 213.143.182.52.in-addr.arpa IN PTR
                                                               Response: (none recorded)
                                                             • DNS query by 43434343.exe to 8.8.8.8:53
                                                               Request: 213.143.182.52.in-addr.arpa IN PTR
                                                            • 147.185.221.19:33473
                                                              increased-rely.gl.at.ply.gg
                                                              43434343.exe
                                                              260 B
                                                              5
                                                            • 147.185.221.19:33473
                                                              increased-rely.gl.at.ply.gg
                                                              43434343.exe
                                                              260 B
                                                              5
                                                            • 147.185.221.19:33473
                                                              increased-rely.gl.at.ply.gg
                                                              43434343.exe
                                                              260 B
                                                              5
                                                            • 147.185.221.19:33473
                                                              increased-rely.gl.at.ply.gg
                                                              43434343.exe
                                                              260 B
                                                              5
                                                            • 147.185.221.19:33473
                                                              increased-rely.gl.at.ply.gg
                                                              43434343.exe
                                                              260 B
                                                              5
                                                            • 147.185.221.19:33473
                                                              increased-rely.gl.at.ply.gg
                                                              43434343.exe
                                                              260 B
                                                              5
                                                            • 147.185.221.19:33473
                                                              increased-rely.gl.at.ply.gg
                                                              43434343.exe
                                                              156 B
                                                              3
                                                            • 8.8.8.8:53
                                                              increased-rely.gl.at.ply.gg
                                                              dns
                                                              43434343.exe
                                                              509 B
                                                              822 B
                                                              7
                                                              6

                                                            MITRE ATT&CK Enterprise v15

                                                            Downloads

                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdGIMP (GNU Image Manipulation Program).exe

                                                              Filesize

                                                              747.6MB

                                                              MD5

                                                              16113ff2629437e11989e31c00ec1d9a

                                                              SHA1

                                                              e53390cc0c98b1136d94260e78ba02bf3be53f99

                                                              SHA256

                                                              5b85eef648c93b71793f9c135a5fe76913c5d725c8b3d09cde59c0591f11e7ed

                                                              SHA512

                                                              11bd49158ab91da301b82e85767ca43227e9073c94916efef8b38618fbb879cedefc60a822154377b5323d5fce8b99d07f1aebba82eb886db6d6dee684574281

                                                            • C:\Windows\xdwd.dll

                                                              Filesize

                                                              136KB

                                                              MD5

                                                              16e5a492c9c6ae34c59683be9c51fa31

                                                              SHA1

                                                              97031b41f5c56f371c28ae0d62a2df7d585adaba

                                                              SHA256

                                                              35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

                                                              SHA512

                                                              20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

                                                            • memory/4700-0-0x00000000007C0000-0x0000000000856000-memory.dmp

                                                              Filesize

                                                              600KB

                                                            • memory/4700-1-0x00007FFF27450000-0x00007FFF27F12000-memory.dmp

                                                              Filesize

                                                              10.8MB

                                                            • memory/4700-33-0x000000001BB80000-0x000000001BB90000-memory.dmp

                                                              Filesize

                                                              64KB

                                                            • memory/4700-88-0x00007FFF27450000-0x00007FFF27F12000-memory.dmp

                                                              Filesize

                                                              10.8MB

                                                            • memory/4700-224-0x000000001BB80000-0x000000001BB90000-memory.dmp

                                                              Filesize

                                                              64KB
