88cf131986bedc03a33d12ea5392ce09f521d40a056b8576a34ee613f36479e5

General

Target

Client.exe
Size

328KB
MD5

0518135d19cbb497321df931809a30e8
SHA1

34981352c51a3e3b9031902cc3f733d252c12871
SHA256

88cf131986bedc03a33d12ea5392ce09f521d40a056b8576a34ee613f36479e5
SHA512

adfe6c11cf1af4a5b7af799c2e0d89a660f695149407b54449a3ff4b8186dd3fca3f508670aede4b0592942294ca96d156f2f681a2aaf11481c0711670a17fa2
SSDEEP

6144:P5QCJJfSBEmcHe6VlWT8b9uPUfMP0ftbi8J5HW5T:BQNEvHPVle8eaB/HW

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\xdwdMicrosoft Azure DevOps.exe"	Client.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Loads dropped DLL 32 IoCs

Processes:

pid process

4008
4744
760
4824
3580
3980
2056
780
4992
3076
4980
4804
4328
1428
4636
2196
2680
4808
4724
1616
788
4916
1872
720
2544
4680
4380
460
2340
1212
2024
4328
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4008
4744
760
4824
3580
3980
2056
780
4992
3076
4980
4804
4328
1428
4636
2196
2680
4808
4724
1616
788
4916
1872
720
2544
4680
4380
460
2340
1212
2024
4328

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\xdwdGreenshot.exe"	Client.exe

Drops file in Windows directory 1 IoCs

Processes:

Client.exe

description ioc process

File created C:\Windows\xdwd.dll Client.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	Client.exe

Creates scheduled task(s) 1 TTPs 34 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
564	schtasks.exe
3692	schtasks.exe
3348	schtasks.exe
4464	schtasks.exe
2376	schtasks.exe
4824	schtasks.exe
3456	schtasks.exe
4004	schtasks.exe
3588	schtasks.exe
4692	schtasks.exe
8	schtasks.exe
1668	schtasks.exe
4260	schtasks.exe
4544	schtasks.exe
2448	schtasks.exe
3536	schtasks.exe
1172	schtasks.exe
2916	schtasks.exe
3908	schtasks.exe
1584	schtasks.exe
4880	schtasks.exe
1108	schtasks.exe
860	schtasks.exe
4664	schtasks.exe
1520	schtasks.exe
4280	schtasks.exe
3720	schtasks.exe
2124	schtasks.exe
4596	schtasks.exe
1580	schtasks.exe
1276	schtasks.exe
4792	schtasks.exe
2416	schtasks.exe
1924	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Client.exe

description pid process

Token: SeDebugPrivilege 2644 Client.exe

description	pid	process
Token: SeDebugPrivilege	2644	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exeCMD.exe

description	pid	process	target process
PID 2644 wrote to memory of 2348	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 2348	2644	Client.exe	CMD.exe
PID 2348 wrote to memory of 4280	2348	CMD.exe	schtasks.exe
PID 2348 wrote to memory of 4280	2348	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 3416	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 3416	2644	Client.exe	CMD.exe
PID 3416 wrote to memory of 3720	3416	CMD.exe	schtasks.exe
PID 3416 wrote to memory of 3720	3416	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 4572	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 4572	2644	Client.exe	CMD.exe
PID 4572 wrote to memory of 4792	4572	CMD.exe	schtasks.exe
PID 4572 wrote to memory of 4792	4572	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 4076	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 4076	2644	Client.exe	CMD.exe
PID 4076 wrote to memory of 3692	4076	CMD.exe	schtasks.exe
PID 4076 wrote to memory of 3692	4076	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 4060	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 4060	2644	Client.exe	CMD.exe
PID 4060 wrote to memory of 4260	4060	CMD.exe	schtasks.exe
PID 4060 wrote to memory of 4260	4060	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 2036	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 2036	2644	Client.exe	CMD.exe
PID 2036 wrote to memory of 1172	2036	CMD.exe	schtasks.exe
PID 2036 wrote to memory of 1172	2036	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 2268	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 2268	2644	Client.exe	CMD.exe
PID 2268 wrote to memory of 2416	2268	CMD.exe	schtasks.exe
PID 2268 wrote to memory of 2416	2268	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 1416	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 1416	2644	Client.exe	CMD.exe
PID 1416 wrote to memory of 1580	1416	CMD.exe	schtasks.exe
PID 1416 wrote to memory of 1580	1416	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 3676	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 3676	2644	Client.exe	CMD.exe
PID 3676 wrote to memory of 2916	3676	CMD.exe	schtasks.exe
PID 3676 wrote to memory of 2916	3676	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 3436	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 3436	2644	Client.exe	CMD.exe
PID 3436 wrote to memory of 3908	3436	CMD.exe	schtasks.exe
PID 3436 wrote to memory of 3908	3436	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 4204	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 4204	2644	Client.exe	CMD.exe
PID 4204 wrote to memory of 3348	4204	CMD.exe	schtasks.exe
PID 4204 wrote to memory of 3348	4204	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 1036	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 1036	2644	Client.exe	CMD.exe
PID 1036 wrote to memory of 1584	1036	CMD.exe	schtasks.exe
PID 1036 wrote to memory of 1584	1036	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 4876	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 4876	2644	Client.exe	CMD.exe
PID 4876 wrote to memory of 4880	4876	CMD.exe	schtasks.exe
PID 4876 wrote to memory of 4880	4876	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 3268	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 3268	2644	Client.exe	CMD.exe
PID 3268 wrote to memory of 4464	3268	CMD.exe	schtasks.exe
PID 3268 wrote to memory of 4464	3268	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 1368	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 1368	2644	Client.exe	CMD.exe
PID 1368 wrote to memory of 4004	1368	CMD.exe	schtasks.exe
PID 1368 wrote to memory of 4004	1368	CMD.exe	schtasks.exe
PID 2644 wrote to memory of 1280	2644	Client.exe	CMD.exe
PID 2644 wrote to memory of 1280	2644	Client.exe	CMD.exe
PID 1280 wrote to memory of 1108	1280	CMD.exe	schtasks.exe
PID 1280 wrote to memory of 1108	1280	CMD.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SYSTEM32\CMD.exe
"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Teams Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\system32\schtasks.exe
SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Teams Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe"
3⤵
- Creates scheduled task(s)
PID:4280

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3720

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "OBS Studio" /tr "C:\Users\Admin\AppData\Local\xdwdGreenshot.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo 5 /tn "OBS Studio" /tr "C:\Users\Admin\AppData\Local\xdwdGreenshot.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4792

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3692

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4260

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1172

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2416

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1580

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2916

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3908

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3348

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1584

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4880

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4464

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4004

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1108

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:3996

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:860

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:4812

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4544

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:4068

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:564

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:3372

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2124

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:3044

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2376

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:3664

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3536

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:3024

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3588

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:4868

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4692

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:3172

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4824

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:1952

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4664

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:4608

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1924

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:3448

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:8

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:3368

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4596

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:568

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3456

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:3104

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1668

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:4912

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1276

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:4464

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1520

C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST & exit
2⤵
PID:4152

C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Microsoft OneNote Host" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdMicrosoft Azure DevOps.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

3

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/2644-0-0x0000000000AB0000-0x0000000000B08000-memory.dmp

Filesize
352KB

Download
memory/2644-1-0x00007FFF21033000-0x00007FFF21035000-memory.dmp

Filesize
8KB

Download
memory/2644-19-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

Filesize
10.8MB

Download
memory/2644-196-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads