Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
25-04-2024 18:11
General
-
Target
ratnik.exe
-
Size
283KB
-
MD5
cd2549b04a34bfecaa580c13aad997ff
-
SHA1
9754b3f5443513d79c4df458eac36c8e6e31df4a
-
SHA256
bce46dfea77df9cd1109c732b9a26a8888ecf8665116a94254b35341989ffc57
-
SHA512
2a7a74bf8bdb79b36929e7384e16fcc186a9e5c5d65566068c9b69ea138737755861b1f7fc5158e085b731de2a7389c3c979ff85c2cd99ed9b89b38c8f05e39f
-
SSDEEP
6144:pEDbtVkjwfWi3Le6VlWT8b9EqP4Xo5qDmb1Ugp:p8XNPVle8SqSDkVp
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies AppInit DLL entries 2 TTPs
-
Loads dropped DLL 47 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Creates scheduled task(s) 1 TTPs 46 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ratnik.exe"C:\Users\Admin\AppData\Local\Temp\ratnik.exe"1⤵
- Modifies WinLogon for persistence
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Google Earth" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Google Earth" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe"3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Mozilla Firefox" /tr "C:\Users\Admin\Videos\xdwdSage 50.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "Mozilla Firefox" /tr "C:\Users\Admin\Videos\xdwdSage 50.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Maya Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exe" /RL HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorel VideoStudio Upgrade.exeFilesize
709.3MB
MD5f5a8a78a74552701ea2c422103122e8d
SHA1433b0be41e0610c2cd55567d06b4eae5f2d46094
SHA2562904cf5c517b9f2190eb8ffd4c895d76e6ac93a66a00e59ea26ded37535b5954
SHA512d2439c5de2ae7d9923a1cadff82f3864c8dccb5539c9016be82ef8d23ca66a0149fd84501fe71c22621f6f6fbb763266a1ebe5d4c672c6b03be70510ce40091e
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.datFilesize
11KB
MD5e3e15a868a60c5bc28058860580772ff
SHA131e64db52bcf6826fb18556214cc11cfca9ef116
SHA2564dfd6f56923734f981111a3fc4cf3e11b420522506dac49441312b2fe80c4db9
SHA5122b0db39c132bf6df3945c6acf0bc656650051c9483f0f454afd4640dc252c964049f4338889ed1289334fb536ad27997ff19746af420d11eaabf95db0e89f11c
-
C:\Users\Admin\AppData\Local\Temp\tmpB34D.tmp.pngFilesize
1.0MB
MD552b282dfe0c9d9cf250c7b5e021fcc13
SHA16340a315c92a43346b69cc0515fda55fd57d0a68
SHA2560fd3703fac3837f9ee980c97d154a7a064d0d516f06c37b4a242e0fe38a6b8de
SHA512ced762766d7bea737ecb3de8fa5ba3ad7908c847429a0aebb223844ca8333899fecf2a744b8cd9d241ffb268154e81601b196e43a4a73a3a0dec93ae743697b6
-
C:\Windows\xdwd.dllFilesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
memory/1756-94-0x00007FFBF9510000-0x00007FFBF9FD2000-memory.dmpFilesize
10.8MB
-
memory/1756-0-0x0000000000670000-0x00000000006BC000-memory.dmpFilesize
304KB
-
memory/1756-208-0x000000001B970000-0x000000001B980000-memory.dmpFilesize
64KB
-
memory/1756-448-0x000000001BF40000-0x000000001BFB6000-memory.dmpFilesize
472KB
-
memory/1756-449-0x000000001B940000-0x000000001B94A000-memory.dmpFilesize
40KB
-
memory/1756-450-0x000000001BA30000-0x000000001BA4E000-memory.dmpFilesize
120KB
-
memory/1756-33-0x000000001B970000-0x000000001B980000-memory.dmpFilesize
64KB
-
memory/1756-1-0x00007FFBF9510000-0x00007FFBF9FD2000-memory.dmpFilesize
10.8MB
-
memory/4812-65-0x00007FFC1A350000-0x00007FFC1A351000-memory.dmpFilesize
4KB
