ffaa5eea301ca6578ee0b3403513d77264246a77c18c8d529021045c15452940

Analysis

max time kernel
149s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe
Size

305KB
MD5

62909f84c54ea6c3dd35c67b0c7e1a41
SHA1

1e1a8aaaca779d7e6261c0c81dece9b89a7b3759
SHA256

56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61
SHA512

48782a36763f3db573c80bd086e6e4f5c8e8aaf61c32b530953ee0ad6f70c00cff04d8c070a3371f9e3f3dd9755d3289c632e52ab999f2be802fc1df45583aa0
SSDEEP

6144:YQPKPOeAta8PAe6VlWT8b9hHhr3fbSXoXfE:zSPOhYPVle8/hq

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Public\\Documents\\xdwdMicrosoft Security Essentials.exe"	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Loads dropped DLL 47 IoCs

pid	Process
4836	Process not Found
5496	Process not Found
4240	Process not Found
2904	Process not Found
2648	Process not Found
920	Process not Found
3240	Process not Found
3640	Process not Found
5648	Process not Found
1536	Process not Found
3288	Process not Found
3028	Process not Found
4008	Process not Found
3988	Process not Found
1144	Process not Found
3300	Process not Found
1556	Process not Found
3008	Process not Found
2096	Process not Found
5752	Process not Found
1948	Process not Found
4480	Process not Found
2752	Process not Found
1188	Process not Found
4124	Process not Found
3044	Process not Found
1216	Process not Found
6112	Process not Found
1724	Process not Found
3696	Process not Found
4044	Process not Found
1660	Process not Found
2748	Process not Found
3248	Process not Found
744	Process not Found
5264	Process not Found
1480	Process not Found
3724	Process not Found
3536	Process not Found
3660	Process not Found
324	Process not Found
4036	Process not Found
5644	Process not Found
2712	Process not Found
5068	Process not Found
2184	Process not Found
5232	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google = "C:\\Users\\Public\\Pictures\\xdwdRainmeter.exe"	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 46 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5528	schtasks.exe
3872	schtasks.exe
5844	schtasks.exe
1128	schtasks.exe
932	schtasks.exe
5804	schtasks.exe
1416	schtasks.exe
5752	schtasks.exe
4284	schtasks.exe
5644	schtasks.exe
3504	schtasks.exe
3296	schtasks.exe
5764	schtasks.exe
4628	schtasks.exe
4552	schtasks.exe
5180	schtasks.exe
4960	schtasks.exe
1240	schtasks.exe
3284	schtasks.exe
5644	schtasks.exe
1660	schtasks.exe
1736	schtasks.exe
3488	schtasks.exe
1148	schtasks.exe
1028	schtasks.exe
3520	schtasks.exe
448	schtasks.exe
2776	schtasks.exe
4860	schtasks.exe
3632	schtasks.exe
2748	schtasks.exe
364	schtasks.exe
5652	schtasks.exe
3556	schtasks.exe
2236	schtasks.exe
4948	schtasks.exe
5584	schtasks.exe
5420	schtasks.exe
4968	schtasks.exe
4708	schtasks.exe
5192	schtasks.exe
884	schtasks.exe
2888	schtasks.exe
5392	schtasks.exe
3528	schtasks.exe
3176	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 4632	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	91
PID 2344 wrote to memory of 4632	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	91
PID 4632 wrote to memory of 5652	4632	CMD.exe	93
PID 4632 wrote to memory of 5652	4632	CMD.exe	93
PID 2344 wrote to memory of 2024	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	94
PID 2344 wrote to memory of 2024	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	94
PID 2024 wrote to memory of 5192	2024	CMD.exe	96
PID 2024 wrote to memory of 5192	2024	CMD.exe	96
PID 2344 wrote to memory of 5880	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	97
PID 2344 wrote to memory of 5880	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	97
PID 5880 wrote to memory of 4960	5880	CMD.exe	99
PID 5880 wrote to memory of 4960	5880	CMD.exe	99
PID 2344 wrote to memory of 3424	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	101
PID 2344 wrote to memory of 3424	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	101
PID 3424 wrote to memory of 3556	3424	CMD.exe	103
PID 3424 wrote to memory of 3556	3424	CMD.exe	103
PID 2344 wrote to memory of 2100	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	105
PID 2344 wrote to memory of 2100	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	105
PID 2100 wrote to memory of 884	2100	CMD.exe	107
PID 2100 wrote to memory of 884	2100	CMD.exe	107
PID 2344 wrote to memory of 1328	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	108
PID 2344 wrote to memory of 1328	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	108
PID 1328 wrote to memory of 1240	1328	CMD.exe	110
PID 1328 wrote to memory of 1240	1328	CMD.exe	110
PID 2344 wrote to memory of 1836	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	111
PID 2344 wrote to memory of 1836	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	111
PID 1836 wrote to memory of 2236	1836	CMD.exe	113
PID 1836 wrote to memory of 2236	1836	CMD.exe	113
PID 2344 wrote to memory of 5340	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	115
PID 2344 wrote to memory of 5340	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	115
PID 5340 wrote to memory of 5528	5340	CMD.exe	117
PID 5340 wrote to memory of 5528	5340	CMD.exe	117
PID 2344 wrote to memory of 5996	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	118
PID 2344 wrote to memory of 5996	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	118
PID 5996 wrote to memory of 5644	5996	CMD.exe	120
PID 5996 wrote to memory of 5644	5996	CMD.exe	120
PID 2344 wrote to memory of 1128	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	121
PID 2344 wrote to memory of 1128	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	121
PID 1128 wrote to memory of 3872	1128	CMD.exe	123
PID 1128 wrote to memory of 3872	1128	CMD.exe	123
PID 2344 wrote to memory of 5504	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	125
PID 2344 wrote to memory of 5504	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	125
PID 5504 wrote to memory of 2888	5504	CMD.exe	127
PID 5504 wrote to memory of 2888	5504	CMD.exe	127
PID 2344 wrote to memory of 3244	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	128
PID 2344 wrote to memory of 3244	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	128
PID 3244 wrote to memory of 3284	3244	CMD.exe	130
PID 3244 wrote to memory of 3284	3244	CMD.exe	130
PID 2344 wrote to memory of 2704	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	131
PID 2344 wrote to memory of 2704	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	131
PID 2704 wrote to memory of 4948	2704	CMD.exe	133
PID 2704 wrote to memory of 4948	2704	CMD.exe	133
PID 2344 wrote to memory of 4128	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	135
PID 2344 wrote to memory of 4128	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	135
PID 4128 wrote to memory of 4284	4128	CMD.exe	137
PID 4128 wrote to memory of 4284	4128	CMD.exe	137
PID 2344 wrote to memory of 5680	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	139
PID 2344 wrote to memory of 5680	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	139
PID 5680 wrote to memory of 2776	5680	CMD.exe	141
PID 5680 wrote to memory of 2776	5680	CMD.exe	141
PID 2344 wrote to memory of 3620	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	142
PID 2344 wrote to memory of 3620	2344	56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe	142
PID 3620 wrote to memory of 5844	3620	CMD.exe	144
PID 3620 wrote to memory of 5844	3620	CMD.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe
"C:\Users\Admin\AppData\Local\Temp\56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "HandBrake" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5652
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5192
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "audio" /tr "C:\Users\Public\Pictures\xdwdRainmeter.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5880
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "audio" /tr "C:\Users\Public\Pictures\xdwdRainmeter.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4960
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3556
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:884
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1240
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2236
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5340
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5528
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5996
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5644
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3872
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5504
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2888
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3284
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4948
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4284
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5680
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2776
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5844
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5500
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3504
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5340
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5420
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4108
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5392
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5228
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1128
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:3184
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3296
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:3852
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:364
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2660
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4968
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:3920
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3488
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2280
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1148
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:1952
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3528
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2872
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1028
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5500
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:932
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:6000
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5644
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:952
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5764
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2848
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3176
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2044
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4628
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2332
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3520
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:1936
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4552
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:1716
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4708
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:2220
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4860
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:4612
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:448
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:3588
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5804
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5892
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3632
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:3848
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5180
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:912
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5584
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:1612
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1416
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:6000
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5752
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5416
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1660
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5684
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2748
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST & exit
  2⤵
  PID:5184
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "discorde" /tr "C:\Users\Public\Documents\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/2344-0-0x00007FFA13023000-0x00007FFA13025000-memory.dmp

Filesize
8KB

Download
memory/2344-1-0x0000000000FE0000-0x0000000001032000-memory.dmp

Filesize
328KB

Download
memory/2344-2-0x00007FFA13023000-0x00007FFA13025000-memory.dmp

Filesize
8KB

Download
memory/2344-35-0x00007FFA13020000-0x00007FFA13AE1000-memory.dmp

Filesize
10.8MB

Download
memory/2344-119-0x00007FFA13020000-0x00007FFA13AE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads