salatstealer | df025008bab8a9d1b780276526007d60abaafb894af2cca82bc633c715945ec5

Analysis

max time kernel
150s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

453d8a70001855e0de88f95920eecd22.exe
Size

3.7MB
MD5

453d8a70001855e0de88f95920eecd22
SHA1

01aeba5a239a5bec4a1028343d48692a5f75794b
SHA256

099ac5c59d32074a1883ef3f4e17796c1244b20f6ca311446062f493f80c8997
SHA512

e7b601043fdc65eb4667865fc55928ef0eb4e5693eb6cb1e1203a9351a44d18209ce652afb2ed86e0806a28d53bdbcc0f7687897b678600362d3d3460d73fe9a
SSDEEP

98304:WdLdnDeAr4fRH/o+2y90A+KyuqvkmNBNMWEUVH:Wdcq4ZfoltAiHvRmWZ

Score

10^/10

salatstealer credential_access defense_evasion discovery persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Detect SalatStealer payload 18 IoCs

resource	yara_rule
behavioral28/memory/5976-45-0x0000000000A40000-0x00000000015BD000-memory.dmp	family_salatstealer
behavioral28/memory/1876-69-0x00000000001D0000-0x0000000000D4D000-memory.dmp	family_salatstealer
behavioral28/memory/2072-78-0x0000000000C80000-0x00000000017FD000-memory.dmp	family_salatstealer
behavioral28/memory/4856-104-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer
behavioral28/memory/4856-105-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer
behavioral28/memory/4856-203-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer
behavioral28/memory/4856-289-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer
behavioral28/memory/4856-371-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer
behavioral28/memory/4856-453-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer
behavioral28/memory/4856-535-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer
behavioral28/memory/4856-618-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer
behavioral28/memory/4856-686-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer
behavioral28/memory/4856-755-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer
behavioral28/memory/4856-837-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer
behavioral28/memory/4856-919-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer
behavioral28/memory/4856-1001-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer
behavioral28/memory/4856-1083-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer
behavioral28/memory/4856-1165-0x0000000000290000-0x0000000000E0D000-memory.dmp	family_salatstealer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\xdwdUnity.exe"	ElysiumExeFree 1.exe

Salatstealer family
salatstealer

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

salatstealer
SalatStealer is a stealer that takes sceenshot written in Golang.
stealer salatstealer

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	powershell.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	453d8a70001855e0de88f95920eecd22.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 6 IoCs

pid	Process
1884	ElysiumExeFree.exe
5976	cooocli.exe
4436	ElysiumExeFree 1.exe
4856	services.exe
1876	services.exe
2072	services.exe

Loads dropped DLL 44 IoCs

pid	Process
3388	Process not Found
444	Process not Found
5880	Process not Found
4328	Process not Found
3340	Process not Found
1888	Process not Found
4504	Process not Found
3460	Process not Found
748	Process not Found
4616	Process not Found
1884	Process not Found
6096	Process not Found
4076	Process not Found
3584	Process not Found
4104	Process not Found
4216	Process not Found
5268	Process not Found
1744	Process not Found
2536	Process not Found
4860	Process not Found
5308	Process not Found
2240	Process not Found
2824	Process not Found
5824	Process not Found
2464	Process not Found
5600	Process not Found
400	Process not Found
848	Process not Found
5580	Process not Found
2756	Process not Found
5532	Process not Found
4884	Process not Found
5976	Process not Found
4924	Process not Found
2240	Process not Found
3476	Process not Found
1192	Process not Found
3900	Process not Found
5328	Process not Found
2420	Process not Found
2184	Process not Found
2268	Process not Found
2744	Process not Found
1812	Process not Found

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Program Files\\xdwdPutty.exe"	ElysiumExeFree 1.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral28/files/0x0010000000024151-17.dat	upx
behavioral28/memory/5976-31-0x0000000000A40000-0x00000000015BD000-memory.dmp	upx
behavioral28/memory/5976-45-0x0000000000A40000-0x00000000015BD000-memory.dmp	upx
behavioral28/memory/4856-47-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/1876-54-0x00000000001D0000-0x0000000000D4D000-memory.dmp	upx
behavioral28/memory/1876-69-0x00000000001D0000-0x0000000000D4D000-memory.dmp	upx
behavioral28/memory/2072-77-0x0000000000C80000-0x00000000017FD000-memory.dmp	upx
behavioral28/memory/2072-78-0x0000000000C80000-0x00000000017FD000-memory.dmp	upx
behavioral28/memory/4856-104-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/4856-105-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/4856-203-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/4856-289-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/4856-371-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/4856-453-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/4856-535-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/4856-618-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/4856-686-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/4856-755-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/4856-837-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/4856-919-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/4856-1001-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/4856-1083-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx
behavioral28/memory/4856-1165-0x0000000000290000-0x0000000000E0D000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\xdwdPutty.exe	ElysiumExeFree 1.exe
File opened for modification	C:\Program Files\xdwdPutty.exe	ElysiumExeFree 1.exe
File created	C:\Program Files (x86)\MSBuild\352ffea3-1bd0-078a-0ee0-795bcc18a31b	cooocli.exe
File created	C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe	cooocli.exe
File opened for modification	C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe	cooocli.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\services.exe	services.exe
File created	C:\Program Files\Google\Chrome\Application\services.exe	services.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	ElysiumExeFree 1.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5360	1884	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cooocli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ElysiumExeFree.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 41 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4376	schtasks.exe
5632	schtasks.exe
3376	schtasks.exe
6044	schtasks.exe
3948	schtasks.exe
4988	schtasks.exe
2684	schtasks.exe
3712	schtasks.exe
2928	schtasks.exe
2460	schtasks.exe
3712	schtasks.exe
820	schtasks.exe
1372	schtasks.exe
3532	schtasks.exe
6000	schtasks.exe
2972	schtasks.exe
5780	schtasks.exe
5188	schtasks.exe
1060	schtasks.exe
2888	schtasks.exe
1088	schtasks.exe
1232	schtasks.exe
5324	schtasks.exe
4708	schtasks.exe
856	schtasks.exe
2500	schtasks.exe
2500	schtasks.exe
3212	schtasks.exe
5936	schtasks.exe
5260	schtasks.exe
2332	schtasks.exe
3656	schtasks.exe
1672	schtasks.exe
5796	schtasks.exe
3368	schtasks.exe
4488	schtasks.exe
2536	schtasks.exe
5580	schtasks.exe
3852	schtasks.exe
3040	schtasks.exe
220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5976	cooocli.exe
5976	cooocli.exe
5976	cooocli.exe
5976	cooocli.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
1876	services.exe
1876	services.exe
4324	powershell.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4324	powershell.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
2072	services.exe
2072	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4856	services.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe
4436	ElysiumExeFree 1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4856	services.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	ElysiumExeFree 1.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	4856	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 1884	364	453d8a70001855e0de88f95920eecd22.exe	87
PID 364 wrote to memory of 1884	364	453d8a70001855e0de88f95920eecd22.exe	87
PID 364 wrote to memory of 1884	364	453d8a70001855e0de88f95920eecd22.exe	87
PID 364 wrote to memory of 5976	364	453d8a70001855e0de88f95920eecd22.exe	89
PID 364 wrote to memory of 5976	364	453d8a70001855e0de88f95920eecd22.exe	89
PID 364 wrote to memory of 5976	364	453d8a70001855e0de88f95920eecd22.exe	89
PID 364 wrote to memory of 4436	364	453d8a70001855e0de88f95920eecd22.exe	90
PID 364 wrote to memory of 4436	364	453d8a70001855e0de88f95920eecd22.exe	90
PID 5976 wrote to memory of 4856	5976	cooocli.exe	95
PID 5976 wrote to memory of 4856	5976	cooocli.exe	95
PID 5976 wrote to memory of 4856	5976	cooocli.exe	95
PID 4856 wrote to memory of 4324	4856	services.exe	96
PID 4856 wrote to memory of 4324	4856	services.exe	96
PID 4856 wrote to memory of 4324	4856	services.exe	96
PID 4856 wrote to memory of 1876	4856	services.exe	98
PID 4856 wrote to memory of 1876	4856	services.exe	98
PID 4856 wrote to memory of 1876	4856	services.exe	98
PID 4856 wrote to memory of 2072	4856	services.exe	100
PID 4856 wrote to memory of 2072	4856	services.exe	100
PID 4856 wrote to memory of 2072	4856	services.exe	100
PID 4436 wrote to memory of 5900	4436	ElysiumExeFree 1.exe	102
PID 4436 wrote to memory of 5900	4436	ElysiumExeFree 1.exe	102
PID 5900 wrote to memory of 3376	5900	CMD.exe	104
PID 5900 wrote to memory of 3376	5900	CMD.exe	104
PID 4436 wrote to memory of 1624	4436	ElysiumExeFree 1.exe	105
PID 4436 wrote to memory of 1624	4436	ElysiumExeFree 1.exe	105
PID 1624 wrote to memory of 3656	1624	CMD.exe	107
PID 1624 wrote to memory of 3656	1624	CMD.exe	107
PID 4436 wrote to memory of 4556	4436	ElysiumExeFree 1.exe	108
PID 4436 wrote to memory of 4556	4436	ElysiumExeFree 1.exe	108
PID 4556 wrote to memory of 856	4556	CMD.exe	110
PID 4556 wrote to memory of 856	4556	CMD.exe	110
PID 4436 wrote to memory of 3136	4436	ElysiumExeFree 1.exe	111
PID 4436 wrote to memory of 3136	4436	ElysiumExeFree 1.exe	111
PID 3136 wrote to memory of 3040	3136	CMD.exe	113
PID 3136 wrote to memory of 3040	3136	CMD.exe	113
PID 4436 wrote to memory of 648	4436	ElysiumExeFree 1.exe	117
PID 4436 wrote to memory of 648	4436	ElysiumExeFree 1.exe	117
PID 648 wrote to memory of 6044	648	CMD.exe	119
PID 648 wrote to memory of 6044	648	CMD.exe	119
PID 4436 wrote to memory of 2232	4436	ElysiumExeFree 1.exe	122
PID 4436 wrote to memory of 2232	4436	ElysiumExeFree 1.exe	122
PID 2232 wrote to memory of 3368	2232	CMD.exe	124
PID 2232 wrote to memory of 3368	2232	CMD.exe	124
PID 4436 wrote to memory of 1648	4436	ElysiumExeFree 1.exe	126
PID 4436 wrote to memory of 1648	4436	ElysiumExeFree 1.exe	126
PID 1648 wrote to memory of 1672	1648	CMD.exe	128
PID 1648 wrote to memory of 1672	1648	CMD.exe	128
PID 4436 wrote to memory of 2748	4436	ElysiumExeFree 1.exe	131
PID 4436 wrote to memory of 2748	4436	ElysiumExeFree 1.exe	131
PID 2748 wrote to memory of 3712	2748	CMD.exe	133
PID 2748 wrote to memory of 3712	2748	CMD.exe	133
PID 4436 wrote to memory of 6132	4436	ElysiumExeFree 1.exe	134
PID 4436 wrote to memory of 6132	4436	ElysiumExeFree 1.exe	134
PID 6132 wrote to memory of 220	6132	CMD.exe	136
PID 6132 wrote to memory of 220	6132	CMD.exe	136
PID 4436 wrote to memory of 3704	4436	ElysiumExeFree 1.exe	138
PID 4436 wrote to memory of 3704	4436	ElysiumExeFree 1.exe	138
PID 3704 wrote to memory of 3948	3704	CMD.exe	140
PID 3704 wrote to memory of 3948	3704	CMD.exe	140
PID 4436 wrote to memory of 3660	4436	ElysiumExeFree 1.exe	142
PID 4436 wrote to memory of 3660	4436	ElysiumExeFree 1.exe	142
PID 3660 wrote to memory of 2500	3660	CMD.exe	144
PID 3660 wrote to memory of 2500	3660	CMD.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\453d8a70001855e0de88f95920eecd22.exe
"C:\Users\Admin\AppData\Local\Temp\453d8a70001855e0de88f95920eecd22.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:364
- C:\Users\Admin\AppData\Local\Temp\ElysiumExeFree.exe
  "C:\Users\Admin\AppData\Local\Temp\ElysiumExeFree.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 828
    3⤵
    - Program crash
    PID:5360
- C:\Users\Admin\AppData\Local\Temp\cooocli.exe
  "C:\Users\Admin\AppData\Local\Temp\cooocli.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5976
- - C:\Users\Admin\AppData\Local\PlaceholderTileLogoFolder\services.exe
    C:\Users\Admin\AppData\Local\PlaceholderTileLogoFolder\services.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      UAC bypass
      Drops file in Drivers directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\services.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\services.exe" -
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1876
  - - C:\Program Files\Google\Chrome\Application\services.exe
      "C:\Program Files\Google\Chrome\Application\services.exe" -
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2072
- C:\Users\Admin\AppData\Local\Temp\ElysiumExeFree 1.exe
  "C:\Users\Admin\AppData\Local\Temp\ElysiumExeFree 1.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5900
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Inkscape" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3376
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3656
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Bitdefender Antivirus" /tr "C:\Program Files\xdwdPutty.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "Bitdefender Antivirus" /tr "C:\Program Files\xdwdPutty.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:856
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3040
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6044
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3368
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1672
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3712
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6132
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:220
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3948
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2500
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1640
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4988
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:3412
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4376
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:6040
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1060
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:5132
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5260
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1812
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5796
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:4848
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4488
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:4924
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2888
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2984
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:820
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:4364
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2684
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:928
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2500
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:4412
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1372
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2124
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1088
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:4808
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3532
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1452
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6000
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2480
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2332
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2004
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2972
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2440
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2536
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2540
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3712
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:5912
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2928
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1476
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3212
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:5648
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2460
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2836
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1232
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:2408
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5780
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:6032
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5188
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:5484
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5324
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:1268
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5936
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:4896
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5632
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:920
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5580
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:4356
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3852
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST & exit
    3⤵
    PID:5428
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Atom Update" /tr "C:\Users\Admin\AppData\Local\xdwdUnity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1884 -ip 1884
1⤵
PID:4708

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4140

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\453d8a70001855e0de88f95920eecd22.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
8b570ab506bf67f280a15aa8ea5c9645

SHA1
30fe1b55ce9b7f87dceea9777d7a3ae91077fa8b

SHA256
a2713765a423c4127e825d5c850f69325e6f6fc3aa9a6d24930bf55bb0c3fe7b

SHA512
11fb7ee1470ff9008bdc793ffc2b683dc25a266f34e2c5060a4f429dde6e010b14c8fec5e46347cdf4de115870e3fa5f1cd1a31174bfc779341bd963c678aa05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
5218251a9325e23faaff87876082dd32

SHA1
cce0b55818300e22a8d5edccdf70b0488a87c79e

SHA256
cae000d246aed9d4e8528ca5fda2a98689ee5f5bdae17d5e0f8139f5c3434967

SHA512
1a3959f4cfd3e11880109122ecabd85649bad1e8e0299533c1a1e728842cd9bea155d8eb65353468d02f06610c8010b9c00e3bb57276f6272b011c82cc3d793e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ElysiumExeFree 1.exe

Filesize
464KB

MD5
e4b6094cd35d97423d00e3c683acafca

SHA1
8b8cb21a52ac2cbdee9692c170422dbf8f5bd170

SHA256
f4c28ca0c118da99941869afcaa5459820991cba54ffb9ff16bdf1a24c930eb5

SHA512
9a3150d6d48a67fc95963f72119fe54b7ddf6a2aacfc7dca668f28abb10ee99a8d6d15775140a372041e42d370c62c71c546ff92de7d93057d84c6dea0640ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ElysiumExeFree.exe

Filesize
335KB

MD5
f5786a239cc582cd4b8fb73308431398

SHA1
5e04df1cc0b1faac15184d29103c30b857334ecf

SHA256
494d94e2e8290c2222be743b777afc5e50cbd80b93966fa768ab54bdc75bf9b8

SHA512
9c440692d852457b49a19bc0add646a47c2bf5616b2daeff6eee285605a8cb5d46b08b5d219b5442f3bf7330a87312c8e4d4543db45af1a0cc9b1ad9a7456f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qreak1fl.zii.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cooocli.exe

Filesize
3.1MB

MD5
f27ed810a051a5b4793789303e045e54

SHA1
798a26f92fb041b85d56c9c86ba39eac1586f5bb

SHA256
a0fdd5875161ea259febd8ea6a366e0caf5b39d65000ad7305915fe972b0e973

SHA512
586eb39314ffb846bd8d4f6fbcd33b0e87a79ed57d615153923400507c94c9489a0e0f67d4f71c53aa4ccfd979c13d5c71a88742eb9ecab2b9711a185c3909d9

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/364-10-0x00007FF8AC0E0000-0x00007FF8ACBA1000-memory.dmp

Filesize
10.8MB

Download
memory/364-35-0x00007FF8AC0E0000-0x00007FF8ACBA1000-memory.dmp

Filesize
10.8MB

Download
memory/364-1-0x0000000000220000-0x00000000005CE000-memory.dmp

Filesize
3.7MB

Download
memory/364-0-0x00007FF8AC0E3000-0x00007FF8AC0E5000-memory.dmp

Filesize
8KB

Download
memory/1876-69-0x00000000001D0000-0x0000000000D4D000-memory.dmp

Filesize
11.5MB

Download
memory/1876-54-0x00000000001D0000-0x0000000000D4D000-memory.dmp

Filesize
11.5MB

Download
memory/1884-38-0x0000000000680000-0x00000000006DE000-memory.dmp

Filesize
376KB

Download
memory/2072-78-0x0000000000C80000-0x00000000017FD000-memory.dmp

Filesize
11.5MB

Download
memory/2072-77-0x0000000000C80000-0x00000000017FD000-memory.dmp

Filesize
11.5MB

Download
memory/4324-55-0x00000000058F0000-0x0000000005912000-memory.dmp

Filesize
136KB

Download
memory/4324-101-0x0000000008020000-0x0000000008034000-memory.dmp

Filesize
80KB

Download
memory/4324-57-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/4324-67-0x00000000062D0000-0x0000000006624000-memory.dmp

Filesize
3.3MB

Download
memory/4324-53-0x0000000005A10000-0x0000000006038000-memory.dmp

Filesize
6.2MB

Download
memory/4324-71-0x0000000006910000-0x000000000695C000-memory.dmp

Filesize
304KB

Download
memory/4324-70-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/4324-107-0x0000000008F00000-0x00000000094A4000-memory.dmp

Filesize
5.6MB

Download
memory/4324-51-0x00000000052E0000-0x0000000005316000-memory.dmp

Filesize
216KB

Download
memory/4324-106-0x0000000008130000-0x0000000008152000-memory.dmp

Filesize
136KB

Download
memory/4324-79-0x0000000006E20000-0x0000000006E64000-memory.dmp

Filesize
272KB

Download
memory/4324-80-0x0000000007BD0000-0x0000000007C46000-memory.dmp

Filesize
472KB

Download
memory/4324-81-0x00000000082D0000-0x000000000894A000-memory.dmp

Filesize
6.5MB

Download
memory/4324-82-0x0000000007C70000-0x0000000007C8A000-memory.dmp

Filesize
104KB

Download
memory/4324-83-0x0000000007E40000-0x0000000007E72000-memory.dmp

Filesize
200KB

Download
memory/4324-84-0x00000000709F0000-0x0000000070A3C000-memory.dmp

Filesize
304KB

Download
memory/4324-95-0x0000000007E80000-0x0000000007E9E000-memory.dmp

Filesize
120KB

Download
memory/4324-85-0x0000000070BF0000-0x0000000070F44000-memory.dmp

Filesize
3.3MB

Download
memory/4324-96-0x0000000007EA0000-0x0000000007F43000-memory.dmp

Filesize
652KB

Download
memory/4324-97-0x0000000007FA0000-0x0000000007FAA000-memory.dmp

Filesize
40KB

Download
memory/4324-98-0x0000000008090000-0x0000000008126000-memory.dmp

Filesize
600KB

Download
memory/4324-99-0x0000000007FF0000-0x0000000008001000-memory.dmp

Filesize
68KB

Download
memory/4324-100-0x0000000008010000-0x000000000801E000-memory.dmp

Filesize
56KB

Download
memory/4324-56-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/4324-102-0x0000000008060000-0x000000000807A000-memory.dmp

Filesize
104KB

Download
memory/4324-103-0x0000000008050000-0x0000000008058000-memory.dmp

Filesize
32KB

Download
memory/4436-76-0x00007FF8AC0E0000-0x00007FF8ACBA1000-memory.dmp

Filesize
10.8MB

Download
memory/4436-34-0x00000000004F0000-0x000000000056A000-memory.dmp

Filesize
488KB

Download
memory/4436-37-0x00007FF8AC0E0000-0x00007FF8ACBA1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-371-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-535-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-105-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-1165-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-47-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-203-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-289-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-104-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-453-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-1083-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-618-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-686-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-755-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-837-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-919-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/4856-1001-0x0000000000290000-0x0000000000E0D000-memory.dmp

Filesize
11.5MB

Download
memory/5976-45-0x0000000000A40000-0x00000000015BD000-memory.dmp

Filesize
11.5MB

Download
memory/5976-31-0x0000000000A40000-0x00000000015BD000-memory.dmp

Filesize
11.5MB

Download