5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32af824687697346da2d415bfb80fa29.exe
Size

13.1MB
MD5

32af824687697346da2d415bfb80fa29
SHA1

bc83dec747cc6fc84c61df9df6d0ca5e82227040
SHA256

cc1927347aa066e1fca14fe1669362dd817ee950f9727a38e3a7b8ced8553062
SHA512

873e74cd1623ee150d3528ba42875048e379e1a577b828215c35f4375bd9817ab25c21113353c3107dc4ab3bcd076a6df5191647c19b373e1472d1b38fbca719
SSDEEP

6144:RAIvHAsjfyx0Sd/jkraPjhEe6VlWT8b9AtHqrXjXx4uzTb8M59cTT4l2P:RAWx5raEPVle8/rttzEccTQY

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\xdwdCorelDRAW.exe"	32af824687697346da2d415bfb80fa29.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Loads dropped DLL 47 IoCs

pid	Process
4064	Process not Found
3976	Process not Found
436	Process not Found
2408	Process not Found
5104	Process not Found
736	Process not Found
1764	Process not Found
3252	Process not Found
5692	Process not Found
2224	Process not Found
5412	Process not Found
5696	Process not Found
5080	Process not Found
1916	Process not Found
4572	Process not Found
5608	Process not Found
3900	Process not Found
2356	Process not Found
6040	Process not Found
4216	Process not Found
5000	Process not Found
4596	Process not Found
4896	Process not Found
6016	Process not Found
3760	Process not Found
5448	Process not Found
1528	Process not Found
3080	Process not Found
4068	Process not Found
2904	Process not Found
3708	Process not Found
6132	Process not Found
3340	Process not Found
4724	Process not Found
4056	Process not Found
4532	Process not Found
2572	Process not Found
4968	Process not Found
224	Process not Found
4260	Process not Found
3772	Process not Found
6072	Process not Found
5088	Process not Found
5592	Process not Found
1696	Process not Found
4476	Process not Found
1692	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Users\\Admin\\AppData\\Roaming\\xdwdMicrosoft Visual Studio.exe"	32af824687697346da2d415bfb80fa29.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	32af824687697346da2d415bfb80fa29.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 46 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2024	schtasks.exe
2268	schtasks.exe
5592	schtasks.exe
4620	schtasks.exe
5940	schtasks.exe
4136	schtasks.exe
4444	schtasks.exe
5372	schtasks.exe
1792	schtasks.exe
5748	schtasks.exe
2388	schtasks.exe
4792	schtasks.exe
5556	schtasks.exe
5808	schtasks.exe
5220	schtasks.exe
5112	schtasks.exe
2616	schtasks.exe
1048	schtasks.exe
6004	schtasks.exe
5636	schtasks.exe
3900	schtasks.exe
2356	schtasks.exe
1456	schtasks.exe
2756	schtasks.exe
4756	schtasks.exe
5776	schtasks.exe
3584	schtasks.exe
4840	schtasks.exe
3576	schtasks.exe
1088	schtasks.exe
1240	schtasks.exe
624	schtasks.exe
4512	schtasks.exe
1960	schtasks.exe
1128	schtasks.exe
4872	schtasks.exe
3520	schtasks.exe
5164	schtasks.exe
5556	schtasks.exe
1620	schtasks.exe
3668	schtasks.exe
4424	schtasks.exe
1156	schtasks.exe
220	schtasks.exe
5456	schtasks.exe
3936	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	32af824687697346da2d415bfb80fa29.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 4692	1944	32af824687697346da2d415bfb80fa29.exe	95
PID 1944 wrote to memory of 4692	1944	32af824687697346da2d415bfb80fa29.exe	95
PID 4692 wrote to memory of 1128	4692	CMD.exe	97
PID 4692 wrote to memory of 1128	4692	CMD.exe	97
PID 1944 wrote to memory of 4788	1944	32af824687697346da2d415bfb80fa29.exe	98
PID 1944 wrote to memory of 4788	1944	32af824687697346da2d415bfb80fa29.exe	98
PID 4788 wrote to memory of 4872	4788	CMD.exe	100
PID 4788 wrote to memory of 4872	4788	CMD.exe	100
PID 1944 wrote to memory of 2008	1944	32af824687697346da2d415bfb80fa29.exe	101
PID 1944 wrote to memory of 2008	1944	32af824687697346da2d415bfb80fa29.exe	101
PID 2008 wrote to memory of 5220	2008	CMD.exe	103
PID 2008 wrote to memory of 5220	2008	CMD.exe	103
PID 1944 wrote to memory of 5824	1944	32af824687697346da2d415bfb80fa29.exe	105
PID 1944 wrote to memory of 5824	1944	32af824687697346da2d415bfb80fa29.exe	105
PID 5824 wrote to memory of 1156	5824	CMD.exe	107
PID 5824 wrote to memory of 1156	5824	CMD.exe	107
PID 1944 wrote to memory of 5328	1944	32af824687697346da2d415bfb80fa29.exe	109
PID 1944 wrote to memory of 5328	1944	32af824687697346da2d415bfb80fa29.exe	109
PID 5328 wrote to memory of 5112	5328	CMD.exe	111
PID 5328 wrote to memory of 5112	5328	CMD.exe	111
PID 1944 wrote to memory of 5376	1944	32af824687697346da2d415bfb80fa29.exe	112
PID 1944 wrote to memory of 5376	1944	32af824687697346da2d415bfb80fa29.exe	112
PID 5376 wrote to memory of 3520	5376	CMD.exe	114
PID 5376 wrote to memory of 3520	5376	CMD.exe	114
PID 1944 wrote to memory of 1008	1944	32af824687697346da2d415bfb80fa29.exe	115
PID 1944 wrote to memory of 1008	1944	32af824687697346da2d415bfb80fa29.exe	115
PID 1008 wrote to memory of 2616	1008	CMD.exe	117
PID 1008 wrote to memory of 2616	1008	CMD.exe	117
PID 1944 wrote to memory of 4068	1944	32af824687697346da2d415bfb80fa29.exe	119
PID 1944 wrote to memory of 4068	1944	32af824687697346da2d415bfb80fa29.exe	119
PID 4068 wrote to memory of 3576	4068	CMD.exe	121
PID 4068 wrote to memory of 3576	4068	CMD.exe	121
PID 1944 wrote to memory of 5992	1944	32af824687697346da2d415bfb80fa29.exe	122
PID 1944 wrote to memory of 5992	1944	32af824687697346da2d415bfb80fa29.exe	122
PID 5992 wrote to memory of 5164	5992	CMD.exe	124
PID 5992 wrote to memory of 5164	5992	CMD.exe	124
PID 1944 wrote to memory of 5124	1944	32af824687697346da2d415bfb80fa29.exe	125
PID 1944 wrote to memory of 5124	1944	32af824687697346da2d415bfb80fa29.exe	125
PID 5124 wrote to memory of 1088	5124	CMD.exe	127
PID 5124 wrote to memory of 1088	5124	CMD.exe	127
PID 1944 wrote to memory of 440	1944	32af824687697346da2d415bfb80fa29.exe	128
PID 1944 wrote to memory of 440	1944	32af824687697346da2d415bfb80fa29.exe	128
PID 440 wrote to memory of 1456	440	CMD.exe	130
PID 440 wrote to memory of 1456	440	CMD.exe	130
PID 1944 wrote to memory of 884	1944	32af824687697346da2d415bfb80fa29.exe	132
PID 1944 wrote to memory of 884	1944	32af824687697346da2d415bfb80fa29.exe	132
PID 884 wrote to memory of 2024	884	CMD.exe	134
PID 884 wrote to memory of 2024	884	CMD.exe	134
PID 1944 wrote to memory of 3372	1944	32af824687697346da2d415bfb80fa29.exe	136
PID 1944 wrote to memory of 3372	1944	32af824687697346da2d415bfb80fa29.exe	136
PID 3372 wrote to memory of 1048	3372	CMD.exe	138
PID 3372 wrote to memory of 1048	3372	CMD.exe	138
PID 1944 wrote to memory of 1936	1944	32af824687697346da2d415bfb80fa29.exe	139
PID 1944 wrote to memory of 1936	1944	32af824687697346da2d415bfb80fa29.exe	139
PID 1936 wrote to memory of 2268	1936	CMD.exe	141
PID 1936 wrote to memory of 2268	1936	CMD.exe	141
PID 1944 wrote to memory of 1428	1944	32af824687697346da2d415bfb80fa29.exe	143
PID 1944 wrote to memory of 1428	1944	32af824687697346da2d415bfb80fa29.exe	143
PID 1428 wrote to memory of 3936	1428	CMD.exe	145
PID 1428 wrote to memory of 3936	1428	CMD.exe	145
PID 1944 wrote to memory of 1284	1944	32af824687697346da2d415bfb80fa29.exe	146
PID 1944 wrote to memory of 1284	1944	32af824687697346da2d415bfb80fa29.exe	146
PID 1284 wrote to memory of 1240	1284	CMD.exe	148
PID 1284 wrote to memory of 1240	1284	CMD.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\32af824687697346da2d415bfb80fa29.exe
"C:\Users\Admin\AppData\Local\Temp\32af824687697346da2d415bfb80fa29.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Outlook" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Outlook" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1128
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4872
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Wireshark Host" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft Visual Studio.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Wireshark Host" /tr "C:\Users\Admin\AppData\Roaming\xdwdMicrosoft Visual Studio.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5220
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5824
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1156
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5328
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5112
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5376
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3520
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2616
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3576
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5992
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5164
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5124
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1088
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1456
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2024
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1048
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2268
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3936
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1240
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:1488
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:624
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:5900
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2756
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:932
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5372
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:5944
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5592
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:6108
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4756
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:3348
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4620
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:4684
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1792
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:1896
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5776
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:3256
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5556
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:1504
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1620
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:3388
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:220
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:5832
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6004
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:5212
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5748
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:2288
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2388
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:3672
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4792
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:2760
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5940
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:4796
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4512
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:4192
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3668
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:4508
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4136
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:5532
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5636
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:1916
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1960
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:2568
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5556
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:3424
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3900
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:4244
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2356
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:3040
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5808
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:5684
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4424
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:4152
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4444
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:2028
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3584
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:1576
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5456
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST & exit
  2⤵
  PID:4380
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Visual Studio Code Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdCorelDRAW.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/1944-0-0x00007FFA83E73000-0x00007FFA83E75000-memory.dmp

Filesize
8KB

Download
memory/1944-1-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download
memory/1944-2-0x00007FFA83E73000-0x00007FFA83E75000-memory.dmp

Filesize
8KB

Download
memory/1944-35-0x00007FFA83E70000-0x00007FFA84931000-memory.dmp

Filesize
10.8MB

Download
memory/1944-119-0x00007FFA83E70000-0x00007FFA84931000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads