5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32af824687697346da2d415bfb80fa29.exe
Size

13.1MB
MD5

32af824687697346da2d415bfb80fa29
SHA1

bc83dec747cc6fc84c61df9df6d0ca5e82227040
SHA256

cc1927347aa066e1fca14fe1669362dd817ee950f9727a38e3a7b8ced8553062
SHA512

873e74cd1623ee150d3528ba42875048e379e1a577b828215c35f4375bd9817ab25c21113353c3107dc4ab3bcd076a6df5191647c19b373e1472d1b38fbca719
SSDEEP

6144:RAIvHAsjfyx0Sd/jkraPjhEe6VlWT8b9AtHqrXjXx4uzTb8M59cTT4l2P:RAWx5raEPVle8/rttzEccTQY

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\xdwdCorelDRAW.exe"	32af824687697346da2d415bfb80fa29.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Users\\Admin\\AppData\\Roaming\\xdwdMicrosoft Visual Studio.exe"	32af824687697346da2d415bfb80fa29.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	32af824687697346da2d415bfb80fa29.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 46 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1152	schtasks.exe
1304	schtasks.exe
2652	schtasks.exe
1960	schtasks.exe
708	schtasks.exe
2208	schtasks.exe
2944	schtasks.exe
1300	schtasks.exe
680	schtasks.exe
2572	schtasks.exe
2676	schtasks.exe
1804	schtasks.exe
2424	schtasks.exe
1056	schtasks.exe
1680	schtasks.exe
1868	schtasks.exe
2452	schtasks.exe
972	schtasks.exe
1060	schtasks.exe
2936	schtasks.exe
1104	schtasks.exe
1852	schtasks.exe
3012	schtasks.exe
2836	schtasks.exe
1348	schtasks.exe
2036	schtasks.exe
2552	schtasks.exe
2100	schtasks.exe
3060	schtasks.exe
1976	schtasks.exe
2876	schtasks.exe
1720	schtasks.exe
2288	schtasks.exe
1580	schtasks.exe
1600	schtasks.exe
3032	schtasks.exe
2900	schtasks.exe
1672	schtasks.exe
2312	schtasks.exe
2380	schtasks.exe
2596	schtasks.exe
1576	schtasks.exe
1736	schtasks.exe
1908	schtasks.exe
1100	schtasks.exe
2592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1668	CMD.exe
1152	schtasks.exe
1908	CMD.exe
2936	schtasks.exe
2440	CMD.exe
2208	schtasks.exe
1332	CMD.exe
1056	schtasks.exe
1516	CMD.exe
1720	schtasks.exe
2428	CMD.exe
2312	schtasks.exe
2352	CMD.exe
1304	schtasks.exe
2988	CMD.exe
2572	schtasks.exe
2568	CMD.exe
3060	schtasks.exe
2124	CMD.exe
2380	schtasks.exe
1396	CMD.exe
2288	schtasks.exe
480	CMD.exe
1976	schtasks.exe
3024	CMD.exe
1680	schtasks.exe
1376	CMD.exe
1104	schtasks.exe
1776	CMD.exe
1852	schtasks.exe
2264	CMD.exe
3012	schtasks.exe
2344	CMD.exe
1580	schtasks.exe
2444	CMD.exe
2676	schtasks.exe
2884	CMD.exe
2596	schtasks.exe
560	CMD.exe
1576	schtasks.exe
2536	CMD.exe
2652	schtasks.exe
2936	CMD.exe
1804	schtasks.exe
2768	CMD.exe
1960	schtasks.exe
2296	CMD.exe
2836	schtasks.exe
1404	CMD.exe
1868	schtasks.exe
1300	CMD.exe
2424	schtasks.exe
1664	CMD.exe
1600	schtasks.exe
2612	CMD.exe
2876	schtasks.exe
1820	CMD.exe
2452	schtasks.exe
1576	CMD.exe
1348	schtasks.exe
552	CMD.exe
2944	schtasks.exe
2432	CMD.exe
2036	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	32af824687697346da2d415bfb80fa29.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2872	2892	32af824687697346da2d415bfb80fa29.exe	31
PID 2892 wrote to memory of 2872	2892	32af824687697346da2d415bfb80fa29.exe	31
PID 2892 wrote to memory of 2872	2892	32af824687697346da2d415bfb80fa29.exe	31
PID 2872 wrote to memory of 2592	2872	CMD.exe	33
PID 2872 wrote to memory of 2592	2872	CMD.exe	33
PID 2872 wrote to memory of 2592	2872	CMD.exe	33
PID 2892 wrote to memory of 2596	2892	32af824687697346da2d415bfb80fa29.exe	34
PID 2892 wrote to memory of 2596	2892	32af824687697346da2d415bfb80fa29.exe	34
PID 2892 wrote to memory of 2596	2892	32af824687697346da2d415bfb80fa29.exe	34
PID 2596 wrote to memory of 1672	2596	CMD.exe	36
PID 2596 wrote to memory of 1672	2596	CMD.exe	36
PID 2596 wrote to memory of 1672	2596	CMD.exe	36
PID 2892 wrote to memory of 588	2892	32af824687697346da2d415bfb80fa29.exe	37
PID 2892 wrote to memory of 588	2892	32af824687697346da2d415bfb80fa29.exe	37
PID 2892 wrote to memory of 588	2892	32af824687697346da2d415bfb80fa29.exe	37
PID 588 wrote to memory of 2100	588	CMD.exe	39
PID 588 wrote to memory of 2100	588	CMD.exe	39
PID 588 wrote to memory of 2100	588	CMD.exe	39
PID 2892 wrote to memory of 1668	2892	32af824687697346da2d415bfb80fa29.exe	40
PID 2892 wrote to memory of 1668	2892	32af824687697346da2d415bfb80fa29.exe	40
PID 2892 wrote to memory of 1668	2892	32af824687697346da2d415bfb80fa29.exe	40
PID 1668 wrote to memory of 1152	1668	CMD.exe	42
PID 1668 wrote to memory of 1152	1668	CMD.exe	42
PID 1668 wrote to memory of 1152	1668	CMD.exe	42
PID 2892 wrote to memory of 1908	2892	32af824687697346da2d415bfb80fa29.exe	43
PID 2892 wrote to memory of 1908	2892	32af824687697346da2d415bfb80fa29.exe	43
PID 2892 wrote to memory of 1908	2892	32af824687697346da2d415bfb80fa29.exe	43
PID 1908 wrote to memory of 2936	1908	CMD.exe	45
PID 1908 wrote to memory of 2936	1908	CMD.exe	45
PID 1908 wrote to memory of 2936	1908	CMD.exe	45
PID 2892 wrote to memory of 2440	2892	32af824687697346da2d415bfb80fa29.exe	46
PID 2892 wrote to memory of 2440	2892	32af824687697346da2d415bfb80fa29.exe	46
PID 2892 wrote to memory of 2440	2892	32af824687697346da2d415bfb80fa29.exe	46
PID 2440 wrote to memory of 2208	2440	CMD.exe	48
PID 2440 wrote to memory of 2208	2440	CMD.exe	48
PID 2440 wrote to memory of 2208	2440	CMD.exe	48
PID 2892 wrote to memory of 1332	2892	32af824687697346da2d415bfb80fa29.exe	49
PID 2892 wrote to memory of 1332	2892	32af824687697346da2d415bfb80fa29.exe	49
PID 2892 wrote to memory of 1332	2892	32af824687697346da2d415bfb80fa29.exe	49
PID 1332 wrote to memory of 1056	1332	CMD.exe	51
PID 1332 wrote to memory of 1056	1332	CMD.exe	51
PID 1332 wrote to memory of 1056	1332	CMD.exe	51
PID 2892 wrote to memory of 1516	2892	32af824687697346da2d415bfb80fa29.exe	52
PID 2892 wrote to memory of 1516	2892	32af824687697346da2d415bfb80fa29.exe	52
PID 2892 wrote to memory of 1516	2892	32af824687697346da2d415bfb80fa29.exe	52
PID 1516 wrote to memory of 1720	1516	CMD.exe	54
PID 1516 wrote to memory of 1720	1516	CMD.exe	54
PID 1516 wrote to memory of 1720	1516	CMD.exe	54
PID 2892 wrote to memory of 2428	2892	32af824687697346da2d415bfb80fa29.exe	55
PID 2892 wrote to memory of 2428	2892	32af824687697346da2d415bfb80fa29.exe	55
PID 2892 wrote to memory of 2428	2892	32af824687697346da2d415bfb80fa29.exe	55
PID 2428 wrote to memory of 2312	2428	CMD.exe	57
PID 2428 wrote to memory of 2312	2428	CMD.exe	57
PID 2428 wrote to memory of 2312	2428	CMD.exe	57
PID 2892 wrote to memory of 2352	2892	32af824687697346da2d415bfb80fa29.exe	58
PID 2892 wrote to memory of 2352	2892	32af824687697346da2d415bfb80fa29.exe	58
PID 2892 wrote to memory of 2352	2892	32af824687697346da2d415bfb80fa29.exe	58
PID 2352 wrote to memory of 1304	2352	CMD.exe	60
PID 2352 wrote to memory of 1304	2352	CMD.exe	60
PID 2352 wrote to memory of 1304	2352	CMD.exe	60
PID 2892 wrote to memory of 2988	2892	32af824687697346da2d415bfb80fa29.exe	61
PID 2892 wrote to memory of 2988	2892	32af824687697346da2d415bfb80fa29.exe	61
PID 2892 wrote to memory of 2988	2892	32af824687697346da2d415bfb80fa29.exe	61
PID 2988 wrote to memory of 2572	2988	CMD.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\32af824687697346da2d415bfb80fa29.exe
"C:\Users\Admin\AppData\Local\Temp\32af824687697346da2d415bfb80fa29.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\system32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Outlook" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Outlook" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2592
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1672
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Wireshark Host" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft Visual Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Wireshark Host" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft Visual Studio.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2100
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1152
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2936
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2208
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1056
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1720
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2312
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1304
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2572
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2568
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:3060
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2124
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2380
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2288
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:480
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1976
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3024
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1680
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1376
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1104
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1776
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1852
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2264
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:3012
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1580
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2444
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2676
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2884
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2596
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1576
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2652
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2936
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1804
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2768
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1960
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2836
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1404
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1868
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1300
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2424
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1600
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2876
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1820
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2452
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1576
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:1348
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:552
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2944
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    - Suspicious behavior: EnumeratesProcesses
    PID:2036
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:3036
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:972
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:2180
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3032
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:2544
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1736
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:996
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:708
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:2324
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1300
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:2124
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2900
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:3068
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2552
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:764
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1060
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:1396
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1908
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:2236
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:680
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:908
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/480-367-0x000007FEF73F0000-0x000007FEF7412000-memory.dmp

Filesize
136KB

Download
memory/552-904-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/560-596-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/1056-142-0x000007FEF73F0000-0x000007FEF7412000-memory.dmp

Filesize
136KB

Download
memory/1104-422-0x000007FEF73F0000-0x000007FEF7412000-memory.dmp

Filesize
136KB

Download
memory/1152-60-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/1300-764-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/1304-226-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/1332-143-0x000007FEF73F0000-0x000007FEF7412000-memory.dmp

Filesize
136KB

Download
memory/1348-870-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/1376-423-0x000007FEF73F0000-0x000007FEF7412000-memory.dmp

Filesize
136KB

Download
memory/1396-344-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/1404-736-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/1516-176-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/1576-592-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/1576-871-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/1580-511-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/1600-791-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/1664-792-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/1668-123-0x0000000077180000-0x0000000077329000-memory.dmp

Filesize
1.7MB

Download
memory/1668-61-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/1668-62-0x0000000077180000-0x0000000077329000-memory.dmp

Filesize
1.7MB

Download
memory/1668-54-0x00000000771D1000-0x00000000771D2000-memory.dmp

Filesize
4KB

Download
memory/1680-399-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/1720-170-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/1776-456-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/1804-652-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/1820-848-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/1852-451-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/1868-735-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/1908-85-0x000007FEF73F0000-0x000007FEF7412000-memory.dmp

Filesize
136KB

Download
memory/1960-679-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/1976-366-0x000007FEF73F0000-0x000007FEF7412000-memory.dmp

Filesize
136KB

Download
memory/2036-926-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2124-311-0x000007FEF73F0000-0x000007FEF7412000-memory.dmp

Filesize
136KB

Download
memory/2208-113-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2264-479-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2288-343-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2296-703-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2312-198-0x000007FEF73F0000-0x000007FEF7412000-memory.dmp

Filesize
136KB

Download
memory/2344-512-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/2352-230-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2380-310-0x000007FEF73F0000-0x000007FEF7412000-memory.dmp

Filesize
136KB

Download
memory/2424-763-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2428-199-0x000007FEF73F0000-0x000007FEF7412000-memory.dmp

Filesize
136KB

Download
memory/2432-927-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2440-117-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2444-535-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2452-847-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/2536-625-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/2568-288-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2572-254-0x000007FEF73F0000-0x000007FEF7412000-memory.dmp

Filesize
136KB

Download
memory/2596-562-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/2612-815-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2652-624-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/2676-534-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2768-681-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/2836-702-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2876-814-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2884-568-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/2892-1-0x0000000000D10000-0x0000000000D90000-memory.dmp

Filesize
512KB

Download
memory/2892-94-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-2-0x000007FEF4F63000-0x000007FEF4F64000-memory.dmp

Filesize
4KB

Download
memory/2892-34-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-0-0x000007FEF4F63000-0x000007FEF4F64000-memory.dmp

Filesize
4KB

Download
memory/2936-653-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/2936-84-0x000007FEF73F0000-0x000007FEF7412000-memory.dmp

Filesize
136KB

Download
memory/2944-898-0x000007FEF7480000-0x000007FEF74A2000-memory.dmp

Filesize
136KB

Download
memory/2988-255-0x000007FEF73F0000-0x000007FEF7412000-memory.dmp

Filesize
136KB

Download
memory/3012-478-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/3024-400-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download
memory/3060-282-0x000007FEF7420000-0x000007FEF7442000-memory.dmp

Filesize
136KB

Download