37393231ee6c2f1e4e81bb820867302f509abe5108d7e6eac891fe1ab4b66ca5

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
Size

530KB
MD5

64aa30b5594ae016414dda4be0aee3f1
SHA1

488e5b6b086d9898a74fc8d01d0cebd1f6f38a64
SHA256

b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174
SHA512

950c4f67f7e631d685bd452a75ffb1925a95e02e8e8fb730b59fc8e65639c6edde919069f86ea12c565bbe4eecc1f82fb35e8107e889fb567a7537de80a5ad48
SSDEEP

6144:LyIqmGLgf01enzg6aoUN5Fe6VlWT8b96cfHJ9qFYNF/PHW2DGbDeY6Odn2:GBd58ziPFPVle8ompIuFX22DSz6Odn2

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\System"	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Users\\Admin\\AppData\\Roaming\\Windows"	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 46 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
876	schtasks.exe
1560	schtasks.exe
896	schtasks.exe
1068	schtasks.exe
1936	schtasks.exe
2344	schtasks.exe
2064	schtasks.exe
1504	schtasks.exe
1468	schtasks.exe
2720	schtasks.exe
2856	schtasks.exe
2704	schtasks.exe
2612	schtasks.exe
584	schtasks.exe
2168	schtasks.exe
2100	schtasks.exe
1348	schtasks.exe
1088	schtasks.exe
632	schtasks.exe
2140	schtasks.exe
2944	schtasks.exe
656	schtasks.exe
2888	schtasks.exe
2068	schtasks.exe
2456	schtasks.exe
780	schtasks.exe
1660	schtasks.exe
2076	schtasks.exe
2180	schtasks.exe
1552	schtasks.exe
2632	schtasks.exe
2128	schtasks.exe
2052	schtasks.exe
1736	schtasks.exe
292	schtasks.exe
2488	schtasks.exe
792	schtasks.exe
2764	schtasks.exe
2844	schtasks.exe
2988	schtasks.exe
2256	schtasks.exe
1900	schtasks.exe
268	schtasks.exe
2248	schtasks.exe
880	schtasks.exe
2928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2504	CMD.exe
584	schtasks.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
1676	WmiApSrv.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
1856	CMD.exe
2168	schtasks.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2096	CMD.exe
1936	schtasks.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2740	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	31
PID 2748 wrote to memory of 2740	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	31
PID 2748 wrote to memory of 2740	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	31
PID 2740 wrote to memory of 2612	2740	CMD.exe	33
PID 2740 wrote to memory of 2612	2740	CMD.exe	33
PID 2740 wrote to memory of 2612	2740	CMD.exe	33
PID 2748 wrote to memory of 340	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	34
PID 2748 wrote to memory of 340	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	34
PID 2748 wrote to memory of 340	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	34
PID 340 wrote to memory of 1468	340	CMD.exe	36
PID 340 wrote to memory of 1468	340	CMD.exe	36
PID 340 wrote to memory of 1468	340	CMD.exe	36
PID 2748 wrote to memory of 2528	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	37
PID 2748 wrote to memory of 2528	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	37
PID 2748 wrote to memory of 2528	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	37
PID 2528 wrote to memory of 2944	2528	CMD.exe	39
PID 2528 wrote to memory of 2944	2528	CMD.exe	39
PID 2528 wrote to memory of 2944	2528	CMD.exe	39
PID 2748 wrote to memory of 2504	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	40
PID 2748 wrote to memory of 2504	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	40
PID 2748 wrote to memory of 2504	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	40
PID 2504 wrote to memory of 584	2504	CMD.exe	42
PID 2504 wrote to memory of 584	2504	CMD.exe	42
PID 2504 wrote to memory of 584	2504	CMD.exe	42
PID 2748 wrote to memory of 1856	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	44
PID 2748 wrote to memory of 1856	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	44
PID 2748 wrote to memory of 1856	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	44
PID 1856 wrote to memory of 2168	1856	CMD.exe	46
PID 1856 wrote to memory of 2168	1856	CMD.exe	46
PID 1856 wrote to memory of 2168	1856	CMD.exe	46
PID 2748 wrote to memory of 2096	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	47
PID 2748 wrote to memory of 2096	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	47
PID 2748 wrote to memory of 2096	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	47
PID 2096 wrote to memory of 1936	2096	CMD.exe	49
PID 2096 wrote to memory of 1936	2096	CMD.exe	49
PID 2096 wrote to memory of 1936	2096	CMD.exe	49
PID 2748 wrote to memory of 2988	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	50
PID 2748 wrote to memory of 2988	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	50
PID 2748 wrote to memory of 2988	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	50
PID 2988 wrote to memory of 2256	2988	CMD.exe	52
PID 2988 wrote to memory of 2256	2988	CMD.exe	52
PID 2988 wrote to memory of 2256	2988	CMD.exe	52
PID 2748 wrote to memory of 1980	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	53
PID 2748 wrote to memory of 1980	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	53
PID 2748 wrote to memory of 1980	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	53
PID 1980 wrote to memory of 2488	1980	CMD.exe	55
PID 1980 wrote to memory of 2488	1980	CMD.exe	55
PID 1980 wrote to memory of 2488	1980	CMD.exe	55
PID 2748 wrote to memory of 1684	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	56
PID 2748 wrote to memory of 1684	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	56
PID 2748 wrote to memory of 1684	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	56
PID 1684 wrote to memory of 876	1684	CMD.exe	58
PID 1684 wrote to memory of 876	1684	CMD.exe	58
PID 1684 wrote to memory of 876	1684	CMD.exe	58
PID 2748 wrote to memory of 2744	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	59
PID 2748 wrote to memory of 2744	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	59
PID 2748 wrote to memory of 2744	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	59
PID 2744 wrote to memory of 2344	2744	CMD.exe	61
PID 2744 wrote to memory of 2344	2744	CMD.exe	61
PID 2744 wrote to memory of 2344	2744	CMD.exe	61
PID 2748 wrote to memory of 2548	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	62
PID 2748 wrote to memory of 2548	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	62
PID 2748 wrote to memory of 2548	2748	b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe	62
PID 2548 wrote to memory of 656	2548	CMD.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe
"C:\Users\Admin\AppData\Local\Temp\b65e1ac2a1c32fcf66f67031ebe907e9ca4e1a7cbae7589979b1eba091b6e174.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\system32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Publisher" /tr "C:\Users\Admin\AppData\Roaming\System" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Publisher" /tr "C:\Users\Admin\AppData\Roaming\System"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2612
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1468
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Camtasia" /tr "C:\Users\Admin\AppData\Roaming\Windows" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Camtasia" /tr "C:\Users\Admin\AppData\Roaming\Windows" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2944
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:584
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2168
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1936
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2256
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2488
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:876
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2344
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:656
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2392
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2888
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2016
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1560
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:1772
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2100
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:1164
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2064
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2076
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1348
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:600
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2180
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2420
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1552
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:568
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2720
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:656
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1088
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2392
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:632
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:1676
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1900
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:1040
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1504
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2212
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:896
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:1348
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:268
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2920
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:792
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2928
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2856
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:1536
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2704
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:1872
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2140
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2376
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2068
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2016
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2456
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:1772
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:780
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:1164
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1660
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:1780
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2076
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:1056
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2632
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:1584
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2764
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2580
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2248
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2012
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2128
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2484
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2052
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:1076
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2844
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2092
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1068
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2488
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:880
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2608
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2988
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:1072
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1736
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:408
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:292
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit
  2⤵
  PID:2800
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Corel VideoStudio Upgrade" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/268-651-0x000007FEF7BD0000-0x000007FEF7BF2000-memory.dmp

Filesize
136KB

Download
memory/568-484-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/584-58-0x000007FEF7B70000-0x000007FEF7B92000-memory.dmp

Filesize
136KB

Download
memory/600-422-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/632-539-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/656-507-0x000007FEF6E90000-0x000007FEF6EB2000-memory.dmp

