4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
Size

465KB
MD5

d01b5e1e47ef4095df2411ad4fba17bc
SHA1

28c133c39495cb2aa0fb04b6cd8a0be3ce5b6f54
SHA256

4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea
SHA512

9aa649836d5d3d6385e4d8d393333179e6e4ee27db1cf73959e0fa4e2b154215a04e95a4c2e9980e35978d57b3df17f502c70ce502b96818b708c9036ed6e945
SSDEEP

6144:0ULhuAEZHBmkhtnLYxe6VlWT8b9isuqTLriTRNqZj7fgoUxbTR+HeI0Wpd:Zg9ZsxPVle8aG4rqjkoUR++I0Wr

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Program Files\\xdwdSpotify.exe"	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Loads dropped DLL 43 IoCs

pid	Process
1400	Process not Found
1184	Process not Found
3724	Process not Found
716	Process not Found
4916	WmiApSrv.exe
532	Process not Found
4028	Process not Found
4484	Process not Found
1940	Process not Found
384	Process not Found
1336	Process not Found
5072	Process not Found
2928	Process not Found
392	Process not Found
2316	Process not Found
1056	Process not Found
1680	Process not Found
3696	Process not Found
1400	Process not Found
4612	Process not Found
4952	Process not Found
1760	Process not Found
1196	Process not Found
3856	Process not Found
5000	Process not Found
1108	Process not Found
3936	Process not Found
4704	Process not Found
1036	Process not Found
4040	Process not Found
804	Process not Found
3432	Process not Found
4776	Process not Found
1512	Process not Found
4720	Process not Found
2940	Process not Found
2420	Process not Found
5072	Process not Found
1820	Process not Found
1476	Process not Found
3852	Process not Found
856	Process not Found
1544	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
29	0.tcp.eu.ngrok.io
130	0.tcp.eu.ngrok.io
236	0.tcp.eu.ngrok.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\xdwdSpotify.exe	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
File created	C:\Program Files\xdwdSpotify.exe	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe

Creates scheduled task(s) 1 TTPs 40 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3548	schtasks.exe
2908	schtasks.exe
632	schtasks.exe
4140	schtasks.exe
2796	schtasks.exe
2060	schtasks.exe
5032	schtasks.exe
2684	schtasks.exe
3184	schtasks.exe
4748	schtasks.exe
5044	schtasks.exe
4712	schtasks.exe
1380	schtasks.exe
5000	schtasks.exe
3084	schtasks.exe
3236	schtasks.exe
1012	schtasks.exe
4040	schtasks.exe
2896	schtasks.exe
4200	schtasks.exe
4776	schtasks.exe
4988	schtasks.exe
2628	schtasks.exe
2588	schtasks.exe
4524	schtasks.exe
1820	schtasks.exe
1536	schtasks.exe
2892	schtasks.exe
5108	schtasks.exe
4140	schtasks.exe
2912	schtasks.exe
4524	schtasks.exe
3756	schtasks.exe
5072	schtasks.exe
1976	schtasks.exe
1576	schtasks.exe
1580	schtasks.exe
4428	schtasks.exe
1476	schtasks.exe
1336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
4916	WmiApSrv.exe
4916	WmiApSrv.exe
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1720	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	96
PID 2528 wrote to memory of 1720	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	96
PID 1720 wrote to memory of 2892	1720	CMD.exe	98
PID 1720 wrote to memory of 2892	1720	CMD.exe	98
PID 2528 wrote to memory of 2532	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	99
PID 2528 wrote to memory of 2532	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	99
PID 2532 wrote to memory of 2908	2532	CMD.exe	101
PID 2532 wrote to memory of 2908	2532	CMD.exe	101
PID 2528 wrote to memory of 3364	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	102
PID 2528 wrote to memory of 3364	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	102
PID 3364 wrote to memory of 5108	3364	CMD.exe	104
PID 3364 wrote to memory of 5108	3364	CMD.exe	104
PID 2528 wrote to memory of 4524	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	106
PID 2528 wrote to memory of 4524	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	106
PID 4524 wrote to memory of 632	4524	CMD.exe	108
PID 4524 wrote to memory of 632	4524	CMD.exe	108
PID 2528 wrote to memory of 4040	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	109
PID 2528 wrote to memory of 4040	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	109
PID 4040 wrote to memory of 4748	4040	CMD.exe	111
PID 4040 wrote to memory of 4748	4040	CMD.exe	111
PID 2528 wrote to memory of 3936	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	114
PID 2528 wrote to memory of 3936	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	114
PID 3936 wrote to memory of 2060	3936	CMD.exe	116
PID 3936 wrote to memory of 2060	3936	CMD.exe	116
PID 2528 wrote to memory of 3300	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	117
PID 2528 wrote to memory of 3300	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	117
PID 3300 wrote to memory of 4776	3300	CMD.exe	119
PID 3300 wrote to memory of 4776	3300	CMD.exe	119
PID 2528 wrote to memory of 2220	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	121
PID 2528 wrote to memory of 2220	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	121
PID 2220 wrote to memory of 4140	2220	CMD.exe	123
PID 2220 wrote to memory of 4140	2220	CMD.exe	123
PID 2528 wrote to memory of 3904	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	126
PID 2528 wrote to memory of 3904	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	126
PID 3904 wrote to memory of 4988	3904	CMD.exe	128
PID 3904 wrote to memory of 4988	3904	CMD.exe	128
PID 2528 wrote to memory of 4404	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	129
PID 2528 wrote to memory of 4404	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	129
PID 4404 wrote to memory of 3236	4404	CMD.exe	131
PID 4404 wrote to memory of 3236	4404	CMD.exe	131
PID 2528 wrote to memory of 2432	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	132
PID 2528 wrote to memory of 2432	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	132
PID 2432 wrote to memory of 5032	2432	CMD.exe	134
PID 2432 wrote to memory of 5032	2432	CMD.exe	134
PID 2528 wrote to memory of 436	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	135
PID 2528 wrote to memory of 436	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	135
PID 436 wrote to memory of 4140	436	CMD.exe	137
PID 436 wrote to memory of 4140	436	CMD.exe	137
PID 2528 wrote to memory of 4364	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	138
PID 2528 wrote to memory of 4364	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	138
PID 4364 wrote to memory of 4524	4364	CMD.exe	140
PID 4364 wrote to memory of 4524	4364	CMD.exe	140
PID 2528 wrote to memory of 4804	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	141
PID 2528 wrote to memory of 4804	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	141
PID 4804 wrote to memory of 2628	4804	CMD.exe	143
PID 4804 wrote to memory of 2628	4804	CMD.exe	143
PID 2528 wrote to memory of 804	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	144
PID 2528 wrote to memory of 804	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	144
PID 804 wrote to memory of 1012	804	CMD.exe	146
PID 804 wrote to memory of 1012	804	CMD.exe	146
PID 2528 wrote to memory of 2892	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	147
PID 2528 wrote to memory of 2892	2528	4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe	147
PID 2892 wrote to memory of 2796	2892	CMD.exe	149
PID 2892 wrote to memory of 2796	2892	CMD.exe	149

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe
"C:\Users\Admin\AppData\Local\Temp\4ab8c02ccc707823bc0a9d2551bc8873f089ecd8d447c1bb8882b16a75f27bea.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "GIMP (GNU Image Manipulation Program)" /tr "C:\Program Files\xdwdSpotify.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "GIMP (GNU Image Manipulation Program)" /tr "C:\Program Files\xdwdSpotify.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2892
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2908
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Zoom" /tr "C:\Users\Admin\AppData\Roaming\xdwdMalwarebytes Update.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Zoom" /tr "C:\Users\Admin\AppData\Roaming\xdwdMalwarebytes Update.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5108
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:632
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4748
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2060
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4776
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4140
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4988
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3236
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5032
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4140
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4524
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2628
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1012
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2796
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:5108
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2588
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:1644
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4040
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:3884
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5044
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:1544
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1580
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:3552
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4428
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:604
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2912
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:4712
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1476
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:2940
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1336
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:1080
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2896
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:4928
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5072
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:3248
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4524
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:4952
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2684
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:2532
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1976
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:4636
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1820
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:2168
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3548
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:1420
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5000
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:716
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3756
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:4112
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3184
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:1760
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1536
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:2432
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1576
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:1944
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4712
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:3212
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3084
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:3460
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1380
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:2704
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4200

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/2528-1-0x00007FFE80DA3000-0x00007FFE80DA5000-memory.dmp

Filesize
8KB

Download
memory/2528-0-0x00000000001E0000-0x000000000025A000-memory.dmp

Filesize
488KB

Download
memory/2528-32-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp

Filesize
10.8MB

Download
memory/2528-136-0x00007FFE80DA3000-0x00007FFE80DA5000-memory.dmp

Filesize
8KB

Download
memory/2528-287-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp

Filesize
10.8MB

Download