f0327eb525c670040177a66a4f948b153b0eeaa6b762ea6aa85b9e922630ed95

Analysis

max time kernel
121s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm cfg.exe
Size

240KB
MD5

a815c5b47b23939ca295e469c0dd8ed8
SHA1

4c8eb5a35c099127433cc1d0000fb1749e61367b
SHA256

f0327eb525c670040177a66a4f948b153b0eeaa6b762ea6aa85b9e922630ed95
SHA512

35797edec08d9543f9a6d00d775f68798dbc6dc3f1e7b53c8b7fd5d31af8db200323d7784d852fb8b2883c210a340ef30c7c401dc9ada14dfdfe53092449ec09
SSDEEP

3072:uANarzCs2/hLPJxyXc+6EDbUh/Y+nCzu6wlMB3H6G6Ii6sgXbvxf+KcF4j8:uANardX7x0F6eMB3J6IiqbZf9lj8

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\Media\\xdwdCli3nt.exe"	Xworm cfg.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Nvidia\xdwdWichD0g.exe	Xworm cfg.exe
File opened for modification	C:\Program Files\Nvidia	Xworm cfg.exe
File created	C:\Program Files\Nvidia\xdwdWichD0g.exe	Xworm cfg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Media\xdwdCli3nt.exe	Xworm cfg.exe
File opened for modification	C:\Windows\Media\xdwdCli3nt.exe	Xworm cfg.exe
File opened for modification	C:\Windows\Media	Xworm cfg.exe

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2988	schtasks.exe
976	schtasks.exe
908	schtasks.exe
2120	schtasks.exe
308	schtasks.exe
2428	schtasks.exe
2324	schtasks.exe
1800	schtasks.exe
2928	schtasks.exe
2612	schtasks.exe
1300	schtasks.exe
2448	schtasks.exe
2424	schtasks.exe
2348	schtasks.exe
2920	schtasks.exe
1860	schtasks.exe
2556	schtasks.exe
1804	schtasks.exe
2332	schtasks.exe
932	schtasks.exe
2968	schtasks.exe
1756	schtasks.exe
1792	schtasks.exe
2744	schtasks.exe
2416	schtasks.exe
376	schtasks.exe
1636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2240	Xworm cfg.exe
2240	Xworm cfg.exe
2240	Xworm cfg.exe
2240	Xworm cfg.exe
2240	Xworm cfg.exe
2240	Xworm cfg.exe
2240	Xworm cfg.exe
2240	Xworm cfg.exe
2240	Xworm cfg.exe
2240	Xworm cfg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	Xworm cfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2732	2240	Xworm cfg.exe	29
PID 2240 wrote to memory of 2732	2240	Xworm cfg.exe	29
PID 2240 wrote to memory of 2732	2240	Xworm cfg.exe	29
PID 2732 wrote to memory of 2556	2732	CMD.exe	31
PID 2732 wrote to memory of 2556	2732	CMD.exe	31
PID 2732 wrote to memory of 2556	2732	CMD.exe	31
PID 2240 wrote to memory of 2844	2240	Xworm cfg.exe	32
PID 2240 wrote to memory of 2844	2240	Xworm cfg.exe	32
PID 2240 wrote to memory of 2844	2240	Xworm cfg.exe	32
PID 2844 wrote to memory of 2424	2844	CMD.exe	34
PID 2844 wrote to memory of 2424	2844	CMD.exe	34
PID 2844 wrote to memory of 2424	2844	CMD.exe	34
PID 2240 wrote to memory of 2804	2240	Xworm cfg.exe	35
PID 2240 wrote to memory of 2804	2240	Xworm cfg.exe	35
PID 2240 wrote to memory of 2804	2240	Xworm cfg.exe	35
PID 2804 wrote to memory of 2988	2804	CMD.exe	37
PID 2804 wrote to memory of 2988	2804	CMD.exe	37
PID 2804 wrote to memory of 2988	2804	CMD.exe	37
PID 2240 wrote to memory of 2640	2240	Xworm cfg.exe	41
PID 2240 wrote to memory of 2640	2240	Xworm cfg.exe	41
PID 2240 wrote to memory of 2640	2240	Xworm cfg.exe	41
PID 2640 wrote to memory of 2348	2640	CMD.exe	43
PID 2640 wrote to memory of 2348	2640	CMD.exe	43
PID 2640 wrote to memory of 2348	2640	CMD.exe	43
PID 2240 wrote to memory of 2576	2240	Xworm cfg.exe	44
PID 2240 wrote to memory of 2576	2240	Xworm cfg.exe	44
PID 2240 wrote to memory of 2576	2240	Xworm cfg.exe	44
PID 2576 wrote to memory of 1792	2576	CMD.exe	46
PID 2576 wrote to memory of 1792	2576	CMD.exe	46
PID 2576 wrote to memory of 1792	2576	CMD.exe	46
PID 2240 wrote to memory of 2120	2240	Xworm cfg.exe	47
PID 2240 wrote to memory of 2120	2240	Xworm cfg.exe	47
PID 2240 wrote to memory of 2120	2240	Xworm cfg.exe	47
PID 2120 wrote to memory of 2920	2120	CMD.exe	49
PID 2120 wrote to memory of 2920	2120	CMD.exe	49
PID 2120 wrote to memory of 2920	2120	CMD.exe	49
PID 2240 wrote to memory of 1424	2240	Xworm cfg.exe	50
PID 2240 wrote to memory of 1424	2240	Xworm cfg.exe	50
PID 2240 wrote to memory of 1424	2240	Xworm cfg.exe	50
PID 1424 wrote to memory of 1804	1424	CMD.exe	52
PID 1424 wrote to memory of 1804	1424	CMD.exe	52
PID 1424 wrote to memory of 1804	1424	CMD.exe	52
PID 2240 wrote to memory of 2972	2240	Xworm cfg.exe	53
PID 2240 wrote to memory of 2972	2240	Xworm cfg.exe	53
PID 2240 wrote to memory of 2972	2240	Xworm cfg.exe	53
PID 2972 wrote to memory of 1300	2972	CMD.exe	55
PID 2972 wrote to memory of 1300	2972	CMD.exe	55
PID 2972 wrote to memory of 1300	2972	CMD.exe	55
PID 2240 wrote to memory of 2260	2240	Xworm cfg.exe	56
PID 2240 wrote to memory of 2260	2240	Xworm cfg.exe	56
PID 2240 wrote to memory of 2260	2240	Xworm cfg.exe	56
PID 2260 wrote to memory of 376	2260	CMD.exe	58
PID 2260 wrote to memory of 376	2260	CMD.exe	58
PID 2260 wrote to memory of 376	2260	CMD.exe	58
PID 2240 wrote to memory of 2736	2240	Xworm cfg.exe	59
PID 2240 wrote to memory of 2736	2240	Xworm cfg.exe	59
PID 2240 wrote to memory of 2736	2240	Xworm cfg.exe	59
PID 2736 wrote to memory of 2744	2736	CMD.exe	61
PID 2736 wrote to memory of 2744	2736	CMD.exe	61
PID 2736 wrote to memory of 2744	2736	CMD.exe	61
PID 2240 wrote to memory of 1580	2240	Xworm cfg.exe	62
PID 2240 wrote to memory of 1580	2240	Xworm cfg.exe	62
PID 2240 wrote to memory of 1580	2240	Xworm cfg.exe	62
PID 1580 wrote to memory of 2416	1580	CMD.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Xworm cfg.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm cfg.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\system32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Windows Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Windows Update" /tr "C:\Windows\Media\xdwdCli3nt.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2556
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2424
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "RunTimeBroker" /tr "C:\Program Files\Nvidia\xdwdWichD0g.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "RunTimeBroker" /tr "C:\Program Files\Nvidia\xdwdWichD0g.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2988
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2348
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1792
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2920
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1804
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1300
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:376
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2744
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2416
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:2456
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1800
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:2668
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2332
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:1476
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1636
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:768
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2928
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:3044
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:976
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:792
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2120
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:948
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:932
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:1912
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2612
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:2272
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2428
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:2412
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2448
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:2660
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2324
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:2304
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:308
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:512
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2968
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:424
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1860
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:1252
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:908
- C:\Windows\system32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit
  2⤵
  PID:2908
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1756
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2240 -s 1972
  2⤵
  PID:752

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Media\xdwdCli3nt.exe

Filesize
733.2MB

MD5
0863399b4d7e1ae7d3339cd958f30028

SHA1
e5c51d53cb28b1692ae7e4cfeaee8f9af98b9891

SHA256
ebcfbef73621ab3a2fce239b434d79821cfcd25d3821c04bc39fc5f8db7d2445

SHA512
57a4605810cb321e218acec020fe5ce79b1df19f0404420f9d4f914646cd11dcec37bcf93e64ddf19c197482706e52cacaeb2ad9e8abef2a4b840790bc898fb5

Download Submit
memory/2240-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-0-0x0000000000E00000-0x0000000000E40000-memory.dmp

Filesize
256KB

Download
memory/2240-36-0x000000001B6E0000-0x000000001B760000-memory.dmp

Filesize
512KB

Download
memory/2240-67-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-68-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2240-760-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download