Overview

overview

10

Static

static

10

94975fe621...cd.exe

windows7-x64

10

94975fe621...cd.exe

windows10-2004-x64

10

94c020786b...1d.exe

windows7-x64

10

94c020786b...1d.exe

windows10-2004-x64

10

94c7c87a82...20.exe

windows7-x64

1

94c7c87a82...20.exe

windows10-2004-x64

1

94dd618932...a1.exe

windows7-x64

3

94dd618932...a1.exe

windows10-2004-x64

3

94e2ada20e...f6.exe

windows7-x64

10

94e2ada20e...f6.exe

windows10-2004-x64

7

952e0a7f82...33.exe

windows7-x64

7

952e0a7f82...33.exe

windows10-2004-x64

7

953e99960b...40.exe

windows7-x64

10

953e99960b...40.exe

windows10-2004-x64

10

9576cc7c1d...3f.exe

windows7-x64

10

9576cc7c1d...3f.exe

windows10-2004-x64

10

959c2d37a1...19.exe

windows7-x64

10

959c2d37a1...19.exe

windows10-2004-x64

10

95cc71e95c...eb.exe

windows7-x64

10

95cc71e95c...eb.exe

windows10-2004-x64

10

95fc2287fc...2c.exe

windows7-x64

10

95fc2287fc...2c.exe

windows10-2004-x64

10

960c033d30...04.exe

windows7-x64

1

960c033d30...04.exe

windows10-2004-x64

1

96591b5749...ff.exe

windows7-x64

1

96591b5749...ff.exe

windows10-2004-x64

1

9695505ced...e7.exe

windows7-x64

1

9695505ced...e7.exe

windows10-2004-x64

1

96959cb142...76.exe

windows7-x64

10

96959cb142...76.exe

windows10-2004-x64

10

96985d97b0...da.exe

windows7-x64

10

96985d97b0...da.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96985d97b017d4c59db75bdbab49f82d464e90407987be456b1b0ba7f1b748da.exe

  • Size

    372KB

  • MD5

    04f517ad3dbfedd58ba599b17f0b280b

  • SHA1

    d2d19f89b31136881b46b5b459dc87c80d5555bf

  • SHA256

    96985d97b017d4c59db75bdbab49f82d464e90407987be456b1b0ba7f1b748da

  • SHA512

    8be216dd87ac40cd060c97b0f4f9cf497e0f91e1c1ee30b732c9e333b511cb7cd660db37f983bb266e7874b00991850e87c00ca06347fcdf257183546213bd9f

  • SSDEEP

    6144:t90nfbbmC1vJ/lwphR3sje6VlWT8b97zRMDHK4ygGaUbYoidnhi:tKm8vJ7PVle8NzqyDal

Score
10/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Drops file in Windows directory 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 44 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\96985d97b017d4c59db75bdbab49f82d464e90407987be456b1b0ba7f1b748da.exe
    "C:\Users\Admin\AppData\Local\Temp\96985d97b017d4c59db75bdbab49f82d464e90407987be456b1b0ba7f1b748da.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\system32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Publisher" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Publisher" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2656
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2696
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "DaVinci Resolve Update" /tr "C:\Users\Admin\Videos\xdwdCyberLink PowerDirector Update.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo 5 /tn "DaVinci Resolve Update" /tr "C:\Users\Admin\Videos\xdwdCyberLink PowerDirector Update.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2148
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2968
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2476
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1812
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2400
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2580
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2116
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2036
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1192
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2616
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2324
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1872
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1868
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2820
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2232
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:940
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2096
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3068
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1016
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2856
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1816
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2216
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1188
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1668
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:3032
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2876
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2912
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1904
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2996
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2844
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:3000
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2980
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1288
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2168
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:528
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2816
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:968
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1744
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1816
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2948
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:236
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1976
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1516
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:524
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2644
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2124
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2576
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2720
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2700
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2868
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2300
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2248
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1172
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:928
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:952
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1748
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1724
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
      2⤵
        PID:1772
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2704
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
        2⤵
          PID:1204
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1604
        • C:\Windows\system32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
          2⤵
            PID:804
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1344
          • C:\Windows\system32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
            2⤵
              PID:2164
              • C:\Windows\system32\schtasks.exe
                SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
                3⤵
                • Scheduled Task/Job: Scheduled Task
                PID:2664
            • C:\Windows\system32\CMD.exe
              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
              2⤵
                PID:1136
                • C:\Windows\system32\schtasks.exe
                  SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
                  3⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1924
              • C:\Windows\system32\CMD.exe
                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
                2⤵
                  PID:1888
                  • C:\Windows\system32\schtasks.exe
                    SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
                    3⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2476
                • C:\Windows\system32\CMD.exe
                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
                  2⤵
                    PID:1908
                    • C:\Windows\system32\schtasks.exe
                      SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
                      3⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:2176
                  • C:\Windows\system32\CMD.exe
                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
                    2⤵
                      PID:972
                      • C:\Windows\system32\schtasks.exe
                        SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
                        3⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:920
                    • C:\Windows\system32\CMD.exe
                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST & exit
                      2⤵
                        PID:1488
                        • C:\Windows\system32\schtasks.exe
                          SchTaSKs /create /f /sc minute /mo -1 /tn "Avast Antivirus" /tr "C:\Users\Admin\AppData\Roaming\xdwdAtom.exe" /RL HIGHEST
                          3⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:896

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Windows\xdwd.dll
                      Filesize

                      136KB

                      MD5

                      16e5a492c9c6ae34c59683be9c51fa31

                      SHA1

                      97031b41f5c56f371c28ae0d62a2df7d585adaba

                      SHA256

                      35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

                      SHA512

                      20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

                      Download Submit

                    • memory/236-710-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/524-767-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/528-626-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/536-235-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/640-151-0x000007FEF69B0000-0x000007FEF69D2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/928-905-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/940-375-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/952-904-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/968-654-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1016-402-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1172-878-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1188-458-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1192-262-0x000007FEF69B0000-0x000007FEF69D2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1288-598-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1516-738-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1528-207-0x000007FEF69B0000-0x000007FEF69D2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1552-94-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/1552-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1552-34-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

                      Filesize

                      9.9MB

                      Download

                    • memory/1552-2-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1552-1-0x0000000000AA0000-0x0000000000B04000-memory.dmp

                      Filesize

                      400KB

                      Download

                    • memory/1668-487-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1724-934-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1744-681-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1748-935-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1812-121-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1816-680-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1816-430-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1868-316-0x000007FEF69B0000-0x000007FEF69D2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1872-317-0x000007FEF69B0000-0x000007FEF69D2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1904-543-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1932-91-0x000007FEF69B0000-0x000007FEF69D2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1976-739-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2032-179-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2036-234-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2084-122-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2096-374-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2116-205-0x000007FEF69B0000-0x000007FEF69D2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2124-795-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2168-627-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2216-459-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2232-346-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2248-879-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2300-848-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2324-290-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2400-150-0x000007FEF69B0000-0x000007FEF69D2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2476-90-0x000007FEF69B0000-0x000007FEF69D2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2576-792-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2580-178-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2616-291-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2644-764-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2700-822-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2720-823-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2764-263-0x000007FEF69B0000-0x000007FEF69D2000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2800-123-0x0000000077270000-0x0000000077419000-memory.dmp

                      Filesize

                      1.7MB

                      Download

                    • memory/2800-62-0x00000000772C1000-0x00000000772C2000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2800-65-0x0000000077270000-0x0000000077419000-memory.dmp

                      Filesize

                      1.7MB

                      Download

                    • memory/2800-64-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2816-655-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2820-347-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2844-571-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2856-431-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2868-849-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2876-515-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2912-514-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2948-711-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2968-63-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2980-599-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2996-542-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/3000-570-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/3032-486-0x000007FEFAEE0000-0x000007FEFAF02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/3068-403-0x000007FEFB010000-0x000007FEFB032000-memory.dmp

                      Filesize

                      136KB

                      Download