Overview

overview

10

Static

static

10

55b3d90596...38.exe

windows7-x64

10

55b3d90596...38.exe

windows10-2004-x64

10

55bc6e4a24...7e.exe

windows7-x64

8

55bc6e4a24...7e.exe

windows10-2004-x64

8

55be056b62...2f.exe

windows7-x64

10

55be056b62...2f.exe

windows10-2004-x64

10

55c90346c1...7d.exe

windows7-x64

7

55c90346c1...7d.exe

windows10-2004-x64

7

55e68f668a...36.exe

windows7-x64

10

55e68f668a...36.exe

windows10-2004-x64

10

5600890872...c9.exe

windows7-x64

1

5600890872...c9.exe

windows10-2004-x64

1

563d48f590...69.exe

windows7-x64

7

563d48f590...69.exe

windows10-2004-x64

7

56583e9f6e...61.exe

windows7-x64

10

56583e9f6e...61.exe

windows10-2004-x64

10

569bb28f26...62.exe

windows7-x64

7

569bb28f26...62.exe

windows10-2004-x64

7

56a0fe7669...54.exe

windows7-x64

10

56a0fe7669...54.exe

windows10-2004-x64

10

56bf03053c...ec.exe

windows7-x64

10

56bf03053c...ec.exe

windows10-2004-x64

10

56f180528b...73.exe

windows7-x64

10

56f180528b...73.exe

windows10-2004-x64

10

5737ca76a6...88.exe

windows7-x64

10

5737ca76a6...88.exe

windows10-2004-x64

10

575bc86968...a1.exe

windows7-x64

7

575bc86968...a1.exe

windows10-2004-x64

7

57d8199712...1f.exe

windows7-x64

10

57d8199712...1f.exe

windows10-2004-x64

57f8be0d4c...5a.exe

windows7-x64

10

57f8be0d4c...5a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe

  • Size

    305KB

  • MD5

    62909f84c54ea6c3dd35c67b0c7e1a41

  • SHA1

    1e1a8aaaca779d7e6261c0c81dece9b89a7b3759

  • SHA256

    56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61

  • SHA512

    48782a36763f3db573c80bd086e6e4f5c8e8aaf61c32b530953ee0ad6f70c00cff04d8c070a3371f9e3f3dd9755d3289c632e52ab999f2be802fc1df45583aa0

  • SSDEEP

    6144:YQPKPOeAta8PAe6VlWT8b9hHhr3fbSXoXfE:zSPOhYPVle8/hq

Score
10/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe
    "C:\Users\Admin\AppData\Local\Temp\56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\system32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2768
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2356
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "audio" /tr "C:\Users\Public\Pictures\xdwdRainmeter.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo 5 /tn "audio" /tr "C:\Users\Public\Pictures\xdwdRainmeter.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2668
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:296
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:320
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2960
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:408
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1348
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:3036
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:288
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2584
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2856
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2832
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2944
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3056
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2200
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2380
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2604
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2700
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1308
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1620
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:752
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2588
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2332
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:376
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1768
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:768
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2168
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3040
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1600
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2152
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2508
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2628
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2624
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:284
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2896
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2144
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:444
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2912
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2316
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1576
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2460
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1548
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2988
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2404
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:3012
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2892
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:1588
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2360
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2280
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2848
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:928
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2780
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2676
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2712
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:3056
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:444
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2036
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2316
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2068
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
      2⤵
        PID:292
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1036
      • C:\Windows\system32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
        2⤵
          PID:2268
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1504
        • C:\Windows\system32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
          2⤵
            PID:756
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2264
          • C:\Windows\system32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
            2⤵
              PID:1040
              • C:\Windows\system32\schtasks.exe
                SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                3⤵
                • Scheduled Task/Job: Scheduled Task
                PID:2408
            • C:\Windows\system32\CMD.exe
              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
              2⤵
                PID:1608
                • C:\Windows\system32\schtasks.exe
                  SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                  3⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2696
              • C:\Windows\system32\CMD.exe
                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                2⤵
                  PID:2484
                  • C:\Windows\system32\schtasks.exe
                    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                    3⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2152
                • C:\Windows\system32\CMD.exe
                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                  2⤵
                    PID:2872
                    • C:\Windows\system32\schtasks.exe
                      SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                      3⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:1844
                  • C:\Windows\system32\CMD.exe
                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                    2⤵
                      PID:2136
                      • C:\Windows\system32\schtasks.exe
                        SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                        3⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:1080
                    • C:\Windows\system32\CMD.exe
                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                      2⤵
                        PID:2888
                        • C:\Windows\system32\schtasks.exe
                          SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                          3⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:1052
                      • C:\Windows\system32\CMD.exe
                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
                        2⤵
                          PID:2952
                          • C:\Windows\system32\schtasks.exe
                            SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
                            3⤵
                            • Scheduled Task/Job: Scheduled Task
                            PID:2144

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\xdwd.dll
                        Filesize

                        136KB

                        MD5

                        16e5a492c9c6ae34c59683be9c51fa31

                        SHA1

                        97031b41f5c56f371c28ae0d62a2df7d585adaba

                        SHA256

                        35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

                        SHA512

                        20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

                        Download Submit

                      • memory/284-597-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/288-227-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/296-55-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/320-84-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/376-456-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/408-142-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/444-899-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/444-618-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/752-394-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/768-484-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/820-143-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/928-814-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1276-54-0x0000000077651000-0x0000000077652000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1276-56-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1276-123-0x0000000077600000-0x00000000777A9000-memory.dmp

                        Filesize

                        1.7MB

                        Download

                      • memory/1276-62-0x0000000077600000-0x00000000777A9000-memory.dmp

                        Filesize

                        1.7MB

                        Download

                      • memory/1308-371-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1348-170-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1504-171-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1548-703-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1576-675-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1588-758-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1600-511-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1620-395-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1672-199-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/1768-455-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2036-898-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2068-931-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2096-2-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2096-94-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/2096-1-0x0000000000B50000-0x0000000000BA2000-memory.dmp

                        Filesize

                        328KB

                        Download

                      • memory/2096-34-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/2096-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2108-114-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2116-255-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2144-619-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2152-540-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2168-483-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2200-315-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2280-786-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2316-646-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2316-932-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2332-427-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2360-787-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2380-339-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2404-731-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2460-674-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2508-535-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2584-226-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2588-428-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2604-338-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2624-567-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2628-568-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2676-842-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2700-372-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2712-876-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2780-843-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2832-283-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2848-815-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2856-254-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2892-759-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2896-595-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2912-647-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2912-85-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2944-282-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2960-113-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2988-702-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/3012-730-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/3036-198-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/3040-512-0x000007FEF7A20000-0x000007FEF7A42000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/3056-316-0x000007FEF6D00000-0x000007FEF6D22000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/3056-871-0x000007FEF6D30000-0x000007FEF6D52000-memory.dmp

                        Filesize

                        136KB

                        Download