7e71c79883eb025596762b4e0bf86b447039079dfe510ccf13a383b612575fa6

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe
Size

218.5MB
MD5

d86b4e05d449d68ae457d3bf780eb2ab
SHA1

eb7e026cb99fa53ed05e7814497910b67140cda0
SHA256

3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4
SHA512

b3d9f94429cfeabd616a4624589a1da05d5e3b33244b92d49bdc0345a50cbea524b37d2305c93e4c381cf8f03214b3844f4cc2a56d7f7ea68fb3a1f21fcb1318
SSDEEP

6144:tvcXK+rhXT2Ef5YTe6VlWT8b9qHVKIGJG3qVbgVSLh:VsFyEf5KPVle8oY1GT

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Public\\Documents\\xdwdMicrosoft Security Essentials.exe"	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Loads dropped DLL 42 IoCs

pid	Process
4456	Process not Found
412	Process not Found
3984	Process not Found
2484	Process not Found
4420	Process not Found
3416	Process not Found
2432	Process not Found
3764	Process not Found
3696	Process not Found
2084	Process not Found
564	Process not Found
1512	Process not Found
5660	Process not Found
5376	Process not Found
2820	Process not Found
2088	Process not Found
1124	Process not Found
1904	Process not Found
5216	Process not Found
464	Process not Found
3724	Process not Found
1480	Process not Found
3480	Process not Found
4888	Process not Found
5416	Process not Found
3128	Process not Found
4344	Process not Found
4648	Process not Found
2220	Process not Found
3656	Process not Found
748	Process not Found
5572	Process not Found
4540	Process not Found
5976	Process not Found
3108	Process not Found
1228	Process not Found
5904	Process not Found
5740	Process not Found
1072	Process not Found
3748	Process not Found
3220	Process not Found
3504	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Users\\Public\\Pictures\\xdwdRainmeter.exe"	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
115	pastebin.com
150	pastebin.com
152	pastebin.com
166	pastebin.com
203	pastebin.com
59	pastebin.com
142	pastebin.com
147	pastebin.com
202	pastebin.com
91	pastebin.com
122	pastebin.com
177	pastebin.com
207	pastebin.com
36	pastebin.com
92	pastebin.com
116	pastebin.com
133	pastebin.com
155	pastebin.com
27	pastebin.com
34	pastebin.com
54	pastebin.com
97	pastebin.com
117	pastebin.com
125	pastebin.com
127	pastebin.com
140	pastebin.com
31	pastebin.com
90	pastebin.com
146	pastebin.com
174	pastebin.com
187	pastebin.com
188	pastebin.com
224	pastebin.com
242	pastebin.com
61	pastebin.com
62	pastebin.com
113	pastebin.com
108	pastebin.com
139	pastebin.com
169	pastebin.com
181	pastebin.com
209	pastebin.com
236	pastebin.com
238	pastebin.com
94	pastebin.com
111	pastebin.com
123	pastebin.com
148	pastebin.com
184	pastebin.com
26	pastebin.com
151	pastebin.com
208	pastebin.com
211	pastebin.com
213	pastebin.com
237	pastebin.com
132	pastebin.com
170	pastebin.com
232	pastebin.com
214	pastebin.com
222	pastebin.com
234	pastebin.com
52	pastebin.com
164	pastebin.com
192	pastebin.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 41 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4124	schtasks.exe
4660	schtasks.exe
3884	schtasks.exe
1332	schtasks.exe
5488	schtasks.exe
5928	schtasks.exe
5444	schtasks.exe
1244	schtasks.exe
5732	schtasks.exe
2872	schtasks.exe
5004	schtasks.exe
1300	schtasks.exe
3692	schtasks.exe
5856	schtasks.exe
3644	schtasks.exe
1672	schtasks.exe
6084	schtasks.exe
3296	schtasks.exe
5968	schtasks.exe
2492	schtasks.exe
2964	schtasks.exe
5020	schtasks.exe
4080	schtasks.exe
5100	schtasks.exe
2708	schtasks.exe
5728	schtasks.exe
620	schtasks.exe
5996	schtasks.exe
3648	schtasks.exe
960	schtasks.exe
5144	schtasks.exe
3324	schtasks.exe
5800	schtasks.exe
4436	schtasks.exe
5112	schtasks.exe
4524	schtasks.exe
1932	schtasks.exe
3656	schtasks.exe
2168	schtasks.exe
4932	schtasks.exe
6060	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 4688	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	93
PID 3500 wrote to memory of 4688	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	93
PID 4688 wrote to memory of 620	4688	CMD.exe	95
PID 4688 wrote to memory of 620	4688	CMD.exe	95
PID 3500 wrote to memory of 1032	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	96
PID 3500 wrote to memory of 1032	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	96
PID 1032 wrote to memory of 5856	1032	CMD.exe	98
PID 1032 wrote to memory of 5856	1032	CMD.exe	98
PID 3500 wrote to memory of 5776	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	100
PID 3500 wrote to memory of 5776	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	100
PID 5776 wrote to memory of 5968	5776	CMD.exe	102
PID 5776 wrote to memory of 5968	5776	CMD.exe	102
PID 3500 wrote to memory of 1912	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	104
PID 3500 wrote to memory of 1912	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	104
PID 1912 wrote to memory of 3324	1912	CMD.exe	106
PID 1912 wrote to memory of 3324	1912	CMD.exe	106
PID 3500 wrote to memory of 1928	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	107
PID 3500 wrote to memory of 1928	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	107
PID 1928 wrote to memory of 2492	1928	CMD.exe	109
PID 1928 wrote to memory of 2492	1928	CMD.exe	109
PID 3500 wrote to memory of 5924	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	111
PID 3500 wrote to memory of 5924	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	111
PID 5924 wrote to memory of 2964	5924	CMD.exe	113
PID 5924 wrote to memory of 2964	5924	CMD.exe	113
PID 3500 wrote to memory of 2820	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	114
PID 3500 wrote to memory of 2820	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	114
PID 2820 wrote to memory of 1932	2820	CMD.exe	116
PID 2820 wrote to memory of 1932	2820	CMD.exe	116
PID 3500 wrote to memory of 536	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	118
PID 3500 wrote to memory of 536	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	118
PID 536 wrote to memory of 3656	536	CMD.exe	120
PID 536 wrote to memory of 3656	536	CMD.exe	120
PID 3500 wrote to memory of 5000	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	121
PID 3500 wrote to memory of 5000	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	121
PID 5000 wrote to memory of 5444	5000	CMD.exe	123
PID 5000 wrote to memory of 5444	5000	CMD.exe	123
PID 3500 wrote to memory of 3564	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	124
PID 3500 wrote to memory of 3564	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	124
PID 3564 wrote to memory of 5020	3564	CMD.exe	126
PID 3564 wrote to memory of 5020	3564	CMD.exe	126
PID 3500 wrote to memory of 5824	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	127
PID 3500 wrote to memory of 5824	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	127
PID 5824 wrote to memory of 4080	5824	CMD.exe	129
PID 5824 wrote to memory of 4080	5824	CMD.exe	129
PID 3500 wrote to memory of 5372	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	135
PID 3500 wrote to memory of 5372	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	135
PID 5372 wrote to memory of 3644	5372	CMD.exe	137
PID 5372 wrote to memory of 3644	5372	CMD.exe	137
PID 3500 wrote to memory of 368	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	141
PID 3500 wrote to memory of 368	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	141
PID 368 wrote to memory of 1244	368	CMD.exe	143
PID 368 wrote to memory of 1244	368	CMD.exe	143
PID 3500 wrote to memory of 1932	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	144
PID 3500 wrote to memory of 1932	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	144
PID 1932 wrote to memory of 2168	1932	CMD.exe	146
PID 1932 wrote to memory of 2168	1932	CMD.exe	146
PID 3500 wrote to memory of 400	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	147
PID 3500 wrote to memory of 400	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	147
PID 400 wrote to memory of 5732	400	CMD.exe	149
PID 400 wrote to memory of 5732	400	CMD.exe	149
PID 3500 wrote to memory of 5012	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	150
PID 3500 wrote to memory of 5012	3500	3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe	150
PID 5012 wrote to memory of 1332	5012	CMD.exe	152
PID 5012 wrote to memory of 1332	5012	CMD.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe
"C:\Users\Admin\AppData\Local\Temp\3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:620
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5856
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Evernote" /tr "C:\Users\Public\Pictures\xdwdRainmeter.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5776
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Evernote" /tr "C:\Users\Public\Pictures\xdwdRainmeter.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5968
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3324
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2492
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5924
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2964
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1932
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3656
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5444
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5020
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5824
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4080
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5372
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3644
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1244
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2168
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5732
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1332
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4952
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5100
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:1648
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2872
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5408
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2708
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5280
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3884
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:1448
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1672
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4772
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6084
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4372
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4932
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2248
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5800
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5984
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4436
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:1620
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3692
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:3204
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5488
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4936
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5728
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5688
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5112
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5832
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5004
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2232
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5996
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:3016
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5928
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5632
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6060
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:3596
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3648
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4588
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3296
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:3244
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4124
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4320
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4524
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:1088
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:960
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5268
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1300
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4556
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4660
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2268
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "MATLAB" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/3500-0-0x00007FFB7AAE3000-0x00007FFB7AAE5000-memory.dmp

Filesize
8KB

Download
memory/3500-1-0x0000000000820000-0x000000000087A000-memory.dmp

Filesize
360KB

Download
memory/3500-2-0x00007FFB7AAE3000-0x00007FFB7AAE5000-memory.dmp

Filesize
8KB

Download
memory/3500-3-0x00007FFB7AAE0000-0x00007FFB7B5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-92-0x00007FFB7AAE0000-0x00007FFB7B5A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads