8d4b33f016a0358ab33a61a53be27b775979a15719e2168d66bae6a7a598d2e1

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe
Size

18.0MB
MD5

b87558f9dafbbb8ec1101ea9cdfcd5bd
SHA1

78fdb6b2808a8797f00f5bf41f619f2620cc7600
SHA256

cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1
SHA512

c357bcc8f29869ab00abc7ebfde5325dc1df50a7c29381b73b1009eeb7ef7decd37b16b0c65dd33c92a2d919014bbd93f9e135dabf78080e9c584d662921f00c
SSDEEP

6144:tvcXK+rhXT2Ef5YTe6VlWT8b9qHVKIGJG3qVbgVSLh:VsFyEf5KPVle8oY1GT

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Public\\Documents\\xdwdMicrosoft Security Essentials.exe"	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Loads dropped DLL 39 IoCs

pid	Process
4352	Process not Found
1952	Process not Found
2316	Process not Found
4048	Process not Found
6024	Process not Found
5148	Process not Found
3860	Process not Found
5068	Process not Found
4888	Process not Found
2132	Process not Found
1072	Process not Found
5152	Process not Found
4544	Process not Found
696	Process not Found
4880	Process not Found
2688	Process not Found
4200	Process not Found
5520	Process not Found
1052	Process not Found
2100	Process not Found
2172	Process not Found
3956	Process not Found
2044	Process not Found
2208	Process not Found
3948	Process not Found
3788	Process not Found
3060	Process not Found
1888	Process not Found
1432	Process not Found
4516	Process not Found
3208	Process not Found
3712	Process not Found
5612	Process not Found
5536	Process not Found
4616	Process not Found
5600	Process not Found
1880	Process not Found
2256	Process not Found
5388	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Users\\Public\\Pictures\\xdwdRainmeter.exe"	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
226	pastebin.com
99	pastebin.com
85	pastebin.com
115	pastebin.com
178	pastebin.com
186	pastebin.com
230	pastebin.com
51	pastebin.com
73	pastebin.com
142	pastebin.com
209	pastebin.com
212	pastebin.com
107	pastebin.com
98	pastebin.com
220	pastebin.com
228	pastebin.com
235	pastebin.com
239	pastebin.com
42	pastebin.com
46	pastebin.com
126	pastebin.com
139	pastebin.com
157	pastebin.com
181	pastebin.com
200	pastebin.com
243	pastebin.com
237	pastebin.com
35	pastebin.com
43	pastebin.com
161	pastebin.com
75	pastebin.com
45	pastebin.com
52	pastebin.com
215	pastebin.com
71	pastebin.com
40	pastebin.com
49	pastebin.com
89	pastebin.com
131	pastebin.com
153	pastebin.com
176	pastebin.com
222	pastebin.com
96	pastebin.com
101	pastebin.com
128	pastebin.com
145	pastebin.com
191	pastebin.com
221	pastebin.com
241	pastebin.com
54	pastebin.com
81	pastebin.com
109	pastebin.com
140	pastebin.com
144	pastebin.com
154	pastebin.com
194	pastebin.com
240	pastebin.com
47	pastebin.com
114	pastebin.com
127	pastebin.com
151	pastebin.com
165	pastebin.com
167	pastebin.com
179	pastebin.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5532	schtasks.exe
3896	schtasks.exe
4268	schtasks.exe
5776	schtasks.exe
5820	schtasks.exe
5416	schtasks.exe
2540	schtasks.exe
4548	schtasks.exe
4016	schtasks.exe
1540	schtasks.exe
5668	schtasks.exe
5820	schtasks.exe
5124	schtasks.exe
5208	schtasks.exe
4900	schtasks.exe
5276	schtasks.exe
4688	schtasks.exe
6120	schtasks.exe
5960	schtasks.exe
5960	schtasks.exe
5880	schtasks.exe
2132	schtasks.exe
5448	schtasks.exe
6012	schtasks.exe
5740	schtasks.exe
112	schtasks.exe
3068	schtasks.exe
6088	schtasks.exe
796	schtasks.exe
4736	schtasks.exe
5884	schtasks.exe
1880	schtasks.exe
2256	schtasks.exe
3656	schtasks.exe
1540	schtasks.exe
1996	schtasks.exe
3972	schtasks.exe
5752	schtasks.exe
5744	schtasks.exe
3564	schtasks.exe
1284	schtasks.exe
4896	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 1396	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	102
PID 324 wrote to memory of 1396	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	102
PID 1396 wrote to memory of 5960	1396	CMD.exe	104
PID 1396 wrote to memory of 5960	1396	CMD.exe	104
PID 324 wrote to memory of 2656	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	106
PID 324 wrote to memory of 2656	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	106
PID 2656 wrote to memory of 5740	2656	CMD.exe	108
PID 2656 wrote to memory of 5740	2656	CMD.exe	108
PID 324 wrote to memory of 4080	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	109
PID 324 wrote to memory of 4080	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	109
PID 4080 wrote to memory of 3972	4080	CMD.exe	111
PID 4080 wrote to memory of 3972	4080	CMD.exe	111
PID 324 wrote to memory of 2932	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	112
PID 324 wrote to memory of 2932	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	112
PID 2932 wrote to memory of 5820	2932	CMD.exe	114
PID 2932 wrote to memory of 5820	2932	CMD.exe	114
PID 324 wrote to memory of 2916	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	115
PID 324 wrote to memory of 2916	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	115
PID 2916 wrote to memory of 5416	2916	CMD.exe	117
PID 2916 wrote to memory of 5416	2916	CMD.exe	117
PID 324 wrote to memory of 3392	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	118
PID 324 wrote to memory of 3392	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	118
PID 3392 wrote to memory of 5752	3392	CMD.exe	120
PID 3392 wrote to memory of 5752	3392	CMD.exe	120
PID 324 wrote to memory of 5620	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	121
PID 324 wrote to memory of 5620	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	121
PID 5620 wrote to memory of 5532	5620	CMD.exe	123
PID 5620 wrote to memory of 5532	5620	CMD.exe	123
PID 324 wrote to memory of 1544	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	126
PID 324 wrote to memory of 1544	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	126
PID 1544 wrote to memory of 6088	1544	CMD.exe	128
PID 1544 wrote to memory of 6088	1544	CMD.exe	128
PID 324 wrote to memory of 2692	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	130
PID 324 wrote to memory of 2692	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	130
PID 2692 wrote to memory of 1880	2692	CMD.exe	132
PID 2692 wrote to memory of 1880	2692	CMD.exe	132
PID 324 wrote to memory of 4892	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	134
PID 324 wrote to memory of 4892	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	134
PID 4892 wrote to memory of 2256	4892	CMD.exe	136
PID 4892 wrote to memory of 2256	4892	CMD.exe	136
PID 324 wrote to memory of 5948	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	137
PID 324 wrote to memory of 5948	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	137
PID 5948 wrote to memory of 3656	5948	CMD.exe	139
PID 5948 wrote to memory of 3656	5948	CMD.exe	139
PID 324 wrote to memory of 2476	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	140
PID 324 wrote to memory of 2476	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	140
PID 2476 wrote to memory of 5744	2476	CMD.exe	142
PID 2476 wrote to memory of 5744	2476	CMD.exe	142
PID 324 wrote to memory of 4640	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	143
PID 324 wrote to memory of 4640	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	143
PID 4640 wrote to memory of 1540	4640	CMD.exe	145
PID 4640 wrote to memory of 1540	4640	CMD.exe	145
PID 324 wrote to memory of 116	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	146
PID 324 wrote to memory of 116	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	146
PID 116 wrote to memory of 2540	116	CMD.exe	148
PID 116 wrote to memory of 2540	116	CMD.exe	148
PID 324 wrote to memory of 1520	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	149
PID 324 wrote to memory of 1520	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	149
PID 1520 wrote to memory of 3564	1520	CMD.exe	151
PID 1520 wrote to memory of 3564	1520	CMD.exe	151
PID 324 wrote to memory of 2988	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	152
PID 324 wrote to memory of 2988	324	cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe	152
PID 2988 wrote to memory of 4548	2988	CMD.exe	154
PID 2988 wrote to memory of 4548	2988	CMD.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe
"C:\Users\Admin\AppData\Local\Temp\cbf8cf5e7e45dde393990bd7b673b0fa1dbc973e6b252c16b0a07cb2e89ce6d1.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5960
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5740
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Evernote" /tr "C:\Users\Public\Pictures\xdwdRainmeter.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Evernote" /tr "C:\Users\Public\Pictures\xdwdRainmeter.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3972
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5820
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5416
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5752
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5620
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5532
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6088
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1880
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2256
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5948
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3656
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5744
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1540
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2540
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3564
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4548
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2512
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5880
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4076
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5124
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:6024
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:112
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5692
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1284
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5140
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5208
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4104
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3896
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:6004
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4016
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:3080
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2132
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4228
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5448
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4816
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1540
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:432
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4268
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4828
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5668
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:3304
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5820
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4252
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4900
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:3708
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:796
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:1536
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5776
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:6016
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6012
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5092
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5276
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5556
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1996
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4684
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4688
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4624
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6120
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2968
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4736
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:1960
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4896
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:392
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5884
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5760
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3068
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:3672
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/324-0-0x00007FFC17993000-0x00007FFC17995000-memory.dmp

Filesize
8KB

Download
memory/324-1-0x0000000000A70000-0x0000000000ACA000-memory.dmp

Filesize
360KB

Download
memory/324-2-0x00007FFC17993000-0x00007FFC17995000-memory.dmp

Filesize
8KB

Download
memory/324-20-0x00007FFC17990000-0x00007FFC18451000-memory.dmp

Filesize
10.8MB

Download
memory/324-91-0x00007FFC17990000-0x00007FFC18451000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads