Overview

overview

10

Static

static

10

bca3772529...45.exe

windows7-x64

10

bca3772529...45.exe

windows10-2004-x64

10

bccb34575f...72.exe

windows7-x64

10

bccb34575f...72.exe

windows10-2004-x64

10

bcf1af9a5a...be.exe

windows7-x64

10

bcf1af9a5a...be.exe

windows10-2004-x64

8

bcf783e363...97.exe

windows7-x64

3

bcf783e363...97.exe

windows10-2004-x64

3

bd515574dc...8c.exe

windows7-x64

1

bd515574dc...8c.exe

windows10-2004-x64

1

bd68ca7605...39.exe

windows7-x64

10

bd68ca7605...39.exe

windows10-2004-x64

10

bd707a0357...e3.exe

windows7-x64

9

bd707a0357...e3.exe

windows10-2004-x64

9

bd7edfedeb...0b.exe

windows7-x64

10

bd7edfedeb...0b.exe

windows10-2004-x64

10

bdad1ff46d...f2.exe

windows7-x64

10

bdad1ff46d...f2.exe

windows10-2004-x64

10

bdae9ff159...df.exe

windows7-x64

10

bdae9ff159...df.exe

windows10-2004-x64

10

be01d2552c...1c.exe

windows7-x64

10

be01d2552c...1c.exe

windows10-2004-x64

10

be077774c9...87.exe

windows7-x64

10

be077774c9...87.exe

windows10-2004-x64

10

be0a8aeb7e...56.exe

windows7-x64

3

be0a8aeb7e...56.exe

windows10-2004-x64

3

be1643898c...f5.exe

windows7-x64

7

be1643898c...f5.exe

windows10-2004-x64

10

be183db6d4...94.exe

windows7-x64

10

be183db6d4...94.exe

windows10-2004-x64

10

be2375e810...94.exe

windows7-x64

10

be2375e810...94.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd7edfedebe8a680d801ffd5b2415cd3877e95c78edb8cfc44eaae3e0e9a1e0b.exe

  • Size

    300KB

  • MD5

    4bb553f72fc435ab9d6bc0cd2f5dcf27

  • SHA1

    3a4623813ca0b3e8ce929bd7c555534c2e207e6c

  • SHA256

    bd7edfedebe8a680d801ffd5b2415cd3877e95c78edb8cfc44eaae3e0e9a1e0b

  • SHA512

    6c42ef68d52d473f7beb12109eadedb59eed09d5126b13330beccb793d2a2e717d94f9aa493e4190c5d6283518a2fc245dd6aa24b69f5d82649d5b6a07b5e8de

  • SSDEEP

    6144:mevNyKnYli6n3hICfse6VlWT8b9PBLQBbmZSV:94K2WPVle8dS

Score
10/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 46 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd7edfedebe8a680d801ffd5b2415cd3877e95c78edb8cfc44eaae3e0e9a1e0b.exe
    "C:\Users\Admin\AppData\Local\Temp\bd7edfedebe8a680d801ffd5b2415cd3877e95c78edb8cfc44eaae3e0e9a1e0b.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\system32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2740
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1316
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Evernote" /tr "C:\Users\Public\Pictures\xdwdRainmeter.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo 5 /tn "Evernote" /tr "C:\Users\Public\Pictures\xdwdRainmeter.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:764
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1940
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2272
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:288
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:3008
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:840
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:944
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3048
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3024
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2524
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
        PID:688
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:572
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
        2⤵
          PID:3064
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2244
        • C:\Windows\system32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
          2⤵
            PID:2796
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1876
          • C:\Windows\system32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
            2⤵
              PID:1688
              • C:\Windows\system32\schtasks.exe
                SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                3⤵
                • Scheduled Task/Job: Scheduled Task
                PID:3012
            • C:\Windows\system32\CMD.exe
              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
              2⤵
                PID:2392
                • C:\Windows\system32\schtasks.exe
                  SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                  3⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2568
              • C:\Windows\system32\CMD.exe
                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                2⤵
                  PID:2564
                  • C:\Windows\system32\schtasks.exe
                    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                    3⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1756
                • C:\Windows\system32\CMD.exe
                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                  2⤵
                    PID:1336
                    • C:\Windows\system32\schtasks.exe
                      SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                      3⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:1028
                  • C:\Windows\system32\CMD.exe
                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                    2⤵
                      PID:2536
                      • C:\Windows\system32\schtasks.exe
                        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                        3⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:1484
                    • C:\Windows\system32\CMD.exe
                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                      2⤵
                        PID:2656
                        • C:\Windows\system32\schtasks.exe
                          SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                          3⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:2668
                      • C:\Windows\system32\CMD.exe
                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                        2⤵
                          PID:1144
                          • C:\Windows\system32\schtasks.exe
                            SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                            3⤵
                            • Scheduled Task/Job: Scheduled Task
                            PID:2268
                        • C:\Windows\system32\CMD.exe
                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                          2⤵
                            PID:1504
                            • C:\Windows\system32\schtasks.exe
                              SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                              3⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:2124
                          • C:\Windows\system32\CMD.exe
                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                            2⤵
                              PID:2096
                              • C:\Windows\system32\schtasks.exe
                                SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                3⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:2552
                            • C:\Windows\system32\CMD.exe
                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                              2⤵
                                PID:3068
                                • C:\Windows\system32\schtasks.exe
                                  SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                  3⤵
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2376
                              • C:\Windows\system32\CMD.exe
                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                2⤵
                                  PID:1800
                                  • C:\Windows\system32\schtasks.exe
                                    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                    3⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2204
                                • C:\Windows\system32\CMD.exe
                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                  2⤵
                                    PID:1492
                                    • C:\Windows\system32\schtasks.exe
                                      SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                      3⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:1544
                                  • C:\Windows\system32\CMD.exe
                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                    2⤵
                                      PID:1792
                                      • C:\Windows\system32\schtasks.exe
                                        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                        3⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1308
                                    • C:\Windows\system32\CMD.exe
                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                      2⤵
                                        PID:760
                                        • C:\Windows\system32\schtasks.exe
                                          SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                          3⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1452
                                      • C:\Windows\system32\CMD.exe
                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                        2⤵
                                          PID:2060
                                          • C:\Windows\system32\schtasks.exe
                                            SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                            3⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1712
                                        • C:\Windows\system32\CMD.exe
                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                          2⤵
                                            PID:2300
                                            • C:\Windows\system32\schtasks.exe
                                              SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                              3⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1596
                                          • C:\Windows\system32\CMD.exe
                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                            2⤵
                                              PID:2636
                                              • C:\Windows\system32\schtasks.exe
                                                SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                3⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:536
                                            • C:\Windows\system32\CMD.exe
                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                              2⤵
                                                PID:888
                                                • C:\Windows\system32\schtasks.exe
                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                  3⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1304
                                              • C:\Windows\system32\CMD.exe
                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                                2⤵
                                                  PID:2920
                                                  • C:\Windows\system32\schtasks.exe
                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                    3⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2824
                                                • C:\Windows\system32\CMD.exe
                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                                  2⤵
                                                    PID:1628
                                                    • C:\Windows\system32\schtasks.exe
                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                      3⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3012
                                                  • C:\Windows\system32\CMD.exe
                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                                    2⤵
                                                      PID:1648
                                                      • C:\Windows\system32\schtasks.exe
                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                        3⤵
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2056
                                                    • C:\Windows\system32\CMD.exe
                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                                      2⤵
                                                        PID:1672
                                                        • C:\Windows\system32\schtasks.exe
                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                          3⤵
                                                          • Scheduled Task/Job: Scheduled Task
                                                          PID:2736
                                                      • C:\Windows\system32\CMD.exe
                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                                        2⤵
                                                          PID:1000
                                                          • C:\Windows\system32\schtasks.exe
                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                            3⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1244
                                                        • C:\Windows\system32\CMD.exe
                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                                          2⤵
                                                            PID:872
                                                            • C:\Windows\system32\schtasks.exe
                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                              3⤵
                                                              • Scheduled Task/Job: Scheduled Task
                                                              PID:1252
                                                          • C:\Windows\system32\CMD.exe
                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                                            2⤵
                                                              PID:2556
                                                              • C:\Windows\system32\schtasks.exe
                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                                3⤵
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:1604
                                                            • C:\Windows\system32\CMD.exe
                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                                              2⤵
                                                                PID:2524
                                                                • C:\Windows\system32\schtasks.exe
                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                                  3⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:2776
                                                              • C:\Windows\system32\CMD.exe
                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                                                2⤵
                                                                  PID:1160
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                                    3⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:1624
                                                                • C:\Windows\system32\CMD.exe
                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                                                  2⤵
                                                                    PID:2108
                                                                    • C:\Windows\system32\schtasks.exe
                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                                      3⤵
                                                                      • Scheduled Task/Job: Scheduled Task
                                                                      PID:1064
                                                                  • C:\Windows\system32\CMD.exe
                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                                                    2⤵
                                                                      PID:1952
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                                        3⤵
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:2316
                                                                    • C:\Windows\system32\CMD.exe
                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                                                      2⤵
                                                                        PID:2264
                                                                        • C:\Windows\system32\schtasks.exe
                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                                          3⤵
                                                                          • Scheduled Task/Job: Scheduled Task
                                                                          PID:1880
                                                                      • C:\Windows\system32\CMD.exe
                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                                                        2⤵
                                                                          PID:108
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                                            3⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:2324
                                                                        • C:\Windows\system32\CMD.exe
                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                                                                          2⤵
                                                                            PID:2968
                                                                            • C:\Windows\system32\schtasks.exe
                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                                                                              3⤵
                                                                              • Scheduled Task/Job: Scheduled Task
                                                                              PID:2236

                                                                        Network

                                                                        MITRE ATT&CK Enterprise v15

                                                                        Replay Monitor

                                                                        Loading Replay Monitor...

                                                                        Downloads

                                                                        • C:\Windows\xdwd.dll
                                                                          Filesize

                                                                          136KB

                                                                          MD5

                                                                          16e5a492c9c6ae34c59683be9c51fa31

                                                                          SHA1

                                                                          97031b41f5c56f371c28ae0d62a2df7d585adaba

                                                                          SHA256

                                                                          35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

                                                                          SHA512

                                                                          20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

                                                                          Download Submit

                                                                        • memory/288-117-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/536-817-0x000007FEF6060000-0x000007FEF6082000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/572-281-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/688-283-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/760-729-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/764-53-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/840-148-0x000007FEF12B0000-0x000007FEF12D2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/888-840-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/944-168-0x000007FEF1280000-0x000007FEF12A2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1028-448-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1144-539-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1156-169-0x000007FEF1280000-0x000007FEF12A2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1304-839-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1308-700-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1336-449-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1452-728-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1484-476-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1492-673-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1504-561-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1544-672-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1596-784-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1628-897-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1672-149-0x000007FEF12B0000-0x000007FEF12D2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1688-370-0x000007FEF12B0000-0x000007FEF12D2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1712-761-0x000007FEF6060000-0x000007FEF6082000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1724-202-0x000007FEF1280000-0x000007FEF12A2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1756-420-0x000007FEF12B0000-0x000007FEF12D2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1760-225-0x000007FEF1280000-0x000007FEF12A2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1792-701-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1800-645-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1876-336-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/1940-60-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2056-923-0x000007FEF6060000-0x000007FEF6082000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2060-762-0x000007FEF6060000-0x000007FEF6082000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2096-589-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2124-560-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2204-644-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2244-313-0x000007FEF12B0000-0x000007FEF12D2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2268-537-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2272-83-0x000007FEF12B0000-0x000007FEF12D2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2300-785-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2376-616-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2392-393-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2468-252-0x000007FEF1280000-0x000007FEF12A2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2524-251-0x000007FEF1280000-0x000007FEF12A2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2536-477-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2552-588-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2564-421-0x000007FEF12B0000-0x000007FEF12D2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2568-392-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2636-818-0x000007FEF6060000-0x000007FEF6082000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2656-505-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2668-504-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2796-340-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2824-873-0x000007FEF6060000-0x000007FEF6082000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2840-64-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

                                                                          Filesize

                                                                          9.9MB

                                                                          Download

                                                                        • memory/2840-121-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

                                                                          Filesize

                                                                          9.9MB

                                                                          Download

                                                                        • memory/2840-0-0x000007FEF4E43000-0x000007FEF4E44000-memory.dmp

                                                                          Filesize

                                                                          4KB

                                                                          Download

                                                                        • memory/2840-2-0x000007FEF4E43000-0x000007FEF4E44000-memory.dmp

                                                                          Filesize

                                                                          4KB

                                                                          Download

                                                                        • memory/2840-1-0x0000000000C00000-0x0000000000C52000-memory.dmp

                                                                          Filesize

                                                                          328KB

                                                                          Download

                                                                        • memory/2868-61-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/2920-874-0x000007FEF6060000-0x000007FEF6082000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/3008-116-0x000007FEF5BA0000-0x000007FEF5BC2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/3012-369-0x000007FEF12B0000-0x000007FEF12D2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/3012-896-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/3024-224-0x000007FEF1280000-0x000007FEF12A2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/3048-201-0x000007FEF1280000-0x000007FEF12A2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/3064-315-0x000007FEF12B0000-0x000007FEF12D2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/3068-617-0x000007FEF7140000-0x000007FEF7162000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download

                                                                        • memory/3068-84-0x000007FEF12B0000-0x000007FEF12D2000-memory.dmp

                                                                          Filesize

                                                                          136KB

                                                                          Download