Filesize
136KB

Download
memory/656-253-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/780-842-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/792-674-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/876-197-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/896-618-0x000007FEF6E90000-0x000007FEF6EB2000-memory.dmp

Filesize
136KB

Download
memory/1040-596-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/1088-506-0x000007FEF6E90000-0x000007FEF6EB2000-memory.dmp

Filesize
136KB

Download
memory/1164-871-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/1164-371-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/1348-652-0x000007FEF7BD0000-0x000007FEF7BF2000-memory.dmp

Filesize
136KB

Download
memory/1348-393-0x000007FEF6E90000-0x000007FEF6EB2000-memory.dmp

Filesize
136KB

Download
memory/1504-590-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/1536-736-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/1552-450-0x000007FEF6E90000-0x000007FEF6EB2000-memory.dmp

Filesize
136KB

Download
memory/1560-314-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/1660-870-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/1676-64-0x000007FEF1FC0000-0x000007FEF1FE2000-memory.dmp

Filesize
136KB

Download
memory/1676-562-0x000007FEF6E90000-0x000007FEF6EB2000-memory.dmp

Filesize
136KB

Download
memory/1684-200-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/1772-843-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/1772-338-0x000007FEF6E90000-0x000007FEF6EB2000-memory.dmp

Filesize
136KB

Download
memory/1780-899-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/1856-90-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/1872-759-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/1900-561-0x000007FEF6E90000-0x000007FEF6EB2000-memory.dmp

Filesize
136KB

Download
memory/1936-112-0x000007FEF2110000-0x000007FEF2132000-memory.dmp

Filesize
136KB

Download
memory/1980-170-0x000007FEF2110000-0x000007FEF2132000-memory.dmp

Filesize
136KB

Download
memory/2016-815-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2016-315-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2064-366-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2068-791-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2076-898-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2076-394-0x000007FEF6E90000-0x000007FEF6EB2000-memory.dmp

Filesize
136KB

Download
memory/2096-113-0x000007FEF2110000-0x000007FEF2132000-memory.dmp

Filesize
136KB

Download
memory/2100-337-0x000007FEF6E90000-0x000007FEF6EB2000-memory.dmp

Filesize
136KB

Download
memory/2140-758-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2168-89-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2180-421-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2212-619-0x000007FEF6E90000-0x000007FEF6EB2000-memory.dmp

Filesize
136KB

Download
memory/2256-141-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2344-225-0x000007FEF2110000-0x000007FEF2132000-memory.dmp

Filesize
136KB

Download
memory/2376-792-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2392-540-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2392-282-0x000007FEF2110000-0x000007FEF2132000-memory.dmp

Filesize
136KB

Download
memory/2420-451-0x000007FEF6E90000-0x000007FEF6EB2000-memory.dmp

Filesize
136KB

Download
memory/2456-814-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2488-169-0x000007FEF2110000-0x000007FEF2132000-memory.dmp

Filesize
136KB

Download
memory/2504-59-0x000007FEF7B70000-0x000007FEF7B92000-memory.dmp

Filesize
136KB

Download
memory/2548-254-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2632-926-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2704-732-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2720-483-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2744-226-0x000007FEF2110000-0x000007FEF2132000-memory.dmp

Filesize
136KB

Download
memory/2748-63-0x000007FEF6120000-0x000007FEF6B0C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-122-0x000007FEF6120000-0x000007FEF6B0C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-2-0x000007FEF6123000-0x000007FEF6124000-memory.dmp

Filesize
4KB

Download
memory/2748-1-0x0000000000F70000-0x0000000000FFA000-memory.dmp

Filesize
552KB

Download
memory/2748-0-0x000007FEF6123000-0x000007FEF6124000-memory.dmp

Filesize
4KB

Download
memory/2748-65-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2856-702-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2888-281-0x000007FEF2110000-0x000007FEF2132000-memory.dmp

Filesize
136KB

Download
memory/2920-675-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2928-703-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download
memory/2988-142-0x000007FEF6FF0000-0x000007FEF7012000-memory.dmp

Filesize
136KB

Download