9a06693efc8f7f504f754cccc3dd9b293b8ceaff32911334c839faa23adff7d9

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
03/05/2024, 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

409KB
MD5

298e8e437985c2565567af36a8f9cefb
SHA1

ce516e3a49edeacc554fe79291e64aaf44827d83
SHA256

9a06693efc8f7f504f754cccc3dd9b293b8ceaff32911334c839faa23adff7d9
SHA512

5ebe31b8f85b0b2f05bd8804dfd86b099d30d85a0cd426aea0c4f203984008bbe8dc1ae45cbb55b3f96f0411a3167245fcb1d556c3bd6f3f77db0bc811f36e18
SSDEEP

6144:zWSKJ6VQ+1j2i+q37+CgGe6VlWT8b9uMV3EEof2tsHf6VpbB84pi:SHsNzyPGPVle8sF/A

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\xdwdVisual Studio Code Host.exe"	Client.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Loads dropped DLL 44 IoCs

pid	Process
4844	Process not Found
1644	Process not Found
2220	Process not Found
4536	Process not Found
4224	WmiApSrv.exe
3908	Process not Found
2896	Process not Found
3548	Process not Found
4076	Process not Found
3316	Process not Found
2248	Process not Found
2336	Process not Found
4544	Process not Found
3260	Process not Found
4808	Process not Found
952	Process not Found
2632	Process not Found
4868	Process not Found
3784	Process not Found
3736	Process not Found
4968	Process not Found
2464	Process not Found
2160	Process not Found
4608	Process not Found
2900	Process not Found
4904	Process not Found
4940	Process not Found
1244	Process not Found
4732	Process not Found
968	Process not Found
1436	Process not Found
2560	Process not Found
3788	Process not Found
3148	Process not Found
776	Process not Found
3052	Process not Found
4540	Process not Found
704	Process not Found
3484	Process not Found
5088	Process not Found
4524	Process not Found
720	Process not Found
956	Process not Found
904	Process not Found

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\xdwdVisual Studio Code Host.exe	Client.exe
File opened for modification	C:\Windows\xdwdVisual Studio Code Host.exe	Client.exe
File created	C:\Windows\xdwd.dll	Client.exe

Creates scheduled task(s) 1 TTPs 43 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1468	schtasks.exe
2356	schtasks.exe
4548	schtasks.exe
4520	schtasks.exe
3360	schtasks.exe
4980	schtasks.exe
3488	schtasks.exe
4628	schtasks.exe
1732	schtasks.exe
416	schtasks.exe
2640	schtasks.exe
5052	schtasks.exe
3628	schtasks.exe
2444	schtasks.exe
4552	schtasks.exe
2964	schtasks.exe
2844	schtasks.exe
1264	schtasks.exe
4104	schtasks.exe
4640	schtasks.exe
3564	schtasks.exe
5060	schtasks.exe
3876	schtasks.exe
5108	schtasks.exe
1872	schtasks.exe
3944	schtasks.exe
2124	schtasks.exe
2028	schtasks.exe
2268	schtasks.exe
2724	schtasks.exe
4192	schtasks.exe
1044	schtasks.exe
1408	schtasks.exe
1516	schtasks.exe
5052	schtasks.exe
3600	schtasks.exe
1888	schtasks.exe
4652	schtasks.exe
3316	schtasks.exe
680	schtasks.exe
4572	schtasks.exe
236	schtasks.exe
1440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
4224	WmiApSrv.exe
4224	WmiApSrv.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe
1520	Client.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1688	1520	Client.exe	83
PID 1520 wrote to memory of 1688	1520	Client.exe	83
PID 1688 wrote to memory of 3564	1688	CMD.exe	85
PID 1688 wrote to memory of 3564	1688	CMD.exe	85
PID 1520 wrote to memory of 1328	1520	Client.exe	86
PID 1520 wrote to memory of 1328	1520	Client.exe	86
PID 1328 wrote to memory of 3944	1328	CMD.exe	88
PID 1328 wrote to memory of 3944	1328	CMD.exe	88
PID 1520 wrote to memory of 2248	1520	Client.exe	89
PID 1520 wrote to memory of 2248	1520	Client.exe	89
PID 2248 wrote to memory of 1468	2248	CMD.exe	91
PID 2248 wrote to memory of 1468	2248	CMD.exe	91
PID 1520 wrote to memory of 2556	1520	Client.exe	92
PID 1520 wrote to memory of 2556	1520	Client.exe	92
PID 2556 wrote to memory of 1044	2556	CMD.exe	94
PID 2556 wrote to memory of 1044	2556	CMD.exe	94
PID 1520 wrote to memory of 3448	1520	Client.exe	96
PID 1520 wrote to memory of 3448	1520	Client.exe	96
PID 3448 wrote to memory of 2964	3448	CMD.exe	98
PID 3448 wrote to memory of 2964	3448	CMD.exe	98
PID 1520 wrote to memory of 1832	1520	Client.exe	101
PID 1520 wrote to memory of 1832	1520	Client.exe	101
PID 1832 wrote to memory of 1732	1832	CMD.exe	103
PID 1832 wrote to memory of 1732	1832	CMD.exe	103
PID 1520 wrote to memory of 2464	1520	Client.exe	104
PID 1520 wrote to memory of 2464	1520	Client.exe	104
PID 2464 wrote to memory of 5060	2464	CMD.exe	106
PID 2464 wrote to memory of 5060	2464	CMD.exe	106
PID 1520 wrote to memory of 952	1520	Client.exe	107
PID 1520 wrote to memory of 952	1520	Client.exe	107
PID 952 wrote to memory of 1408	952	CMD.exe	109
PID 952 wrote to memory of 1408	952	CMD.exe	109
PID 1520 wrote to memory of 4376	1520	Client.exe	110
PID 1520 wrote to memory of 4376	1520	Client.exe	110
PID 4376 wrote to memory of 2124	4376	CMD.exe	112
PID 4376 wrote to memory of 2124	4376	CMD.exe	112
PID 1520 wrote to memory of 3628	1520	Client.exe	113
PID 1520 wrote to memory of 3628	1520	Client.exe	113
PID 3628 wrote to memory of 2356	3628	CMD.exe	115
PID 3628 wrote to memory of 2356	3628	CMD.exe	115
PID 1520 wrote to memory of 4440	1520	Client.exe	116
PID 1520 wrote to memory of 4440	1520	Client.exe	116
PID 4440 wrote to memory of 416	4440	CMD.exe	118
PID 4440 wrote to memory of 416	4440	CMD.exe	118
PID 1520 wrote to memory of 4720	1520	Client.exe	119
PID 1520 wrote to memory of 4720	1520	Client.exe	119
PID 4720 wrote to memory of 4548	4720	CMD.exe	121
PID 4720 wrote to memory of 4548	4720	CMD.exe	121
PID 1520 wrote to memory of 5104	1520	Client.exe	122
PID 1520 wrote to memory of 5104	1520	Client.exe	122
PID 5104 wrote to memory of 4520	5104	CMD.exe	124
PID 5104 wrote to memory of 4520	5104	CMD.exe	124
PID 1520 wrote to memory of 1636	1520	Client.exe	125
PID 1520 wrote to memory of 1636	1520	Client.exe	125
PID 1636 wrote to memory of 1516	1636	CMD.exe	127
PID 1636 wrote to memory of 1516	1636	CMD.exe	127
PID 1520 wrote to memory of 1408	1520	Client.exe	128
PID 1520 wrote to memory of 1408	1520	Client.exe	128
PID 1408 wrote to memory of 5052	1408	CMD.exe	130
PID 1408 wrote to memory of 5052	1408	CMD.exe	130
PID 1520 wrote to memory of 3944	1520	Client.exe	131
PID 1520 wrote to memory of 3944	1520	Client.exe	131
PID 3944 wrote to memory of 4652	3944	CMD.exe	133
PID 3944 wrote to memory of 4652	3944	CMD.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OBS Studio Update" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "OBS Studio Update" /tr "C:\Windows\xdwdVisual Studio Code Host.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3564
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3944
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Discord" /tr "C:\Users\Public\Documents\xdwdMicrosoft Outlook Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Discord" /tr "C:\Users\Public\Documents\xdwdMicrosoft Outlook Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1468
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1044
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2964
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1732
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5060
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1408
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2124
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2356
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:416
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4548
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4520
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1516
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5052
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4652
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:988
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1264
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1064
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3360
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3032
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3876
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3852
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4104
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:968
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2640
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4220
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5052
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3144
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2028
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3396
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3628
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1276
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2444
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1200
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2844
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3312
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3600
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4916
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1888
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2464
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4980
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1408
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5108
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4632
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3316
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3472
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:680
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3140
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2268
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:1304
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4192
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3756
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4640
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3576
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3488
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3804
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4628
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3136
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4552
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:3572
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4572
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2760
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2724
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2032
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:236
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:2172
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1440
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST & exit
  2⤵
  PID:4192
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Docker Upgrade" /tr "C:\Windows\xdwdVisual Studio Code Host.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1872

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/1520-0-0x0000000000270000-0x00000000002DC000-memory.dmp

Filesize
432KB

Download
memory/1520-1-0x00007FF9B0D93000-0x00007FF9B0D95000-memory.dmp

Filesize
8KB

Download
memory/1520-49-0x00007FF9B0D90000-0x00007FF9B1852000-memory.dmp

Filesize
10.8MB

Download
memory/1520-105-0x000000001C0C0000-0x000000001C136000-memory.dmp

Filesize
472KB

Download
memory/1520-106-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/1520-107-0x0000000002640000-0x000000000265E000-memory.dmp

Filesize
120KB

Download
memory/1520-139-0x00007FF9B0D93000-0x00007FF9B0D95000-memory.dmp

Filesize
8KB

Download
memory/1520-264-0x00007FF9B0D90000-0x00007FF9B1852000-memory.dmp

Filesize
10.8MB

Download
memory/1520-451-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download